Botnet Spamming Websites

Monday, September 8, 2014 @ 01:09 PM gHale


A new botnet is spreading quickly across the Internet, researchers said.

The “Semalt” botnet, named after a Ukrainian startup that poses as a legitimate online SEO service, currently numbers around 290,000 malware-infected machines that continually spam millions of websites in a large-scale referrer spam campaign, said researchers at security provider Incapsula.

The goal of referrer spam is to create backlinks to a specific URL by abusing publicly-available access logs.

Semalt uses script bots that ignore the robots exclusion standard (the site’s robots.txt file that gives instructions to web crawlers) and spam the server with requests.

“The process is fairly straightforward. The bots access hundreds of thousands of websites in bulk, sending out requests with a synthetically-generated ‘Referrer’ header. Each of these headers contains the website URL the perpetrators are trying to boost,” researcher Ofer Gayer said in a post.

“All such requests are automatically recorded in access logs, creating a HTML referrer link. These links are then crawled by search engines, while accessing these publicly-available HTML resources.”

This artificially improves search engine rankings of the company’s customers, which in time “can cause long-term SEO damage to websites, ranging from demotion in search engine result pages (SERP) to complete SERP blacklisting and removal,” the researchers said.

To perform all of this, the company uses a botnet generated by malware hidden in a utility called “Soundfrost.” The botnet includes machines on over 290,000 different IP addresses around the world, and nearly 60 percent of those machines are in Brazil.

The Semalt bot bypasses common detection and filtering methods, and it can circumvent IP blacklisting and rate-limiting protection.
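
A defender-side check for the pattern described above, as an added example (not Incapsula's code or part of the original article): because the bots spread across many IP addresses and stay under per-IP rate limits, it groups access-log entries by referrer host instead of by client IP. The Combined Log Format, the thresholds, the allowlist and every host and address in the sample are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Combined Log Format: ip - - [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "[^"]*" \d{3} \S+ '
                    r'"(?P<referer>[^"]*)" "[^"]*"$')

def referrer_spam_candidates(lines, own_host, allow=(), min_ips=3, max_avg_hits=2.0):
    """Map external referrer hosts sent by many low-volume IPs to (ips, hits)."""
    hits = defaultdict(lambda: defaultdict(int))  # referrer host -> client IP -> hits
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a Combined Log Format line
        try:
            host = (urlsplit(m.group("referer")).hostname or "").lower()
        except ValueError:
            continue  # malformed referrer URL
        host = host[4:] if host.startswith("www.") else host
        if not host or host == own_host or host in allow:
            continue  # no referrer ("-"), internal navigation, or reviewed source
        hits[host][m.group("ip")] += 1
    flagged = {}
    for host, per_ip in hits.items():
        total = sum(per_ip.values())
        # Keyed on the referrer, so rotating source IPs does not hide the campaign.
        if len(per_ip) >= min_ips and total / len(per_ip) <= max_avg_hits:
            flagged[host] = (len(per_ip), total)
    return flagged

def make_line(ip, referer):  # one constructed Combined Log Format line
    return (f'{ip} - - [08/Sep/2014:13:00:00 +0000] "GET / HTTP/1.1" 200 512 '
            f'"{referer}" "Mozilla/5.0"')

SAMPLE_LOG = [  # constructed sample (documentation IPs, reserved domains)
    make_line("192.0.2.10", "http://spam-referrer.example/"),
    make_line("198.51.100.7", "http://spam-referrer.example/page"),
    make_line("203.0.113.44", "http://www.spam-referrer.example/"),
    make_line("203.0.113.9", "http://partner.example/links"),
    make_line("192.0.2.77", "-"),
    make_line("192.0.2.80", "http://example.com/contact"),
    make_line("192.0.2.81", "http://search.example/?q=a"),
    make_line("192.0.2.82", "http://search.example/?q=b"),
    make_line("192.0.2.83", "http://search.example/?q=c"),
]

if __name__ == "__main__":
    print(referrer_spam_candidates(SAMPLE_LOG, "example.com", allow={"search.example"}))
```

Legitimate high-traffic referrers show the same many-IPs, few-hits shape, so the output is a list of candidates to review, and reviewed sources belong in the allowlist.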


