
The Asprox Botnet


Update!

At the time this article was written, this type of ad-fraud bot was thought to be Asprox. Later, it was generally accepted that this ad-fraud bot was called "Rerdom" and was usually packaged alongside "Zemot" and possibly "Rovnix". This ad-fraud system IS/WAS the primary ad-fraud bot of Asprox, and Asprox was probably the primary user of Rerdom, but other botnets later used Rerdom, and Asprox was also known to use other ad-fraud bots (THL has seen Asprox use Asterope/Ropest and Fleervicet on rare occasions). Anyway, so you know, this ad-fraud system isn't organic or inherent to Asprox alone. Ok, back to the article....


 

*note* This was a hastily-written article that focuses on one instance, stream by stream. For a more generalized explanation of Asprox botnet ad fraud, see General Overview 1.

The Asprox Botnet is a network of infected computers, compromised servers, and command and control systems which allows the owners to use the infected computers for whatever purpose they like.

The malware used to gain control of computers is often called Kuluoz or Dofoil.

One use for the infected computers is to distribute more malware, to grow the botnet.

Another use is advertisement fraud, e.g. click fraud, referral fraud, and impression laundering. This post is intended to document one instance of advertisement fraud I found while experimenting with a Kuluoz/Dofoil trojan.

For more information on Asprox as a system:

Herrcore's article: Inside Asprox / Kuluoz Oct-Dec 2013

Kimberly's article: StopMalvertising: Analysis of Kuluoz Asprox encryption

Michal's article: Asprox Malware Phishing As A Service

Trend Micro's article: Asprox reborn [PDF]

The initial trojan

The trojan came from a fake "Notice to Appear" court email, in the skadden.com / Skadden, Arps, Slate, Meagher & Flom version that I got on 29 December 2013.

Raw email: http://pastebin.com/j0rK0pPi  (To: domain name changed)

Court_Notice_NY_Meagher_and_Flom.exe : VirusTotal report | Malwr report

These Asprox botnet trojans are often called Kuluoz and Dofoil.

On 31 December 2013, I ran the trojan.

This was actually my 3rd clickbot/adbot. It is just VERY time-consuming to comb through the data and make sense of it.

Time-line of network traffic

I was smarter this time around with the network capturing. I actually started the capture pretty much when I double-clicked the exe file.

All traffic here is http unless otherwise specified. And referer and referrer are used interchangeably so don't get all wrapped up on that.

0 seconds  103.14.200.33:8080/BF5B25D931...  POST encrypted x-www-form-urlencoded data and received about a 60k encrypted response.

2.84  net-forwarding.com/b/shoe/159 GET and got a 404 Not Found nginx response. net-forwarding.com was at 193.105.210.113.

9.58  net-forwarding.com/b/shoe/159 GET and got a 404 Not Found nginx response. Again.

9.98  pap-tech.com/media/video/ GET and received about 167k response, Content-Disposition: attachment; filename=exe.exe | VirusTotal report on this exe file. pap-tech.com was at 109.163.239.246.

15-ish seconds : computer reboots

101.22 pap-tech.com/soft32.dll GET and received about 109k response, Content-Type: application/x-msdos-program. GNU/Linux "file" reports the file to be "data"; "strings" shows no usable info | VirusTotal report.

103.54  kar-gen-pl1.net/b/eve/90341462bab59bfe35e09712 GET and received a Connection: keep-alive "hi!" response. kar-gen-pl1.net was at 176.73.253.215.

158.45  kar-gen-pl1.net/b/opt/DBB29800B8F9EB9F92786403 POST 178 bytes of encrypted content, received about 149 bytes of encrypted content in response. kar-gen-pl1.net this time pointed to 37.122.25.15.

Then, 8 more back-and-forth POSTs with encrypted data responses; the last one starts around 329.80 seconds. All of these are to kar-gen-pl1.net at 37.122.25.15.

330.98 Fake website traffic starts. A series of cookie-cutter fake search websites, all on the same IP, 109.163.239.246, as pap-tech.com, where the trojan updated itself.

just-get.com
search-cool.com
listsaudiocname.com
findthegoodway.com
papfind.net
finditrightway.com
marketing-nowsearch.com

Up to around 335.86, the infected host finished loading the css and images for the fake search pages.

335.86  A bunch of calls to regir-clk.com with the fake search pages as the Referer (Referrer), which are 302 redirected to different places. regir-clk.com was at 37.221.168.34. We will call these the first-level 302 redirects.

  regir-clk.com with referer: listsaudiocname.com gets 302 Moved Temporarily to   74.50.103.13

  regir-clk.com with referer: finditrightway.com  gets 302 Moved Temporarily to 216.172.63.115/...

  regir-clk.com with referer: search-cool.com gets 302 Moved Temporarily to n.clickga.com/...

  regir-clk.com with referer: findthegoodway.com gets 302 Moved Temporarily to 1928705294.xml.diprotector.com/...

  regir-clk.com with referer: just-get.com gets 302 Moved Temporarily to 74.50.103.14/...

  regir-clk.com with referer: papfind.net gets 302 Moved Temporarily to n.clickga.com/...

  regir-clk.com with referer: marketing-nowsearch.com gets 302 Moved Temporarily to 74.50.103.89/...

396.52  The first-level 302 redirects start loading.

  1928705294.xml.diprotector.com/... with referer: findthegoodway.com gets 302 Moved Temporarily to www.unlimiclick.com/andi

 74.50.103.13/... with referer: listsaudiocname.com gets 302 Moved Temporarily to c.t.c.adlinker.net/...

  74.50.103.14/... with referer: just-get.com gets 302 Moved Temporarily to c.t.c.adlinker.net/...

  216.172.63.115/... with referer: finditrightway.com gets 302 Moved Temporarily to c4.findology.com/...

  n.clickga.com/... with referer: papfind.net gets 302 Moved Temporarily to clickered.com/...

  n.clickga.com/... with referer: search-cool.com gets 302 Moved Temporarily to xml.digitaltrafficgroup.com/...

  74.50.103.89/... with referer: marketing-nowsearch.com gets 302 Moved Temporarily to c.t.c.adlinker.net/click/...

336.406 The second-level 302 redirects start loading.

  www.unlimiclick.com/andi GET with Referer: findthegoodway.com gets a 200 OK response with html that creates the most God-awful website that contains nothing but advertisements and popups of more advertisements. Complete garbage ad-fraud site. Pastebin here. This causes calls to ads.clicksor.com/newServing/showAd.php?nid=1&pid=3181... and much more.

  c.t.c.adlinker.net/click/... with referer: listsaudiocname.com gets 302 Moved Temporarily to  www.bettermoms.com/category/parenting/?utm_source=732&utm_medium=cpc&utm_campaign=732&utm_content=26346

  c.t.c.adlinker.net/click/... with referer: marketing-nowsearch.com gets 302 Moved Temporarily to hgdiy.com/category/cooking/...utm_content=26347...

  c.t.c.adlinker.net/click/... with referer: just-get.com gets 302 Moved Temporarily to  hgdiy.com/category/cooking/...utm_content=27850...

  c4.findology.com/... with referer: finditrightway.com gets 302 Moved Temporarily to  7979-69504_159.c.adprotect.net/... ..www.findaset.com....

  xml.digitaltrafficgroup.com/... with referer: search-cool.com gets 302 Moved Temporarily to  thesmallbusinessbuilder.com

 clickered.com/... with referer: papfind.net gets an HTML + Javascript response with a JS browser redirect to boroughfind.com/... This happened multiple times.

336.78 The third-level 302 redirects start loading.

  hgdiy.com/category/cooking/?utm_source=732&utm_medium=cpc&utm_content=27850&utm_campaign=732 with the just-get.com referrer produces a website for the . It kind of looks suspicious to me. Another hgdiy.com page-load happens for utm_content=26347 for the marketing-nowsearch.com referrer.

  www.bettermoms.com/category/parenting/?utm_source=732&utm_medium=cpc&utm_campaign=732&utm_content=26346 with referer: listsaudiocname.com responds with a website. It is filled with BS copy-pasta articles and advertisements.

337.154  7979-69504_159.c.adprotect.net/... with referrer: finditrightway.com gets an html and javascript response that makes it request something from adprotect.net, which THEN gives a 302 Moved Temporarily to www.findaset.com/click.php...

337.75 The finditrightway.com thread with findaset.com goes back and forth a couple times then gets 302 Moved Temporarily to Location: search.answers.com/click.php?...

338.095 The bettermoms.com thread starts traffic to ad network companies for the listsaudiocname.com referrer:

adserve.postrelease.com, ad1.adtitan.net, ib.adnxs.com, q1mediahydraplatform.com
cdn1.skinected.com, objects.tremormedia.com, partner.googleadservices.com
pagead2.googlesyndication.com, img1.cdn.adjuggler.com, hollywire.rotator.hadj1.adjuggler.net, bid.pubmatic.com
yorick.adjuggler.net, ads.pubmatic.com, rtax.criteo.com, cdn.fastclick.net, media.fastclick.net, dotomi.com
... beacons, tracking pixels, syncs, matches, and clicks.

Picture of Wireshark capture of ad traffic for bettermoms.com, possibly botnet fraud.

338.359 search.answers.com/click.php?...  part of the finditrightway.com thread.

338.406 a whole mess of clicksor.com / unlimiclick.com junk. part of the findthegoodway.com thread.

338.662 search.answers.com/go.php?to=qnc3.. from the finditrightway.com thread gets 302 Moved Temporarily to Location: http://www.SmartAsk.com/video/989.html?query=null&sour... which gets 302'ed again to www.smartask.com/video/989.html. smartask.com starts loading stuff from all over.

340.03 thesmallbusinessbuilder.com starts with referrer: search-cool.com. It is filled with BS copy-pasta articles and advertisements.

340.056 The hgdiy.com thread starts traffic to ad network companies. It was hard to tell which referrer, but utm_content=26347 was the marketing-nowsearch.com referrer. Ad company contacts, like a LumaScape salad:

a.postrelease.com, edge.quantserve.com, flx365.lporirxe.com, lax1.ib.adnxs.com (MANY),
outbrain.com (MANY), ad.afy11.net (MANY), b.scorecardresearch.com (MANY), r.nexac.com
db.outbrain.com (MANY), gumgum.com, x.bidswitch.net (MANY), ip.casalemedia.com (several),
sync.mathtag.com, dtm.potterybarnkids.com, ads.rubiconproject.com, pubmatic.com
ca.d.chango.com, node-p1e-h1me3o.sitescout.com, showads.pubmatic.com, bh.contextweb.com
sync.gumgum.us-east.zenoviaexchange.com, bidder-us-east-3.tlvmedia.com
... beacons, tracking pixels, syncs, matches, and clicks.

Picture of Wireshark capture of ad traffic for hgdiy.com, possibly botnet fraud.

340.29 The hgdiy.com thread starts traffic to ad network companies again, hitting the same set of ad company contacts as above. Since utm_content=27850, I could link that to the just-get.com referrer.


340.057 That crappy unlimiclick.com site with referrer: findthegoodway.com is going crazy:

ads.clicksor.cn/newServing/banner_frame.php?....

340.672 smartask.com/video/989.html from the finditrightway.com referrer thread starts traffic with ad network companies.

pixel.quantserve.com
like 92k worth of round trips of quantserve with various referrers.

340.707 the thesmallbusinessbuilder.com thread starts traffic to ad network companies. This started with the search-cool.com referrer.

cm.g.doubleclick.net (many),     googleads.g.doubleclick.net (many),    landsraad.cc
reviewmaster.org, pagead2.googlesyndication.com, ad-ace.doubleclick.net,
bid.g.doubleclick.net, 2mdn.net

Picture of Wireshark capture of ad traffic for thesmallbusinessbuilder.com, possibly botnet fraud.

342.86 boroughfind.com/... with referrer: clickered.com/..., which started with papfind.net, gets JavaScript-redirected to boroughfind.com/search, which looks like a bullshit site full of ads.

Picture of the flow of redirects to the adfraud and clickfraud websites, iteration 1.

Once the bot is at the junk site filled with ads, a lot of ad traffic happens.

So is this "click fraud"?

It is VERY hard to get Internet advertising companies to look at my data and say "yes, that is what a click looks like". Believe me, I've tried. At a minimum, there are page-loads going on in which impressions are recorded. One advertising company gave me the neat term "impression laundering", which is happening here at a minimum. However, yes, there are clicks going on, though I don't think we can tell how many are valid or accepted.

Around 812 seconds into the asprox trojan run, THE WHOLE PROCESS STARTED OVER!

Fake search sites:

howcaniask.com
local-find.us
local-find.com
zetaaskquestion.net
search-name.net
property-search.us
papasearc.com

howcaniask.com -> regir-clk.com -> 216.172.63.115 -> findology.com -> adprotect.net -> welcome.luxurylink.com ... something with www.shopitaway.com back to adprotect... it gets kinda crazy there.

local-find.us  -> regir-clk.com -> 74.50.103.89 -> c.t.c.adlinker.net -> sportsfascination.com (utm_content=26347)

local-find.com -> regir-clk.com -> diprotector.com -> www.unlimiclick.com/andi2

zetaaskquestion.net -> regir-clk.com -> 74.50.103.15 -> c.t.c.adlinker.net -> sportsfascination.com (utm_content=27850)

search-name.net -> regir-clk.com -> n.clickga.com -> clickered.com -> reinvestfind.com

property-search.us -> regir-clk.com -> n.clickga.com -> mediastinct.com -> admarket.me -> reality-prophet.com -> www.mytopvideos.com

papasearc.com -> regir-clk.com -> 74.50.103.14  -> c.t.c.adlinker.net -> globaltravelbuzz.com

The process was starting again at around 860 seconds, but I was shutting down the machine. I did get these fake search sites though:

search-a-goodway.com
cantfindthething.com
instantly-search.net
search-name.net
cantfindthething.com

... and they were all being run through regir-clk.com when the machine stopped.

The contacts:

These were the IP addresses at the time, not as they are now. Many hosts have moved or been shut down already.

These are just some of the fraud sites and botnet hosts:

103.14.200.33 - The initial phone-home / check-in, to port 8080. An Australian hosting provider "Hire a Tech Guy" / "Nerdster". This is probably a compromised web server, just like the gunnebojohnson.com host from the Asprox spammer 1 article.

net-forwarding.com - The second location the infected bot tried; it gave a 404 Not Found. It resolved to 193.105.210.113 when run, and when this article was written.

Domain registration info - net-forwarding.com:
Admin / Tech : Nikolay Yu Petrov vasya @mail.ru
prospekt lenina 34-109, Norilsk,Krasnoyarksya,RU 109809

IP info:
193.105.210.113 Ukraine
netname: ISPHOST
person: Budko Dmutro

pap-tech.com - The trojan downloaded 2 files from here before the ad fraud started. And like an IDIOT I reported this domain before I got much data. Now it doesn't resolve. ): But in any case, at the time it was at 109.163.239.246.

Domain registration info - pap-tech.com:
Admin / Tech : Nikolay Yu Petrov vasya @mail.ru
prospekt lenina 34-109, Norilsk,Krasnoyarksya,RU 109809

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

kar-gen-pl1.net - The trojan had about 10 http round-trips of encrypted data with this host. However, there seems to be a DNS round-robin. The first time it resolved to 176.73.253.215 and the other 9 times it was at 37.122.25.15. kar-gen-pl1.net had the following identical A records for round-robining, shown with Geo-IP and network owners:

109.120.15.198 Russia omkc.ru
85.234.169.217 Latvia baltcom.lv
89.252.9.160 Ukraine freenet.com.ua
79.111.92.215 Russia ti.ru
91.105.48.209 Latvia lattelecom.lv
188.254.235.254 Bulgaria bulsat.com
93.171.79.119 Ukraine alfatelecom.cz
176.194.202.124 Russia ti.ru
178.160.160.217 Armenia beeline.am
75.139.236.8 USA charter.net (No shit)

At the time of running, kar-gen-pl1.net listed the following NS records:

ns1.ligag.ru
ns2.ligag.ru
ns3.ligag.ru
ns4.ligag.ru

I'm sure this info is of no use:

Domain name: kar-gen-pl1.net
Administrative Contact:
Name: Douglas L. Guerrier
Organization: N/A
Address: 4053 Cooks Mine Road
City: Santa Fe
Province/state: NM
Country: US
Postal Code: 87501
Phone: +1.5056992982
Fax: +1.5056992982
Email: DunphySydnied @gmx.com

just-get.com - the fake search website. All the fake search sites looked the same.

Picture of Asprox botnet click fraud start point, fake search page called just-get.com.

just-get.com resolved to 109.163.239.246.

Domain info: just-get.com
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Email: contact @privacyprotect.org

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

Uh oh! That fake search site is on the SAME IP as the pap-tech.com, where the infected computer downloaded two files from before the fake websites started!

search-cool.com - Fake search website.

Picture of Asprox botnet click fraud start point, fake search page called search-cool.com.

search-cool.com resolved to 109.163.239.246. Same as pap-tech.com!

Domain info: search-cool.com
Administrator:
name:(Alexey A Sidorov)
mail:(security2guard @gmail.com) +7.4958009823
Alexey A Sidorov

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

listsaudiocname.com - fake search website.

Picture of Asprox botnet click fraud start point, fake search page called listsaudiocname.com.

listsaudiocname.com resolved to 109.163.239.246. Same as pap-tech.com!

Domain info: just-get.com
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Email: contact @privacyprotect.org

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

 

findthegoodway.com - 109.163.239.246 like pap-tech.com

Domain info: just-get.com
Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Email: contact @privacyprotect.org

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

papfind.net - 109.163.239.246 like pap-tech.com

Administrator:
name:(Alexey A Sidorov)
mail:(security2guard @gmail.com) +7.4958009823
Alexey A Sidorov

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

finditrightway.com - 109.163.239.246 like pap-tech.com

Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
Registrant Email: contact @privacyprotect.org

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

marketing-nowsearch.com - 109.163.239.246 like pap-tech.com

Administrator:
name:(Alexey A Sidorov)
mail:(security2guard @gmail.com) +7.4958009823
Alexey A Sidorov

IP info:
109.163.239.246 Russia
netname: Voxility / Saulhost Hosting

 

 

www.bettermoms.com - A site that served ads for the bot. It was at 72.21.91.19.

Picture of bettermoms.com that served ads for the asprox bot.

... You can Google every article on that site and find it copy-pasta'd all over the low-grade internets. Lots of ads though.

Domain info:
Registrar: GoDaddy.com, LLC
Registrant Organization: Domain Discreet Privacy Service

IP info:
OrgName: EdgeCast Networks, Inc.

hgdiy.com - A site that served ads for the bot, for two referrers: just-get.com and marketing-nowsearch.com. The site was at wa.

To be honest, I am on the fence about this site. The articles don't Google all over the place. This MAY be a legit site getting targeted (like I will probably be), or a site that made a bad deal to "increase traffic" with the wrong SEO dudes. In ANY CASE, this site served ads to the Asprox bot, and the bot clicked them. Heck, it could even be a straight-up click-fraud site but with real content, which is nice.... I guess?

Domain info:
Registrar: GoDaddy.com, LLC
Admin Name: Jimmy Hutcheson
Admin Organization: Hutch Media, LLC

IP info:
OrgName: SoftLayer Technologies Inc.

thesmallbusinessbuilder.com - A site that served ads for the bot. The site was at 74.208.123.87.

Picture of thesmallbusinessbuilder.com that served ads for the asprox bot.

Again, nothing but copy-pasta articles found all over the internet.

Domain Info:
Registrar: 1&1 Internet AG
Admin Name: Oneandone Private Registration

IP Info:
OrgName: 1&1 Internet Inc.

sportsfascination.com - Kind of like hgdiy.com, because the articles don't Google all over the place. But it does look a little cookie-cutter. It was at 192.155.199.88, which was right next to hgdiy.com.

Picture of sportsfascination.com that served ads for the asprox bot.

Domain info:
Registrar: GoDaddy.com, LLC
Admin Name: Jimmy Hutcheson
Admin Organization: Hutch Media, LLC

IP info:
OrgName: SoftLayer Technologies Inc.

globaltravelbuzz.com - copy-pasta articles and advertisements. It was at 72.21.91.19.

Picture of globaltravelbuzz.com that served ads for the asprox bot.

Domain info:
Registrar: GoDaddy.com, LLC
Registrant Organization: Domains By Proxy, LLC

IP info:
OrgName: EdgeCast Networks, Inc.

How can I do this?

Get yourself a Windows computer, a late-model Kuluoz / Dofoil trojan, an ethernet switch with a mirror port / monitor port setup, and tcpdump / wireshark / whatever to capture the traffic on a second computer. Then waste a weekend.

If you see lots of http traffic, you *probably* have a clickbot.

In the above examples, it started with five to seven fake "search" websites.

Then, the fake site will be in the referrer for a few hops. You just follow it. Using Wireshark display filters (note that the Wireshark field is spelled http.referer, with one r, whatever I call it in the prose):

http.host contains "fakesite.com"

...gives me the page load of fakesite.com. Not that useful... since you already know fakesite.com by now.

http.referer contains "fakesite.com" and not http.host contains "fakesite.com"

... gives me a list of packets where the referrer was fakesite.com but the host isn't. Pick the first packet in the list. Follow TCP Stream. If the TCP stream in that list gave me a 302 to host regir-clk.com, then:

http.referer contains "fakesite.com" and http.host contains "regir-clk.com"

... gives me the response regir-clk.com gave for that referrer. Perhaps it gave back a 302 to adlinker.net, keeping fakesite.com as the referrer:

http.referer contains "fakesite.com" and http.host contains "adlinker.net"

On down the chain you go, like a depth-first search, following the TCP stream each time.

Or just go one stream at a time.

Warning: once the "thread" hits the LumaScape salad (you will know it when you start seeing it), you've probably gone far enough.
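Here is an added example (my own code, not anything from the original post) that automates the referrer-following described in this section and rebuilds redirect threads like the just-get.com and papfind.net ones in the timeline above. The transactions it runs on are constructed: the hosts follow the post, but the paths, Location URLs and exact timestamps are placeholders, and in practice they would be pulled from the pcap.

```python
# Added example: reconstruct fake-search -> 302 -> ... -> ad page threads from
# HTTP transactions, the way the display filters above do it by hand.
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

@dataclass(frozen=True)
class Txn:
    """One HTTP request/response pair pulled from the capture."""
    ts: float        # seconds into the capture
    host: str        # Host header of the request
    path: str        # request URI (path + query)
    referer: str     # Referer header, "" if absent
    status: int      # response status code
    location: str    # Location header on a 3xx response, else ""

def host_of(url: str) -> str:
    """Host part of an absolute URL, e.g. a Location header value."""
    return urlsplit(url).hostname or ""

def follow_thread(txns, fake_site, max_hops=10):
    """Walk one redirect thread starting at a fake search page.

    Same logic as `http.referer contains fake_site and http.host contains X`:
    at each hop take the earliest request whose Referer still names the fake
    site and whose Host is where the previous 302 pointed. Stops at the first
    non-3xx response (landing page, or an HTML/JS redirect a 302 walk cannot
    follow). Returns the hosts visited, fake site first.
    """
    by_time = sorted(txns, key=lambda t: t.ts)
    chain, want, prev_ts = [fake_site], None, -1.0
    for _ in range(max_hops):
        nxt = next((t for t in by_time
                    if t.ts > prev_ts
                    and fake_site in t.referer and fake_site not in t.host
                    and (want is None or t.host == want)), None)
        if nxt is None:
            break
        chain.append(nxt.host)
        prev_ts = nxt.ts
        if not (300 <= nxt.status < 400 and nxt.location):
            break
        want = host_of(nxt.location)
    return chain

def landing_pages(txns, fake_sites):
    """Map each fake search site to (landing host, utm_content): the sites
    that finally served ads, tagged the way the post tied hgdiy.com loads to
    their referrers. Gives ad companies a list of sites to look harder at."""
    out = {}
    for site in fake_sites:
        chain = follow_thread(txns, site)
        last = next((t for t in txns
                     if t.host == chain[-1] and site in t.referer), None)
        tag = None
        if last is not None:
            tag = parse_qs(urlsplit(last.path).query).get("utm_content", [None])[0]
        out[site] = (chain[-1], tag)
    return out

# Constructed sample capture mirroring the just-get.com and papfind.net threads.
JG, PF = "http://just-get.com/", "http://papfind.net/"
HG = "/category/cooking/?utm_source=732&utm_medium=cpc&utm_content=27850&utm_campaign=732"
TXNS = [
    Txn(330.98, "just-get.com", "/", "", 200, ""),
    Txn(331.40, "papfind.net", "/", "", 200, ""),
    Txn(335.86, "regir-clk.com", "/r?c=1", JG, 302, "http://74.50.103.14/r?c=1"),
    Txn(335.90, "regir-clk.com", "/r?c=2", PF, 302, "http://n.clickga.com/r?c=2"),
    Txn(336.10, "74.50.103.14", "/r?c=1", JG, 302, "http://c.t.c.adlinker.net/click/c"),
    Txn(336.15, "n.clickga.com", "/r?c=2", PF, 302, "http://clickered.com/c"),
    Txn(336.41, "c.t.c.adlinker.net", "/click/c", JG, 302, "http://hgdiy.com" + HG),
    Txn(336.50, "clickered.com", "/c", PF, 200, ""),       # HTML+JS redirect, not a 302
    Txn(336.78, "hgdiy.com", HG, JG, 200, ""),             # landing page full of ads
    Txn(340.29, "lax1.ib.adnxs.com", "/c", "http://hgdiy.com" + HG, 200, ""),  # ad salad
]
```

`follow_thread(TXNS, "just-get.com")` returns the same chain the timeline shows by hand (regir-clk.com, 74.50.103.14, c.t.c.adlinker.net, hgdiy.com), and the ad-network hit with hgdiy.com as referrer is left out because the walk stops at the landing page.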

Does this mean these websites are dirty?

No, not at all. All the data shows is that the infected computer visited these sites in this order. And some of the extra round-trips in the LumaScape salad are clicks.

The bots could be there on behalf of some shady SEO company who promised the website owners some magic. The bots could be there to create random traffic to disguise the real traffic. This is beyond the scope of this post.

So hgdiy.com et al could be fine. Ad companies will have to look at their data and figure that all out. However, data like this could provide ad companies with a list of suspicious sites to take a harder look at.

regir-clk.com and all those Russian fake search websites? Yeah... those are dirty as shit.

But how does Asprox make money?

Heck if I know.

Either the botnet owners are really running the entire ad fraud system, or they are paid to "do work" by others. Maybe something else entirely.

Only if someone follows the money (Ad companies, Law Enforcement) will we ever know.

A word about the ad companies

It is important to note that there are many legitimate companies in this chain. The stuff between regir-clk.com and the final site with the advertisements, I still have to figure out who those guys are and what they have to say.

The stuff after the final site with the ads, the DoubleClick stuff, and all the LumaScape stuff... Those are real companies. And in the FEW times I've actually gotten a hold of a real person at those companies they have been very receptive and even very helpful.

Maybe one day, if their bosses / lawyers / marketers approve, I will be able to thank some of these people here because without their help deciphering the ad traffic I would have been quite lost.

Even if your bosses say no, thank you to all the ad company people who clued me in!

Summary

All I did was run a trojan horse, capture the data, and document my findings here.

I will gladly give a copy of my PCAP data to ad companies, hosting providers, domain registrars, or security researchers known to me or someone I know.

As far as I know, there are only 2 ways to rid the world of malware, botnets, and spam:

One is by physical force; i.e. law enforcement, arrests, prosecutions, and jails. Ad fraud is one of the FEW places where real companies hand real money to criminals. Perhaps if SOMEONE followed the money a little, they might be able to unmask the criminals.

The other is to change the economics; Look at this ONE example I have posted. How many IP addresses and domains are involved? How much talent, code, and ingenuity goes into this? CLEARLY there must be money being made here.

By running trojans and gathering data, ferreting out the frauds and refusing to pay them for their bad clicks and impressions, we may be able to help change the economics to make malware less attractive.