A click-fraud botnet dubbed “Redirector.Paco Trojan” has infected 900,000 IPs worldwide and has the ability to reconfigure browser settings and network communications.
The malware’s objective is help cybercriminals earn money from AdSense by redirecting traffic running through popular search engines – such as Google, Yahoo or Bing – and replace the results with others obtained from a Google custom search, according to a May 16 Bitdefender blog post.
The malware is spread via installers that are distributed through unscrupulous download sites and by exploiting web application vulnerabilities, Checkmarx Director of Product Marketing Amit Ashbel told SCMagazine.com via emailed comments.
To redirect traffic, the malware “modifies the ‘AutoConfigURL’ and ‘AutoConfigProxy’ values from the ‘Internet Settings’ registry key so that for every request a user makes, a PAC (Proxy auto-config) file will be queried,” the post said. The malware then tells the browser to redirect traffic to a different address.
Ashbel said the botnet has gone to great lengths to reconfigure browser settings and network communication configurations and the malware’s ability to tamper with AdSense should worry Google.
“While the attack has targeted the PC communication channel, at the same time it has launched a man in the middle (MitM) attack technique tampering with Google’s results which I guess will have some level of impact (even if minor) on the search engine giant’s service,” Ashbel said.
The malware’s capabilities lead Ashbel to believe the botnet’s author has plans to use the malware for other types of attacks in the future.
“Performing the configuration changes including registry modifications and PAC file configurations indicate that the botnet could technically perform much more than just clickfraud,” which could include downloading more payloads which could cause greater damage, he said.
Ashbel noted that the botnet displays a shift in revenue streams for the threat actors.
“Most interesting is the fact that the hackers are basing their revenue on Adsense clicks rather than on data theft or key logging functionality to later on capitalize on the data and credentials stolen,” Ashbel said.
To prevent infection, Ashbel said users shouldn’t download applications from shady sources, ensure the certificates details of their search engines are valid, and use a limited Windows account if possible in order to limit administrative privileges that the botnet could potentially exploit.
CEO of Cymmetria Gadi Evron told SCMagazine.com via emailed comments that botnets are essentially the infrastructure for cybercrime.
“Ad fraud and click fraud botnets have been a rising issue for quite some time, costing advertising customers (the main victim) millions,” he said. “That said, botnets, including botnets of this size, are common.”