Pierluigi Paganini May 17, 2016

According to the experts at Bitdefender an HTTPS hijacking click-fraud botnet dubbed Redirector.Paco infected almost 1 million devices since now.

Security experts at Bitdefender spotted a new click fraud botnet dubbed Redirector.Paco that has been around at least since September 2014 and has already infected more than 900,000 devices over the years.

Crooks behind the Redirector.Paco aimed to create a clickbot that is able to redirect all traffic performed when using a search engine (i.e. Google, Yahoo or Bing) and to replace the legitimate results with others decided by hackers to earn money from the AdSense program.

“To redirect the traffic the malware performs a few simple registry tweaks. It modifies the “AutoConfigURL” and “AutoConfigProxy” values from the “Internet Settings” registry key so that for every request that a user makes, a PAC (Proxy auto-config) file will be queried. This file tells the browser to redirect the traffic to a different address.” states a blog post from BitDefender.

The experts highlighted the existence of some indicators that could be associated with the fraudulent activity of the botnet, including:

• Displaying messages like “Waiting for proxy tunnel” or “Downloading proxy script” in the status bar of the browser.
• Long page loading time for Google page.
• Missing “o” characters above the number of search result pages.

The threat actors behind the Redirector.Paco botnet used to deliver the malware by bundling it with installers for benign applications, such as WinRAR and YouTube Downloader.

In one of the attacks spotted by the experts at Bitdefender, the installers dropped JavaScript files that modify the “Internet Settings” registry key in order to change the behavior of the web browser and force it into using a proxy auto-configuration (PAC) file created by the attacker to provide fake search results. The attackers also rely on a root certificate so that any connection that goes through the server specified in the PAC file looks private without raising suspicion.

“As shown, any request to any page that starts with https://www.google or https://cse.google will be redirected to the IP 93.*.*.240 on port 8484. However, at this point, since the requests are made on the HTTPS protocol, they will be accompanied by a warning that alerts the user that there is a problem with the certificate.” continues the post. “Update.txt downloads and installs a root certificate so that any connection that goes through the server specified in the PAC file looks private.”

The experts also spotted a variant of the Redirector.Paco botnet that relies on a .NET component that modifies search results locally by setting up a local server without redirecting traffic to an external server.

Most infected devices are located in India, but experts observed several infections also in the United States, Malaysia, Greece, Italy, Brazil and other African countries.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Redirector.Paco, botnet)