Researchers from Romanian security firm Bitdefender have revealed today the presence of a massive click-fraud botnet, which they named Million-Machine and hijacks search results pages using a local proxy.
As with every other botnet, it all begins with the infection point. For Million-Machine, this happens when users download and install tainted versions of popular software programs, such as WinRAR, YouTube Downloader, Connectify, KMSPico, or Stardock Start8.
Paco malware responsible for the rise of this botnet
The malware responsible for this botnet’s rise is called Redirector.Paco. Once it reaches and infects a computer, Paco will modify the computer’s local registry keys, adding two entries disguised as “Adobe Flash Scheduler” and “Adobe Flash Update,” which will make sure the malware starts after every PC boot-up.
Additionally, the malware also modifies Internet Explorer proxy settings, adding a PAC (Proxy Auto Configuration) script that hijacks all Web traffic through a local proxy server on port 9090.
This redirection allows the malware to sniff all Web traffic originating from the PC. Paco will look for queries made to popular search engines like Google, Bing or Yahoo, and show fake Web pages in their place, mimicking their real UI.
Malware comes with its own certificate to disguise HTTPS traffic
A local certificate allows the malware to avoid showing HTTPS errors in the user’s browser, but if the user has the presence of mind to press the lock icon in their address bar, they’ll see the true source of their certificate being different from what it is supposed to be.
After the user enters their search queries, the malware will return fake search results that replace many of the real links with others obtained from a Google custom search.
“The goal is to help cyber-criminals earn money from the AdSense program,”‘s Alexandra Gheorghe. “Google’s AdSense for Search program places contextually relevant ads on Custom Search Engine’s search results pages and shares a portion of its advertising revenue with AdSense partners.”
Botnet makes nearly one million victims
For Google, users can tell these fake search results pages by the lack of a Google logo at the bottom of the page. Additionally, pages also take quite a long time to load, and users may also see messages such as “Waiting for proxy tunnel” or “Downloading proxy script” in the browser’s status bar.
All Paco malware infections are coordinated from a central command server, and Bitdefender claims the botnet made over 900,000 victims worldwide since its appearance in mid-September 2014.
Most targets, according to the security firm, are located in India, followed by Malaysia, Greece USA, Italy, Pakistan, Brazil, and Algeria.