Clickfraud Malware Hijacked Searches on 900,000 Devices

A clickfraud botnet that has ensnared a large number of devices around the world hijacks search results to help cybercriminals make a profit through Google’s AdSense program.

According to Bitdefender, the malware powering the botnet, dubbed Redirector.Paco, has been around since September 2014 and to date it has infected more than 900,000 devices. The majority of victims are located in India, but infections have also been spotted in the United States, Malaysia, Greece, Italy, Brazil and several African countries.

Once it infects a device, the Trojan makes some modifications to the system so that results from popular search engines such as Google, Yahoo and Bing are replaced with the results of a custom Google search, ensuring that the attackers make a profit from the ads that are displayed.

While the cybercrooks have tried to make everything look as legitimate as possible, there are some signs that could make users suspicious, including longer page loading times, proxy-related messages in the browser status bar, and the missing “o” characters above the number of search result pages.

Cybercriminals deliver the malware to users by bundling it with installers for popular applications, such as WinRAR and YouTube Downloader. The attackers add their malicious files to the genuine installer using the Advanced Installer tool.

In one version of the attack analyzed by Bitdefender, the malicious installers dropped JavaScript files designed to modify values in the “Internet Settings” registry key to ensure that the victim’s web browser downloaded and used a proxy auto-configuration (PAC) file created by the attacker.

The PAC file ensures that any request made to Google search is redirected through an external server controlled by the attacker.

Normally this would result in the browser displaying a security alert because the HTTPS connection is being intercepted. However, the cybercriminals overcame this obstacle by installing a root certificate provided by a free web debugging proxy called Fiddler (DO_NOT_TRUST_FiddlerRoot). The certificate, which is often abused by malware and adware, ensures that Redirector.Paco victims see what appears to be a valid HTTPS connection and are not warned by their browser.

The JavaScript files used by the malware have been disguised as TXT, PDF and INI files, and in some cases they were broken up into pieces that were placed in random locations in a configuration file.

A different variant of the Redirector.Paco attack relies on a .NET component that modifies search results locally without using an external server. In these attacks, the malware sets up a local server and launches a man-in-the-middle attack. The PAC file is retrieved from an HTTP server on the local system and Fiddler certificates are again used to avoid HTTPS warnings.
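The two persistence points described above, the proxy auto-configuration entry under the per-user "Internet Settings" key and the Fiddler root certificate, can be checked on a Windows host with a short read-only script. The script below is an added example, not code from the article or from Bitdefender; the registry path, value names and certificate store paths are standard Windows locations, and the expected PAC host list is a placeholder you would replace with your own environment's values.

```powershell
# Added example: read-only triage for Redirector.Paco-style proxy and root-certificate
# indicators on a Windows host. It reports findings and changes nothing.

$findings = @()

# 1. Proxy auto-configuration under the per-user Internet Settings key.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue

if ($inet -and $inet.AutoConfigURL) {
    $url = $inet.AutoConfigURL
    # Placeholder (assumed value): the PAC host(s) your organisation actually uses.
    # A PAC served from localhost (the .NET variant) or from an unknown external
    # host is exactly the pattern described in the article.
    $expectedPacHosts = @('pac.corp.example')
    try { $pacHost = ([System.Uri]$url).Host } catch { $pacHost = $url }
    if ($expectedPacHosts -notcontains $pacHost) {
        $findings += "AutoConfigURL points to an unexpected PAC source: $url"
    }
}

if ($inet -and $inet.ProxyEnable -eq 1 -and $inet.ProxyServer) {
    $findings += "Explicit proxy configured: $($inet.ProxyServer)"
}

# 2. Trusted root stores: Fiddler's debugging CA does not belong on a production box.
foreach ($store in 'Cert:\CurrentUser\Root', 'Cert:\LocalMachine\Root') {
    Get-ChildItem -Path $store -ErrorAction SilentlyContinue |
        Where-Object { $_.Subject -like '*DO_NOT_TRUST_FiddlerRoot*' } |
        ForEach-Object {
            $findings += "Fiddler root certificate in $store (thumbprint $($_.Thumbprint))"
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No proxy auto-config or Fiddler root certificate indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

A hit on either check is a lead, not a verdict: a legitimate corporate PAC or a developer's own Fiddler install produces the same result, so confirm by reviewing the PAC file contents for search-engine hosts being routed through a proxy.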

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.