Teamwork takes down massive ad fraud botnets

On November 27th, 2018, the Department of Justice announced the indictment of 8 individuals involved in a major ad fraud case that cost digital advertisers millions of dollars. The operation, dubbed “3ve”, was the combination of the Boaxxe and Kovter botnets, which the FBI, in collaboration with the private sector, was able to dismantle.

The US CERT advisory indicates that 3ve was controlling over 1.7 million unique IP addresses between both Boaxxe and Kovter at any given time. Threat actors rely on different tactics to generate fake traffic and clicks, but one of the most common ones is to infect legitimate computers and have them silently mimic a typical user’s behavior. By doing so, fraudsters can generate millions of dollars in revenues while eroding trust in the online advertising business.

This criminal enterprise was quite sophisticated in that it employed many evasion techniques that made it difficult not only to detect the presence of ad fraud but also to clean up affected systems. Kovter, in particular, is a very unusual piece of malware that goes to great lengths to avoid detection and even to trick analysts. Its use of fileless persistence has also made it more challenging to disable.

Malwarebytes, along with several other companies, was involved in this global investigation. We worked with our colleagues at ad fraud detection company White Ops and shared intelligence and samples about the Kovter malware. We were happy to be able to leverage our telemetry and visibility, which proved to be valuable for others to act upon.

Even though criminals can get pretty sophisticated, this successful operation proves that concerted efforts between both the public and private sectors can defeat them and bring perpetrators to justice.

The full technical report on 3ve co-authored by Google and White Ops, with technical contributions from Proofpoint and others, can be downloaded here.