A group of cyber criminals has infected as much as 1 Million computers around the world over the past two years with a piece of malware that hijacks search results pages using a local proxy.

Security researchers from Romania-based security firm Bitdefender revealed the presence of this massive click-fraud botnet, which the researchers named Million-Machine Campaign.

For those unaware, Botnets are networks of computers infected with malware designed to take control of the infected system without the owner's knowledge, potentially being used for launching distributed denial-of-service (DDoS) attacks against websites.

The malware in question is known as Redirector.Paco that alone has infected over 900,000 machines around the world since its release in 2014.

The Redirector.Paco Trojan infects users when they download and install tainted versions of popular software programs, such as WinRAR, YouTube Downloader, KMSPico, Connectify, or Stardock Start8.

Once infected, Paco modifies the computer's local registry keys and adds two new entries disguised as "Adobe Flash Update" and "Adobe Flash Scheduler," to make sure the malware starts after every computer boot-up process.

Besides this, the malware drops JavaScript files that downloads and implements a PAC (Proxy Auto Configuration) file that hijacks all Web traffic, ensuring traffic routes through an attacker-controlled server.

Search Engine Display Fake Results even Over HTTPS

Paco then sniffs all Web traffic originating from the infected computer and looks for queries made over popular search engines like Google, Bing, or Yahoo! and replace the actual results with fake Web pages, mimicking their real User Interface.

The botnet has the ability to redirect search engine results even when the results are served over encrypted HTTPS connections. To do so, the malware uses a free root certificate ‒ DO_NOT_TRUST_FiddlerRoot ‒ that avoid your browser showing HTTPS errors.
"The goal is to help cyber-criminals earn money from the AdSense program," Bitdefender's Alexandra Gheorghe said in a blog post. "Google's AdSense for Search program places contextually relevant ads on Custom Search Engine's search results pages and shares a portion of its advertising revenue with AdSense partners."
Although the malware tries to make the search results look authentic, some markers can raise suspicions, like messages showing "Waiting for proxy tunnel" or "Downloading proxy script" in the status bar of your web browser.

Additionally, the search engine takes longer than usual to load results, and the typical yellow 'O' characters in Google above the page numbers are not displayed, according to researchers.

The security firm says that majority of victims are from India, Malaysia, Greece, the United States, Italy, Pakistan, Brazil, and Algeria.

However, to avoid these kinds of cyber threats, following standard security measures could save your ass, such as keep your system and antivirus up-to-date, and always keep an eye on warning that says something is not right with your computer.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.