Everything You Need To Know About The 3ve Botnet

July 8th, 2021

Modern advertisers have to deal with much more than just converting prospects, as the rise of botnets and click fraud continues to affect the success of ad campaigns.

Botnets are now responsible for a large share of these fraudulent clicks. And in recent years, the 3ve botnet was one of the most sophisticated botnet operations ever seen.

It ran from 2013 to 2018 and infected over 1.7 million PCs worldwide, causing havoc and costing advertisers millions.

But how did it become such a global dilemma? We’re here to detail its rise and fall, as well as highlighting the problems botnets create, with tips on how to protect your business.

How 3ve Was Discovered

[Image: 3ve heatmap]

Pronounced “eve”, the botnet was in operation from 2013 to 2018, but it was only discovered in 2016 by HUMAN (formerly White Ops), the cybersecurity specialist.

The firm collaborated with Google and the FBI to bring down the fraud ring, with contributions from organizations including Adobe, McAfee, and Amazon.

3ve used the malware families Boaxxe/Miuref and Kovter, delivered through spam emails and malicious email attachments, to infect PCs.

It was first detected by HUMAN when the Methbot network was under investigation. Initially, 3ve appeared to be a standard bot farm with nothing unique about it.

But in 2017 its activity grew, and it was generating billions of daily ad bid requests. This was anywhere between 3 and 12 billion every day.

The malware used anti-forensics, an evasion tactic in which it scans the PC’s processes, hardware, username, and IP address for anything that marks the machine as a research or analysis environment rather than an ordinary victim.

Once past that obstacle, Google and HUMAN gradually uncovered the full scale of the 3ve operation. As Google explained in its whitepaper, The Hunt for 3ve:

“One way to bring down bot operations is to blacklist all of their known IP addresses. However, because of the operation’s aggressiveness, as well as its ability to rapidly acquire new IP addresses, we realized that a blacklist would only temporarily interrupt 3ve’s activity. To take it down permanently, we needed to understand how 3ve was structured and organized, we had to ensure that the operators thought they were going unnoticed in order to observe them and apply our learnings to future security efforts, and we needed to expand our effort beyond Google and [HUMAN].”

Google began building an infrastructure of partners to bring an end to 3ve. But while doing so, the search giant had to ensure the botnet believed it was still undetected.

What followed was a mammoth undertaking involving major organizations, all working in tandem to bring down arguably the most sophisticated botnet in history.

The 3ve Operation

[Image: 3ve operation]

3ve operated in an unusual way: it used fake and low-quality websites that participated in Google AdSense, then sold fake premium traffic to advertisers.

It could successfully fake the domains of high-ranking and prestigious publishers, leaving advertisers none the wiser they’d been duped.

3ve’s ability to infect tens of thousands of PCs allowed it to create a mass of illegitimate clicks on ads, which is how the operation made its money.

As Google noted in The Hunt for 3ve whitepaper:

“3ve’s operators took great care in trying to prevent ad networks from noticing their illicit activity. This is why, for example, 3ve’s malware only fully executed in countries where organic Internet users are likely to be browsing the same premium sites 3ve is counterfeiting, including the US, Canada, and the UK. 3ve’s victim population is shown in the figure below.”

The more successful this proved, the more scaled up the operation became.

Its operators were also able to constantly evade detection by disguising 3ve’s bots. So, even after chunks of its traffic were blacklisted, they could rematerialize somewhere else.

3ve’s operators used various tactics to stay undetected, including tag evasion, mimicking human behavior before clicking ads, and quickly regenerating residential IP addresses.

At its peak, the 3ve botnet:

  • Generated over 3 billion daily bid requests
  • Compromised 1 million IPs
  • Infected over 700,000 PCs
  • Faked 10,000+ websites

How 3ve Was Taken Down

[Image: FBI takedown]

Google, HUMAN, and the FBI realized the operation needed shutting down for good so it would no longer continue evolving.

In total, 15 major industry parties worked with Google, HUMAN, and the FBI’s Internet Crime Complaint Center to bring down the operation.

The organizations that helped take down 3ve include:

  • Adobe
  • Trade Desk
  • Amazon
  • Oath
  • Malwarebytes
  • ESET
  • Proofpoint
  • Symantec
  • F-Secure
  • McAfee
  • Trend Micro
  • Department of Homeland Security

With a system of collaborative intelligence, the working group spent months observing 3ve in action to determine how it worked.

Together, the organizations researched 3ve in depth to map its infrastructure, monetization strategies, and major components.

For example, McAfee and other anti-virus specialists worked to understand the malware 3ve was infecting PCs with.

This led to a coordinated technical takedown of the infrastructure, blocking the operators from rebuilding 3ve.

Within 18 hours, Google was reporting 3ve’s bid request traffic close to 0%.

At the end of the investigation, the US Department of Justice issued 13 indictments against 8 individuals. 6 of these fraudsters are from Russia, with the other 2 from Kazakhstan.

The Department of Justice’s November 2018 press release, Eight Defendants Indicted, named the individuals and stated:

“Also unsealed today in federal court in Brooklyn were seizure warrants authorizing the FBI to take control of 31 internet domains, and search warrants authorizing the FBI to take information from 89 computer servers, that were all part of the infrastructure for botnets engaged in digital advertising fraud activity. The FBI, working with private sector partners, redirected the internet traffic going to the domains (an action known as “sinkholing”) in order to disrupt and dismantle these botnets.”

The charges were for the loss of tens of millions of dollars in digital advertising fraud.

The results of stopping 3ve certainly provided a wake-up call for advertising and tech industries, highlighting why it’s important to stay proactive in the battle against online fraudsters.

Protect Your Ads From the Next 3ve


Unfortunately, although 3ve may have been taken down, there are still plenty of other active botnets out there.

And every advertiser who runs paid search, display, or video ads is at risk of losing money from these ad fraud schemes.

In 2019, Spamhaus (a threat intelligence organization) released its Botnet Threat Report. Its findings showed a dramatic rise in domain names registered to host botnets, up 100% on 2017’s figures.

And as our Global Click Fraud Report 2021 revealed, botnets remain the most damaging form of click fraud.

It’s very much a game of cat and mouse. New botnets are discovered all the time. For example, in March 2021, a Windows-specific botnet was unearthed and found to be ballooning in size.

Called Purple Fox, the malware uses phishing emails and exploit kits to infect machines and spreads quickly from one PC to the next. It targets internet-facing Windows computers that use weak passwords.

The more ads you run on Google Display Network, the more websites you advertise on, and the more money you spend, the higher the chance is you’ll fall victim to fraud.

Botnet operators are working hard to make their bots as indistinguishable from human behavior as possible.

That makes it very tough to even spot illegitimate activities on your ad campaigns, let alone stop it from happening.

It’s important to be vigilant, and to protect your ad campaigns and business with the latest data available. That can give you a massive head start in blocking fraudsters.

Lessons Learned From 3ve

Sadly, botnets are here to stay, and 3ve showed how sophisticated their operators are becoming at evading detection.

It took an entire workforce of thousands of people from major global players to take the network down: the combined might of Google, HUMAN, the FBI, and many others, to stop the malware-spreading actions of non-human bots.

The lessons learned from 3ve have helped in the fight against fraudsters and are sure to help with future investigations.

But you can also protect your ad campaigns by taking proactive steps. We offer a free exclusion list of 60,000+ apps, channels, and websites that stops your ads from showing on suspect and low-performing placements.

Add this into your Google Ads account, and you’ll immediately exclude fraudsters and improve the quality of your traffic.

That helps to protect your brand image, avoid irrelevant websites, stop illegitimate clicks, and improve your ROI.
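The evasion tactics described under The 3ve Operation (human-mimicking clicks, rapid regeneration of residential IPs, and Google’s observation that an IP blacklist only interrupts such a botnet temporarily) and the placement exclusion list above can both be illustrated with a small click-log triage script. This is an added example, not code from the original post, from HUMAN, or from Google. The log lines, IP addresses (documentation ranges), domain names and thresholds are all constructed, and the `ua-*` values are hypothetical stand-ins for a user-agent fingerprint hash.

```python
"""Behavioural click-fraud triage over a constructed click log (added example).

Shows why a static per-IP blocklist stops working as soon as the bots rotate
to fresh addresses, while per-placement behavioural signals (one fingerprint
across many IPs, near-zero dwell time, metronomic click cadence) keep
flagging the same placement, which can then be fed to an exclusion list.
"""
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed log: "timestamp,ip,placement_domain,ua_fingerprint,dwell_ms".
# The first six lines imitate bot traffic; the last two imitate human visits.
SAMPLE_LOG = """\
2021-07-01T10:00:00,203.0.113.10,news-example.test,ua-aaa,180
2021-07-01T10:00:03,203.0.113.10,news-example.test,ua-aaa,190
2021-07-01T10:00:06,203.0.113.10,news-example.test,ua-aaa,185
2021-07-01T10:00:09,203.0.113.11,news-example.test,ua-aaa,180
2021-07-01T10:00:12,203.0.113.12,news-example.test,ua-aaa,182
2021-07-01T10:00:15,203.0.113.13,news-example.test,ua-aaa,181
2021-07-01T10:05:00,198.51.100.7,recipes-example.test,ua-bbb,42000
2021-07-01T10:40:00,198.51.100.8,recipes-example.test,ua-ccc,65000
"""


def parse_log(text):
    """Parse CSV click lines into dicts; timestamps become datetime objects."""
    records = []
    for line in text.strip().splitlines():
        ts, ip, domain, ua, dwell = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "ip": ip,
                        "domain": domain, "ua": ua, "dwell_ms": int(dwell)})
    return records


def static_ip_blocklist(records, max_clicks=2):
    """Naive blocklist: any IP that clicked more than max_clicks times."""
    counts = defaultdict(int)
    for r in records:
        counts[r["ip"]] += 1
    return {ip for ip, n in counts.items() if n > max_clicks}


def flagged_placements(records, min_ips=3, max_dwell_ms=1000, max_jitter_s=1.0):
    """Flag a placement when one fingerprint appears from several distinct
    IPs, every visit leaves almost instantly, and clicks arrive on a
    near-constant cadence (low standard deviation of inter-click gaps)."""
    by_key = defaultdict(list)
    for r in records:
        by_key[(r["domain"], r["ua"])].append(r)
    flagged = set()
    for (domain, _ua), rs in by_key.items():
        if len({r["ip"] for r in rs}) < min_ips:
            continue
        if max(r["dwell_ms"] for r in rs) > max_dwell_ms:
            continue
        rs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(rs, rs[1:])]
        if len(gaps) >= 2 and pstdev(gaps) <= max_jitter_s:
            flagged.add(domain)
    return flagged


def rotate_ips(records, old_ips, pool="192.0.2."):
    """Simulate IP churn: every click that came from an address in old_ips
    now arrives from a fresh, never-seen address (one new address per click)."""
    rotated, n = [], 0
    for r in records:
        r = dict(r)
        if r["ip"] in old_ips:
            n += 1
            r["ip"] = f"{pool}{n}"
        rotated.append(r)
    return rotated


def blocked_clicks(records, blocklist):
    """How many clicks a blocklist would actually have stopped."""
    return sum(1 for r in records if r["ip"] in blocklist)


def exclusion_list(placements):
    """One domain per line, the shape of a placement exclusion list."""
    return "\n".join(sorted(placements))


def demo():
    """Run both approaches before and after the bots rotate their IPs."""
    records = parse_log(SAMPLE_LOG)
    blocklist = static_ip_blocklist(records)
    flagged = flagged_placements(records)
    bot_ips = {r["ip"] for r in records if r["domain"] in flagged}
    churned = rotate_ips(records, bot_ips)
    return {
        "blocklist": blocklist,
        "blocked_before": blocked_clicks(records, blocklist),
        "blocked_after_churn": blocked_clicks(churned, blocklist),
        "flagged_before": flagged,
        "flagged_after_churn": flagged_placements(churned),
    }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key}: {value}")
    print("exclusion list:\n" + exclusion_list(result["flagged_after_churn"]))
```

On the constructed data the IP blocklist catches three clicks, then none once the addresses rotate, whereas the placement-level rule flags `news-example.test` both times; that flagged domain is what an advertiser would add to a placement exclusion list. The thresholds are deliberately loose for eight sample lines and would need tuning against real traffic volumes.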

Download the full exclusion list below.
