With the widespread adoption of Internet advertising, fraud has become a systemic problem. While the existence of
—malware specialized for conducting
—has been known for a number of years, the actual functioning of these programs has seen little study. We examine the operation and underlying economic models of two families of modern clickbots, “Fiesta” and “7cy.” By operating the malware specimens in a controlled environment we reverse-engineered the protocols used to direct the clickbots in their activities. We then devised a
program that mimics clickbots requesting instructions, enabling us to extract over 360,000 click-fraud directives from the clickbots’ control servers. We report on the functioning of the clickbots, the steps they employ to evade detection, variations in how their masters operate them depending on their geographic locality, and the differing economic models underlying their activity.