Symantec originally estimated that at its peak the Flashback Trojan was generating around $10,000 a day by hijacking ad clicks. Its latest analysis suggests the attackers earned only about $14,000 over a three-week period, and may never have collected even that.
In its Connect blog, Symantec explains: "We now have a much clearer idea of how many ads the attackers were displaying and how much those ads earned for the attackers."
"From our analysis we have seen that, for a three-week period starting in April, the botnet displayed over 10 million ads on compromised computers but only a small percentage of users who were shown ads actually clicked them, with close to 400,000 ads being clicked."
These 400,000 ad clicks earned the attackers "$14,000 in these three weeks," according to Symantec.
The security firm notes: "It is worth mentioning that earning the money is only one part of the puzzle - actually collecting that money is another, often more difficult, job. Many PPC providers employ anti-fraud measures and affiliate-verification processes before paying. Fortunately, the attackers in this instance appear to have been unable to complete the necessary steps to be paid."
Symantec estimates that the actual ad-clicking component of Flashback was only installed on about 10,000 of the more than 600,000 infected machines. "In other words, utilizing less than 2% of the entire botnet the attackers were able to generate $14,000 in three weeks, meaning that if the attackers were able to use the entire botnet, they could potentially have earned millions of dollars a year," the security firm claims.
Symantec goes on to explain how the click fraud scheme used by the Flashback Trojan works. "Compromised computers pass users' search keywords to the attackers. The attackers then contact various pay per click (PPC) services and route the ads from the PPC providers to the compromised computer, in the process earning money for those ads from the PPC providers."
"Over 98% of the ads being sent to compromised computers appear to originate from the same PPC provider," according to Symantec.
Symantec claims: "The attackers are taking advantage of both users and the PPC providers by getting paid for ads that may not have been seen by users and may not be relevant to what the user searched for."
"The OSX.Flashback bot-master hijacked Google's search results and displayed their own PPC search results to create conversions," says Symantec. "The attackers still managed to display over 10 million ads in a three week period, generating $14,000 in revenue."
The report concludes: "Although pay-per-click botnets are not a new idea, we have seen them on Windows for years; as the market share of Mac increases, we will see more Mac-related botnets similar to this one in the future."