A million machines enslaved by MitM Google ad fraud botnet

Better the devil you know as malware replaces Alphabet ads with less sanitary banners

About a million computers have been enslaved into a newly-identified botnet that is plundering Google advertising revenues, a security trio says.

The redirector.paco botnet steals advertising revenue by replacing a website's Google AdSense for search results on infected machines with their own.

Bitdefender security researchers Cristina Vatamanu, Răzvan Benchea, and Alexandru Maximciuc say the botnet has been active since September 2014 and has infected more than 900,000 machines across India, Malaysia, Greece, and the USA.

They say the malware serves as a man-in-the-middle attack using a root certificate to spit out certificates for Google, Yahoo, and Bing that are accepted by the victim's browser.

"To redirect the traffic the malware performs a few simple registry tweaks [modifying] the AutoConfigURL and AutoConfigProxy values from the internet settings registry key so that for every request that a user makes, a proxy auto-config file will be queried," the trio say.

"This file tells the browser to redirect the traffic to a different address.

"The malware tries to make the search results look authentic."

Infected machines bear the message 'waiting for proxy tunnel' or 'downloading proxy script' in the browser status bar, and take a long time to load Google results.

The malware is hiding in infected software packages including Youtube Downloader, pirate WinRAR, the popular KMSpico Windows application cracker, and Stardock Start.

The group has detailed a full technical analysis of the infection.

Users can avoid infection with normal best practice security controls and avoiding downloading software from untrusted sources. ®

Biting the hand that feeds IT © 1998–2021