How Stantiko Click-Fraud Bot Butchers CPA's

The Stantinko bot-net, which is distributed across 500,000 computers is butchering marketing CPA’s. The bot-net receiving advertising click-fraud fame in 2012, has been sleeping, but now “new and improved.”
Stantinko uses a computer’s FileTour application as its initial infection vector, uninstalling programs and simultaneously installing the Stantinko bot-net in the background, residing there for years.
How It Works

  1. It installs browsers extensions injecting browsers with ads and subsequently performs click fraud with a script, clicking on those injected ads.
  2. But because the bot-net can be programmed from Europe and Russia, it can also be used to execute other operations such as searches on Google, filling out lead-gen forms, signing up for email newsletters, and brute-force attacks on WordPress/Joomla admin panels, plus other backdoor activities.
  3. It also installs two malicious Windows services, which can reinstall the other if deleted. Successful removal of Stantinko requires both services to be deleted at the same time.
  4. The bot-net differs slightly from most: it’s a modular backdoor which has a loader to execute any executable that its mother ship programs and sends to the infected computers (the Stantinko operators can basically execute any code on those 500,000 machines).
  5. It’s most recent flavor is the Facebook Bot which can: create accounts, add friends, like pages (advertiser pages), and like pictures.

Why It’s Different (+ Dangerous to Advertisers)
Traditional click-fraud malware relies on a series of redirections between several ad networks to launder malicious traffic.
Stantinko, however, has essentially hijacked 500,000 individuals’ computers (looking like a real person), and is incredibly difficult to remove.
Policing Through Attributed Measurement
“Just like crime in New York City…fraud is always going to be there,” said C3 Metrics advertising attribution measurement COO Jeff Greenfield. “but when we see things like 8,000 media touchpoints in a single lead-gen funnel [to get someone to fill in their first name, last name, and email address] we know this is fraud and remove it from receiving attribution credit. But, the advertiser still gets charged by the network, and what rears its head as another tip-off is an out-of whack attributed ROI.”
In the words of AC/DC:

Forget the hearse ’cause I never die

I got nine lives

Stantinko is back in black.