Botnet Leverages Search Results

Friday, May 20, 2016 @ 03:05 PM gHale


There is a click-fraud botnet that steals search results pages using a local proxy.

As with every other botnet, it all begins with the infection point, said researchers at Bitdefender, who named the botnet Million-Machine.


For Million-Machine, this happens when users download and install trojanized copies of popular software, such as WinRAR, YouTube Downloader, Connectify, KMSPico, or Stardock Start8.

The malware behind this botnet is Redirector.Paco. Once it infects a computer, Paco adds two autostart entries to the local registry, disguised as “Adobe Flash Scheduler” and “Adobe Flash Update,” so that the malware runs again after every reboot.

Additionally, the malware changes the Internet Explorer proxy settings, pointing them at a PAC (Proxy Auto Configuration) script that routes all Web traffic through a local proxy server listening on port 9090. Because these are the system-wide WinINet proxy settings, browsers and applications that follow the system proxy by default are redirected as well, not just Internet Explorer.

This redirection lets the malware inspect and rewrite all Web traffic leaving the PC. Paco watches for queries to popular search engines such as Google, Bing or Yahoo and serves fake pages in their place that mimic the real search engine’s UI.

Since the proxy must terminate TLS to rewrite an HTTPS search page, the malware also installs a local certificate that the browser trusts, so no HTTPS error is shown. A user who has the presence of mind to click the lock icon in the address bar, however, will see that the certificate was issued by that local authority rather than by the certificate authority the search engine actually uses.
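The host-level checks a responder would run for the indicators described above (the decoy autostart names, the PAC hijack, the proxy on port 9090 and the locally installed certificate), as an added PowerShell example. This is not Bitdefender’s code and is not taken from the article; the exact registry locations it inspects (the HKLM/HKCU Run keys and the WinINet AutoConfigURL value), the loopback-address pattern it looks for in the PAC file and the 90-day window for recently issued root certificates are assumptions made here for illustration.

```powershell
# Added triage script for the Paco indicators described in the article. Not Bitdefender's
# code. The "Adobe Flash Scheduler"/"Adobe Flash Update" names, the PAC hijack and the local
# proxy on port 9090 come from the article; the Run keys, the AutoConfigURL value and the
# 90-day root-certificate window are assumptions. Run in an elevated PowerShell session.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Autostart entries using the decoy names. The article does not say which key is used;
#    the HKLM/HKCU Run keys are the assumption here.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -match '^Adobe Flash (Scheduler|Update)$') {
            $findings.Add("Autostart '$($prop.Name)' in $key -> $($prop.Value)")
        }
    }
}

# 2. WinINet proxy settings. AutoConfigURL holds the PAC location; a PAC that sends
#    traffic to a loopback proxy on 9090 matches the hijack described in the article.
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$pacUrl = (Get-ItemProperty -Path $inet -Name AutoConfigURL -ErrorAction SilentlyContinue).AutoConfigURL
if ($pacUrl) {
    $findings.Add("AutoConfigURL is set: $pacUrl")
    $pacPath = $pacUrl -replace '^file:///?', ''
    if (Test-Path -LiteralPath $pacPath) {
        $pacText = Get-Content -LiteralPath $pacPath -Raw
        if ($pacText -match 'PROXY\s+(127\.0\.0\.1|localhost)\s*:\s*9090') {
            $findings.Add("PAC script $pacPath routes traffic through a local proxy on port 9090")
        }
    }
}

# 3. Is anything listening on the proxy port, and which process owns the socket?
foreach ($conn in (Get-NetTCPConnection -LocalPort 9090 -State Listen -ErrorAction SilentlyContinue)) {
    $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
    $findings.Add("Port 9090 listener: PID $($conn.OwningProcess) ($($proc.ProcessName)) on $($conn.LocalAddress)")
}

# 4. Recently issued root certificates. The local CA that suppresses HTTPS errors has to be
#    in a trusted root store, and a freshly generated root is much newer than the
#    vendor-shipped ones. 90 days is an arbitrary window chosen for this example.
$cutoff = (Get-Date).AddDays(-90)
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    foreach ($cert in (Get-ChildItem -Path $store | Where-Object { $_.NotBefore -gt $cutoff })) {
        $findings.Add("Recent root certificate in ${store}: '$($cert.Subject)' thumbprint $($cert.Thumbprint)")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Paco-style indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Each finding is a lead, not a verdict: a recently added root certificate may be a legitimate corporate CA, and a listener on 9090 may be an unrelated service, so confirm the owning process and the certificate issuer before cleaning the host. The certificate check only looks at issue date; comparing the thumbprints against the organization’s known roots is the stronger test where that list exists.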

After the user enters a search query, the malware returns a fake results page in which many of the real links are replaced with results obtained from a Google Custom Search Engine.

“The goal is to help cyber-criminals earn money from the AdSense program,” said Bitdefender’s Alexandra Gheorghe in a blog post. “Google’s AdSense for Search program places contextually relevant ads on Custom Search Engine’s search results pages and shares a portion of its advertising revenue with AdSense partners.”

On Google, users can recognize the fake results pages by the missing Google logo at the bottom of the page. The pages also take noticeably long to load, and users may see messages such as “Waiting for proxy tunnel” or “Downloading proxy script” in the browser’s status bar.

All Paco infections report to a central command-and-control server, and Bitdefender said the botnet has infected over 900,000 machines worldwide since it first appeared in mid-September 2014.

Most victims, according to the security firm, are in India, followed by Malaysia, Greece, the U.S., Italy, Pakistan, Brazil, and Algeria.