A clickfraud botnet that has ensnared a large number of devices around the world hijacks search results to help cybercriminals make a profit through Google’s AdSense program.
According to Bitdefender, the malware powering the botnet, dubbed Redirector.Paco, has been around since September 2014 and until now it has infected more than 900,000 devices. A majority of the victims are located in India, but infections have also been spotted in the United States, Malaysia, Greece, Italy, Brazil and several African countries.
Once it infects a device, the Trojan makes some modifications to the system so that results from popular search engines such as Google, Yahoo and Bing are replaced with the results of a custom Google search, ensuring that the attackers make a profit from the ads that are displayed.
While the cybercrooks have tried to make everything look as legitimate as possible, there are some signs that could make users suspicious, including longer page loading times, proxy-related messages in the browser status bar, and the missing “o” characters above the number of search result pages.
Cybercriminals deliver the malware to users by bundling it with installers for popular applications, such as WinRAR and YouTube Downloader. The attackers add their malicious files to the genuine installer using the Advanced Installer tool.
In one version of the attack analyzed by Bitdefender, the malicious installers dropped JavaScript files designed to modify values in the “Internet Settings” registry key to ensure that the victim’s web browser downloaded and used a proxy auto-configuration (PAC) file created by the attacker.
The PAC file ensures that any request made to Google search is redirected through an external server controlled by the attacker.
Normally this would result in the browser displaying a security alert due to the fact that the HTTPS connection is broken. However, cybercriminals overcame this challenge by installing a root certificate provided by a free web debugging proxy called Fiddler (DO_NOT_TRUST_FiddlerRoot). The certificate, which is often abused by malware and adware, ensures that Redirector.Paco victims see an HTTPS connection and they’re not warned by their browser.
The JavaScript files used by the malware have been disguised as TXT, PDF and INI files, and in some cases they were broken up into pieces that were placed in random locations in a configuration file.
A different variant of the Redirector.Paco attack relies on a .NET component that modifies search results locally without using an external server. In these attacks, the malware sets up a local server and launches a man-in-the-middle attack. The PAC file is retrieved from an HTTP server on the local system and Fiddler certificates are again used to avoid HTTPS warnings.
Related Reading: Authorities Disrupt Mumblehard Linux Botnet
Related Reading: New Remaiten Malware Builds Botnet of Linux-Based Routers