Clickfraud traffic from infected hosts

Check for this on your network to find infected hosts performing clickfraud.

HTTP Method = GET
HTTP Destination contains *=/?l=eyJhYyI6* (that's a lowercase "L", not the digit one)
HTTP URI matches the regex \/[0-9]{8,9}\/[A-Za-z0-9]{7}=\/\?l=[A-Za-z0-9]{300,}(==?)?$

You can base64-decode the long field at the end of the URI to see some additional info about the activity.
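As an added example (not code from the original post), here is a Python check that applies the three criteria above to request records and decodes the trailing field. The sample beacon and every value in it are constructed; the marker eyJhYyI6 is simply the base64 encoding of {"ac":, which is why the decoded field parses as JSON.

```python
import base64
import json
import re
from urllib.parse import parse_qs, urlsplit

# The URI regex from the post, used unchanged for detection.
URI_PATTERN = re.compile(r"\/[0-9]{8,9}\/[A-Za-z0-9]{7}=\/\?l=[A-Za-z0-9]{300,}(==?)?$")
# "eyJhYyI6" is base64 for '{"ac":', so the trailing field is a JSON object.
FAST_MARKER = "=/?l=eyJhYyI6"


def is_clickfraud_beacon(method: str, uri: str) -> bool:
    """True when a proxy/log record meets all three criteria from the post."""
    return (method.upper() == "GET"
            and FAST_MARKER in uri
            and URI_PATTERN.search(uri) is not None)


def decode_beacon(uri: str):
    """Base64-decode and JSON-parse the 'l' field; None if absent or malformed."""
    field = parse_qs(urlsplit(uri).query).get("l")
    if not field:
        return None
    try:
        return json.loads(base64.b64decode(field[0], validate=True))
    except ValueError:  # covers binascii.Error, JSONDecodeError, bad UTF-8
        return None


# Constructed sample beacon (not a real capture): JSON whose first key is "ac",
# padded so the encoded field clears the regex's 300-character floor.
_SAMPLE_JSON = json.dumps(
    {"ac": "click", "cid": "constructed-0001",
     "ref": "http://example.invalid/landing", "pad": "x" * 220},
    separators=(",", ":"))
_SAMPLE_FIELD = base64.b64encode(_SAMPLE_JSON.encode()).decode()
SAMPLE_REQUESTS = [
    ("GET", "/12345678/abcdefg=/?l=" + _SAMPLE_FIELD),        # should match
    ("POST", "/12345678/abcdefg=/?l=" + _SAMPLE_FIELD),       # wrong method
    ("GET", "/12345678/abcdefg=/?l=" + _SAMPLE_FIELD[:100]),  # field too short
    ("GET", "/index.html"),                                   # ordinary request
]


def scan(requests):
    """Return the decoded payload of every request that triggers the rule."""
    return [decode_beacon(uri) for method, uri in requests
            if is_clickfraud_beacon(method, uri)]


if __name__ == "__main__":
    for hit in scan(SAMPLE_REQUESTS):
        print(hit["ac"], hit["cid"], hit["ref"])
```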

I've been seeing this lately on hosts that have been compromised with Neutrino.
