Another way Microsoft is disrupting the malware ecosystem

Like it or not, in today’s world, online advertising plays a large and important role in supporting the web.
Pay-per-click (PPC) advertising, born in 1998, created a system whereby advertisers only pay when potential customers click on an advertisement's link. This system allowed companies to target very specific market segments, better gauge sales campaign performance and to only pay for what was clicked. This helped drive demand for publishers. Publishers are those people with websites or apps that attract visitors. These publishers display advertisements and get paid by an advertiser when one of their visitors clicks on an advertisement.


Online click-fraud is the intentional misappropriation of advertising revenue by generating a click that doesn’t originate from a potential customer, or by hijacking a click from the rightful publisher.
A very simple example of this would be John Doe creating a website, displaying advertising links on it, and then clicking on those links himself. The advertiser would be paying John Doe for those clicks under the assumption that they came from real customers who are potentially interested in a product.


So what does this mean to you?
Online advertising is a large business. $32 billion was spent on it in 2011 (Olmstead, 2012), supporting key web services that we all use. And click-fraud is rampant, with 22% of all ad-clicks being fraudulent (Vacha Dave, 2012).
Consumers pay more, albeit fractionally, for products whose marketing revenue is stolen by spurious clicks.
Apps and services that are offered free of charge (such as search engines and smartphone games) are supported by online advertising. Click-fraud erodes that support.
The overall health of digital commerce depends upon having a safe and secure market place where businesses can thrive.


One particular way criminals make money via click-fraud is to put malicious software (malware) on your computer to perpetrate spurious clicks.
In the simple case of John Doe above, it would be easy to detect all of his clicks because they came from a single IP address and never yielded a "conversion". A conversion is defined by the advertiser as the desired action taken by the potential customer after clicking on an advertisement; this could include purchasing a product or signing up for a service.
But if these fraudulent clicks were coming from various geographies all over the world, each behaving as unique as an individual while browsing the internet, it becomes much harder to detect them.
And because there is no simple, direct relationship between a malicious click and the party who benefits from it, and because the advertising market is not structurally designed for accountability, this fraud is challenging to detect and prevent.
Typically these fraudulent clicks go through many layers of publishers, affiliates and syndication schemes. Affiliates produce traffic to sites, and advertisements are syndicated from site A to site B to site C, where each site takes a cut of the advertisement's profit on a click.
The complexity and opaqueness of where traffic comes from, and who benefits from a single click, is a new digital "Wild West", fertile for unscrupulous cyber-slingers.
And though the actual malware author may make a small fraction of money from a click, through this Gordian web of publishers, affiliates and syndications, done enough times it can all add up to be quite lucrative.


The Microsoft Malware Protection Center (MMPC) has teamed up with the Microsoft Online Forensics team in AdCenter to stop criminals from using malware to profit in this way.
Since 60% to 70% of malware today employs some form of click-fraud to monetize (NSS Labs, 2012), this is an important link to target in any comprehensive disruption plan.
We are intersecting large data sets between malware telemetry and ad-clicks to detect anomalous behavior correlated to malware. And we are taking two relatively disparate domains of expertise and tools, namely malware and online advertising, and creating prevention systems and processes for identifying the entire chain of beneficiaries of click-fraud malware. In this way, we're stopping the flow of illicit money at the AdCenter level. To date, we have identified three malicious software families monetizing in this manner and have recouped those ill-gotten gains from the beneficiaries.
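The two detection signals described above, the single-IP/no-conversion pattern that exposes John Doe and the intersection of click logs with malware telemetry that exposes a geographically distributed botnet, as a small worked example. This is an added illustration, not Microsoft's or AdCenter's code: the log format, publisher IDs, IP addresses, thresholds and the infected-IP list are all constructed for the example, and the field names (`pub`, `ip`, `conv`) are assumptions.

```python
"""Toy click-fraud triage: per-publisher click statistics joined with
malware telemetry.  Added example, not Microsoft's code; every log line,
publisher ID, IP address and threshold below is constructed."""
from collections import Counter, defaultdict

# Constructed ad-click log, one click per line: timestamp, publisher,
# source IP, and whether the advertiser later recorded a conversion.
CLICK_LOG = """\
2012-05-01T10:00:01Z pub=P-honest ip=198.51.100.10 conv=0
2012-05-01T10:02:14Z pub=P-honest ip=198.51.100.11 conv=1
2012-05-01T10:05:09Z pub=P-honest ip=198.51.100.12 conv=0
2012-05-01T10:07:33Z pub=P-honest ip=198.51.100.13 conv=0
2012-05-01T10:09:45Z pub=P-honest ip=198.51.100.14 conv=0
2012-05-01T10:00:02Z pub=P-johndoe ip=203.0.113.7 conv=0
2012-05-01T10:00:03Z pub=P-johndoe ip=203.0.113.7 conv=0
2012-05-01T10:00:04Z pub=P-johndoe ip=203.0.113.7 conv=0
2012-05-01T10:00:05Z pub=P-johndoe ip=203.0.113.7 conv=0
2012-05-01T10:00:06Z pub=P-johndoe ip=203.0.113.7 conv=0
2012-05-01T10:01:00Z pub=P-botnet ip=192.0.2.21 conv=0
2012-05-01T10:01:30Z pub=P-botnet ip=192.0.2.22 conv=0
2012-05-01T10:02:00Z pub=P-botnet ip=192.0.2.23 conv=0
2012-05-01T10:02:30Z pub=P-botnet ip=192.0.2.24 conv=0
2012-05-01T10:03:00Z pub=P-botnet ip=192.0.2.25 conv=0
2012-05-01T10:03:30Z pub=P-botnet ip=192.0.2.26 conv=0
"""

# Constructed malware telemetry: source IPs from which an antimalware client
# reported a click-fraud family detection in the same time window.
INFECTED_IPS = {"192.0.2.21", "192.0.2.22", "192.0.2.23",
                "192.0.2.24", "192.0.2.25"}


def parse_click_log(text):
    """Yield (publisher, ip, converted) from the key=value log lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])
        yield fields["pub"], fields["ip"], fields["conv"] == "1"


def publisher_stats(clicks, infected_ips):
    """Aggregate clicks, per-IP counts, conversions and infected-source
    clicks for each publisher."""
    stats = defaultdict(lambda: {"clicks": 0, "ips": Counter(),
                                 "conversions": 0, "infected": 0})
    for pub, ip, converted in clicks:
        s = stats[pub]
        s["clicks"] += 1
        s["ips"][ip] += 1
        s["conversions"] += converted
        s["infected"] += ip in infected_ips
    return dict(stats)


def flag_publishers(stats, min_clicks=5, max_top_ip_share=0.5,
                    max_infected_share=0.5):
    """Return {publisher: [reasons]} for publishers whose click traffic
    looks fraudulent.  Thresholds are illustrative assumptions."""
    flagged = {}
    for pub, s in stats.items():
        if s["clicks"] < min_clicks:
            continue  # too little traffic to judge either way
        reasons = []
        _top_ip, top_count = s["ips"].most_common(1)[0]
        # The John Doe case: one source IP dominates the publisher's clicks.
        if top_count / s["clicks"] > max_top_ip_share:
            reasons.append("single_source")
        # Clicks that never lead to a purchase or sign-up.
        if s["conversions"] == 0:
            reasons.append("no_conversions")
        # The botnet case: IPs are diverse, but most of them also appear in
        # malware telemetry, which is what the data-set intersection catches.
        if s["infected"] / s["clicks"] > max_infected_share:
            reasons.append("malware_correlated")
        if reasons:
            flagged[pub] = reasons
    return flagged


def triage(log_text=CLICK_LOG, infected_ips=INFECTED_IPS):
    return flag_publishers(publisher_stats(parse_click_log(log_text),
                                           infected_ips))


if __name__ == "__main__":
    for pub, reasons in sorted(triage().items()):
        print(pub, ", ".join(reasons))
```

On the constructed data, `P-honest` is not flagged, `P-johndoe` is flagged as `single_source` and `no_conversions`, and `P-botnet` passes the IP-diversity check but is flagged as `no_conversions` and `malware_correlated`: the second case is only visible once the click log is joined with the malware telemetry. The `min_clicks` floor matters in practice, because a legitimate low-volume publisher can easily have zero conversions by chance, and malware that also performs fake conversions would defeat the conversion check alone.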


We are doing this to create the highest quality online market for businesses, to provide the best possible online user experience for our customers, and to reduce the economics of malware monetizing via click-fraud.



-Nikola Livic


Works cited

NSS Labs, M. (2012). Internal study.
Olmstead, K. (2012). Digital: By the Numbers. The State of the News Media 2012, An Annual Report of American Journalism.
Vacha Dave, S. G. (2012). Measuring and Fingerprinting Click-Spam in Ad Networks. SIGCOMM.

Comments (3)

  1. Slater Sun says:

    just say something

  2. Brittany says:

    I just got hit today by an install with a Troj.W32.Gen.lvdM in it and no virus scanner can seem to find it. It was after the second install of Windows; I was poking around after installing Logo Maker and I saw a file called >exe.exe< ??? That is how I found it. Did an online scan and it was confirmed. As a website owner, how can I help stop this? How do I know if my built search engine and website have any bad coding in them? Very frustrating. No wonder no one is making money or donating anymore ??
    Also, you should have a share button on this page.
