“Robin Hood” botnet siphoning Google traffic
Written by John P Mello Jr on October 14, 2009
The Bahama botnet is a Robin Hood of sorts.
History has a way of turning common thieves into romantic heroes. A band of woodland poachers in the Middle Ages becomes Robin Hood and His Merry Men. A crew of border state marauders becomes re-distributors of wealth on horseback led by Jesse James. A Depression Era pair of bank robbers becomes two lovebirds salting the salt of the earth with purloined cash as Bonnie and Clyde. And now we have the Bahama botnet.
While the Bahama botnet may not have the joie de vivre of a Robin of Locksley or the grit of the James boys or the youthful rebelliousness of “Romeo and Juliet in a Getaway Car”–after all it’s only a computer program–it does share a common characteristic with those outlaws. It robs from the rich to give to the poor–sort of.
“We have conducted additional research into the behavior of the Bahama botnet and found that it acts as a sort of perverted ‘Robin Hood’ among ad networks by robbing ad revenue from the top-tier players and delivering fraudulent traffic to second- and third-tier ad networks and publishers,” Matt Graham, of Click Forensics, an Internet advertising traffic analysis firm, reported in the company’s blog last week.
One of the top-tier players cheated by the bot, Click Forensics revealed, is the Big Kahuna of clicks-into-cash, Google. Here’s how the malware does it.
When a Web surfer with an infected machine performs a Google search, the results appear genuine, but they’re not. That’s because the malware uses a technique Click Forensics describes as DNS Poisoning to make what one sees not what one gets.
DNS Poisoning interferes with the way a Web address is turned into a destination. Every computer connected to the Internet has an IP address, a string of numbers like 216.239.51.99. Because human beings remember words more easily than strings of numbers, the Domain Name System was devised: it associates a domain name, like Google.com, with an IP address, and the browser connects to that address. DNS Poisoning intervenes in that lookup. The infected machine is fed an answer other than the one the DNS system actually assigns to the domain, so the browser connects to an attacker’s server while the address bar still shows the real domain name. (On an infected host this is commonly achieved by tampering with the machine’s own resolution path, for instance its hosts file or resolver settings, rather than by poisoning the public DNS; the article does not say which method Bahama uses.)
In the Bahama bot case, the poisoned lookup diverts Google traffic to a server in Canada. That server serves the text of the genuine Google results but alters the underlying links. So when users click on an apparent “organic” link, they’re actually clicking on a pay-per-click link. An advertiser would normally pay Google for such a click, but here it doesn’t, because the malware routes the click around Google’s click-counting technology. Moreover, the infected user is none the wiser. Although the click is registered at the advertiser’s site, that site never appears in the user’s browser. Instead, after the click has been registered, the browser is forwarded to the destination of the original organic result. Everything looks copacetic to the user. The advertiser gets a free click and its traffic metrics are incremented. And Google makes no revenue from the transaction.
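Because the redirection described above starts on the victim’s own machine, the simplest check an administrator can run is to look at how that machine resolves the hijacked domains. The script below is an added example written for this article, not code from Click Forensics or from the botnet analysis: it flags hosts-file entries that pin a search-engine domain to any address, and it flags resolver answers that fall outside the address ranges the domain’s operator is expected to use. The hosts-file contents, the resolver answers and the expected ranges are all constructed sample data using documentation IP ranges, and the list of watched domains is an assumption, not something the article provides.

```python
import ipaddress

# Domains an ad-fraud bot would want to hijack. Assumed list for this example.
WATCHED = ("google.com", "bing.com", "yahoo.com")

# Constructed sample hosts file; 198.51.100.0/24 and 192.0.2.0/24 are
# documentation ranges, not the address of any real server.
SAMPLE_HOSTS = """\
# sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost
192.0.2.10      intranet.example   # benign local entry
198.51.100.7    www.google.com google.com
"""

# Constructed resolver answers and the ranges we would expect them to fall in.
# In practice the expected ranges come from the operator's published netblocks.
SAMPLE_LOCAL_ANSWERS = {
    "www.google.com": {"198.51.100.7"},
    "www.example.com": {"203.0.113.5"},
}
SAMPLE_EXPECTED_RANGES = {
    "www.google.com": ["203.0.113.0/24"],   # placeholder for the real operator ranges
    "www.example.com": ["203.0.113.0/24"],
}


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, skipping comments and junk."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # not an address; ignore the line
        for name in parts[1:]:
            entries.append((str(ip), name.lower().rstrip(".")))
    return entries


def matches_watched(name, watched=WATCHED):
    """True if name is a watched domain or a subdomain of one."""
    return any(name == w or name.endswith("." + w) for w in watched)


def find_hosts_overrides(text, watched=WATCHED):
    """Hosts-file entries that pin a watched domain to any address at all.
    A legitimate workstation has no reason to carry such an entry, so every
    hit deserves a look."""
    return [(ip, name) for ip, name in parse_hosts(text) if matches_watched(name, watched)]


def outside_expected_ranges(answers, expected):
    """Resolver answers that fall outside the ranges the domain's operator uses.
    answers:  name -> set of IP strings returned by the local resolver
    expected: name -> list of CIDR strings the operator is known to use
    Returns name -> sorted list of addresses outside every expected range."""
    flagged = {}
    for name, ips in answers.items():
        nets = [ipaddress.ip_network(c) for c in expected.get(name, [])]
        if not nets:
            continue                          # nothing to compare against
        rogue = [ip for ip in ips if not any(ipaddress.ip_address(ip) in n for n in nets)]
        if rogue:
            flagged[name] = sorted(rogue)
    return flagged


if __name__ == "__main__":
    for ip, name in find_hosts_overrides(SAMPLE_HOSTS):
        print(f"hosts file pins {name} to {ip}")
    for name, ips in outside_expected_ranges(SAMPLE_LOCAL_ANSWERS, SAMPLE_EXPECTED_RANGES).items():
        print(f"{name} resolves to {ips}, outside the expected ranges")
```

A hit from the hosts-file check is close to conclusive, since no normal workstation pins a search engine’s domain. The range check is only a lead: large operators answer from many netblocks and change them, so a mismatch should be confirmed against the operator’s current published ranges or an independent resolver before the machine is treated as infected.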
Whom the botnet, named after its original traffic diversion pattern through some 200,000 parked domains in the Bahamas, is designed to benefit is a bit of a mystery. According to Click Forensics, some of the sites receiving free clicks are aware of the scam; others are not.
Click-fraudsters have a number of motives for their mischief. Some want competitors to waste their online advertising dollars on empty clicks, clicks without a popsicle’s chance in hell of creating a sale. Others want to collect commissions on the clicks, even though the clicks can’t be linked to prospective customers. The commission angle is the most likely one behind the Bahama botnet, according to Click Forensics.
What makes the Bahama botnet particularly hard to identify is the lengths it goes to in shielding its activities. For example, it limits the number of ads a single user can click on, to avoid appearing suspicious to click-fraud filters. Click too many times on a bogus search page and the software will stop diverting your clicks through the ad networks it uses.
“What makes the botnet so insidious is that it operates intermittently so that the user doesn’t really know that anything is wrong,” Click Forensics noted.
“Additionally,” it continued, “it can operate independently of the user because the authors appear to be building a large database of authentically user-generated search queries.”
“And because the queries come from many different machines (IPs) across a broad segment of the Internet population,” it added, “it is very difficult to find and identify these clicks as fraudulent.”
According to Click Forensics, in some cases, the botnet has turned as much as 30 percent of an advertiser’s pay-per-click budget into bogus traffic.