Security experts have just reported that a brand new botnet that plunders Google advertising revenues has already hit about one million computers.
The so-called “redirector.paco botnet” steals advertising revenue by replacing a website’s Google AdSense for Search results on infected machines with its own.
According to the Bitdefender security researchers Cristina Vatamanu, Răzvan Benchea, and Alexandru Maximciuc, the newly found botnet has been active since September 2014 and has infected more than 900,000 machines across India, Malaysia, Greece, and the USA.
The experts claim that the malware mounts a man-in-the-middle attack: it uses a root certificate to issue certificates for Google, Yahoo, and Bing that the victim’s browser accepts.
“To redirect the traffic the malware performs a few simple registry tweaks [modifying] the AutoConfigURL and AutoConfigProxy values from the internet settings registry key so that for every request that a user makes, a proxy auto-config file will be queried,” the experts explained.
“This file tells the browser to redirect the traffic to a different address.”
“The malware tries to make the search results look authentic.”
Infected computers show the message ‘waiting for proxy tunnel’ or ‘downloading proxy script’ in the browser status bar, and take a long time to load Google results.
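The two registry values and the PAC redirect described above are what a defender would check for on a suspect host. The following is an added example, not code from the article or from Bitdefender: it parses the text printed by `reg query` for the Internet Settings key, flags an AutoConfigURL that is not on an allow-list, flags an AutoConfigProxy handler other than the usual `wininet.dll` (the baseline value is an assumption you should confirm against a clean machine), and applies a simple heuristic to a fetched PAC script; the sample registry output and PAC script are constructed.

```python
import re

# Key the article names; on a host it is dumped with:  reg query "<key>"
INTERNET_SETTINGS = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
# Search engines whose certificates the article says the botnet forges.
SEARCH_HOSTS = ("google.", "yahoo.", "bing.")
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")


def parse_reg_query(output):
    """Parse `reg query` text into {value_name: data} for the Internet Settings key only."""
    values, in_key = {}, False
    for line in output.splitlines():
        if not line.startswith(" ") and line.strip():      # a key path line
            in_key = line.strip().lower() == INTERNET_SETTINGS.lower()
            continue
        m = VALUE_RE.match(line)                            # an indented value line
        if in_key and m:
            values[m.group(1)] = m.group(3).strip()
    return values


def audit_proxy_settings(output, allowed_pac_urls=()):
    """Return findings for the PAC-related tampering the article attributes to redirector.paco."""
    values = parse_reg_query(output)
    findings = []
    url = values.get("AutoConfigURL")
    if url and url not in allowed_pac_urls:
        findings.append(f"AutoConfigURL points to an unexpected PAC file: {url}")
    # Assumed baseline: AutoConfigProxy normally names wininet.dll; another handler is suspicious.
    handler = values.get("AutoConfigProxy")
    if handler and handler.lower() != "wininet.dll":
        findings.append(f"AutoConfigProxy handler replaced: {handler}")
    return findings


def pac_targets_search_engines(pac_text):
    """True if a PAC script sends search-engine hosts through a PROXY, i.e. the redirect described."""
    text = pac_text.lower()
    return "proxy " in text and any(h in text for h in SEARCH_HOSTS)


# Constructed sample data (not a real capture).
SAMPLE_REG_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
    AutoConfigURL    REG_SZ    http://pac.example.invalid/proxy.pac
    AutoConfigProxy    REG_SZ    wininet.dll
    ProxyEnable    REG_DWORD    0x0
"""
SAMPLE_PAC = """function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.google.*") || shExpMatch(host, "*.bing.com")) return "PROXY 198.51.100.7:8080";
  return "DIRECT";
}"""
```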
The malware usually hides in trojanised software packages such as YouTube Downloader, pirated WinRAR, the KMSpico Windows application cracker, and Stardock Start.
The security researchers have published a full technical analysis of the infection. They say that users can avoid infection with standard security best practices, and by not downloading software from untrusted websites.