Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Clickfraud Malware Hijacked Searches on 900,000 Devices

A clickfraud botnet that has ensnared a large number of devices around the world hijacks search results to help cybercriminals make a profit through Google’s AdSense program.

A clickfraud botnet that has ensnared a large number of devices around the world hijacks search results to help cybercriminals make a profit through Google’s AdSense program.

According to Bitdefender, the malware powering the botnet, dubbed Redirector.Paco, has been around since September 2014 and until now it has infected more than 900,000 devices. A majority of the victims are located in India, but infections have also been spotted in the United States, Malaysia, Greece, Italy, Brazil and several African countries.

Once it infects a device, the Trojan makes some modifications to the system so that results from popular search engines such as Google, Yahoo and Bing are replaced with the results of a custom Google search, ensuring that the attackers make a profit from the ads that are displayed.

While the cybercrooks have tried to make everything look as legitimate as possible, there are some signs that could make users suspicious, including longer page loading times, proxy-related messages in the browser status bar, and the missing “o” characters above the number of search result pages.

Cybercriminals deliver the malware to users by bundling it with installers for popular applications, such as WinRAR and YouTube Downloader. The attackers add their malicious files to the genuine installer using the Advanced Installer tool.

In one version of the attack analyzed by Bitdefender, the malicious installers dropped JavaScript files designed to modify values in the “Internet Settings” registry key to ensure that the victim’s web browser downloaded and used a proxy auto-configuration (PAC) file created by the attacker.

The PAC file ensures that any request made to Google search is redirected through an external server controlled by the attacker.

Normally this would result in the browser displaying a security alert due to the fact that the HTTPS connection is broken. However, cybercriminals overcame this challenge by installing a root certificate provided by a free web debugging proxy called Fiddler (DO_NOT_TRUST_FiddlerRoot). The certificate, which is often abused by malware and adware, ensures that Redirector.Paco victims see an HTTPS connection and they’re not warned by their browser.

The JavaScript files used by the malware have been disguised as TXT, PDF and INI files, and in some cases they were broken up into pieces that were placed in random locations in a configuration file.

A different variant of the Redirector.Paco attack relies on a .NET component that modifies search results locally without using an external server. In these attacks, the malware sets up a local server and launches a man-in-the-middle attack. The PAC file is retrieved from an HTTP server on the local system and Fiddler certificates are again used to avoid HTTPS warnings.

Related Reading: Authorities Disrupt Mumblehard Linux Botnet

Related Reading: New Remaiten Malware Builds Botnet of Linux-Based Routers

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Fortinet warned of three malicious PyPI packages containing code that fetches the Wacatac trojan and information stealer.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

A GitHub Codespaces feature meant to help with code development and collaboration can be abused for malware delivery.

Malware & Threats

Avast and Bitdefender have released decryptors to help victims of BianLian and MegaCortex ransomware recover their data for free.