What is Xindi Botnet?

Xindi, the first-of-its-kind botnet, was specifically developed by fraudsters to exploit a critical vulnerability (CVE-2015-7266) in the Internet advertising protocol implementation (OpenRTB) by turning enterprise and university networks into botnets that launch attacks on advertising exchanges. Xindi botnet, unlike its predecessors, does not defraud by clickjacking, which can be easily detected. Rather, it is the first botnet that exclusively focuses on generating fake “viewable” impressions at scale.

OpenRTB Responds to Industry Security Threat


Xindi's Signature

Anatomy of the attack

What is Amnesia Bug

The Amnesia Bug is a critical vulnerability (CVE-2015-7266) in the OpenRTB v2.3 protocol implementation, which is the standard for real-time digital media buying and selling. This vulnerability allows fraudsters to conceal the true status of an Ad transaction, which in turn causes bidding engines to bid on more impressions per compromised host than originally intended.

Fraudsters achieve this by hoarding multiple Ad markups in a transient state for hours on end and replaying them in a burst. This has the potential to corrupt the bidding logic and compromise the integrity of the bids.

Pixalate has observed that as a result of fraudsters exploiting the Amnesia Bug, fraud on affected campaigns increases by up to 300 percent. The affected campaigns tend to have high viewability (in the range of 85-95 percent) and a highly desired user base. Frequency cap controls fail to work, and discrepancies between Ad exchanges and demand-side platforms (DSPs) spike.

Fix & Mitigation


Advertising vendors can mitigate this issue by ensuring a reasonable bid timeout is in place in their implementation of the OpenRTB protocol. This will ensure that impressions generated after a certain time period not be accepted as valid - hence non-billable.

Pixalate is also releasing a list of infected address list, which marketers can request at xindi@pixalate.com

Pixalate’s security team is recommending a fix in order to make the internet a safer place for everyone. However, we can’t guarantee this recommendation will work or is appropriate for your environment. You should assess your own vendors and consult experts as necessary to address your specific situation. Your use of any information in this document is at your own risk. All information is provided “AS IS” without any warranty of any kind. We expressly disclaim any liability for any loss or damages resulting directly or indirectly from your use of the information.


Pixalate is releasing the list of infected IP addresses, which have been exploiting this vulnerability, according to our data. Enterprise and Universities Network Security teams can request more data about the IP addresses belonging to their organizations.

For further details, please contact Pixalate at xindi@pixalate.com