Chameleon click fraud botnet costs advertisers $6m per month

The raw details provided by Spider.io suggest that 202 websites are particularly targeted by the known Windows bots; that – unusually – display rather than text advertisements are targeted; and that at least 9 billion ad impressions are served to the botnet each month.

The sheer efficiency of this actually rather small botnet is put into context by Sophos’ Graham Cluley in the NakedSecurity blog. He compares it to the ZeroAccess botnet monitored by Sophos, which had 1 million bots – similarly primarily located in the US – but “we estimated at the time it was making almost $3 million per month.” If all of the figures are correct, that means that a botnet 8 times larger than Chameleon was only doing half the click fraud damage.

But the question for users is simple: are Sophos and other anti-virus companies protecting their customers from Chameleon? It’s difficult to say, says Cluley, “because Spider.io hasn't shared much in the way of information. The name isn't used by other anti-virus products, and no checksums or VirusTotal links are offered in the blog post.” There is more than a gentle admonishment in this comment – anti-virus companies regularly share details of malware for the greater public good; but this hasn’t yet happened with Chameleon.

Cluley goes on to wonder if Chameleon and ZeroAccess are actually related. “We'd need more information from Spider.io to be definite about that,” he adds, “but there certainly seem to be similarities.”

ESET senior research fellow David Harley agrees on both counts. “I'd agree that there's a whiff of ZeroAccess in Spider.io's description,” he told Infosecurity, “but crossover in functionality between bots that may or may not be related code-wise isn't unusual.” He also added, “There’s usually a lot of sharing of information about major botnets between security researchers (and other parties such as law enforcement) but that doesn't seem to have happened in this case. So far, at any rate.”

Until such time as the anti-virus industry is categorically able to tell its customers that they are protected, users will need to look out for any tell-tale signs of infection. Luckily, this may not be too difficult. “Chameleon is a sophisticated botnet,” explains Spider.io. “Individual bots run Flash and execute JavaScript. Bots generate click traces indicative of normal users. Bots also generate client-side events indicative of normal user engagement. They click on ad impressions with an average click-through rate of 0.02%; and they surprisingly generate mouse traces across 11% of ad impressions.” But because of all this activity, “The bots subject host machines to heavy load, and the bots appear to crash and restart regularly.”

This, notes Cluley, is “something which might alert users to there being a problem with their PC.”
