Researchers from Bitdefender have released a study showing that click fraud botnets have taken over an estimated 1 million machines worldwide. The Redirector.Paco Trojan alone has infected over 900,000 machines worldwide since its release in 2014.

The malware was created to intercept searches made on popular search engines (Google, Yahoo, or Bing) and replace the genuine results with results taken from a custom search. This lets a third party steer search results toward specific websites, effectively hijacking the search. Google’s AdSense for Search then places advertisements on the redirected results page, and those sites illegally collect the ad revenue, a practice commonly known as click fraud. The botnet can redirect search engine results even when the search is made over an HTTPS connection.

While the custom search results are made to look authentic, as if they came directly from the actual search engine, some clues that a computer may be infected with the botnet include abnormally slow loading times, or messages in the browser status bar that read ‘waiting for proxy tunnel’ or ‘downloading proxy script.’ Also, the botnet search results that mimic Google often lack the distinctive yellow letter ‘o’ in Google, written above the page numbers.

The malware comes in two variants: one hosted on a remote server, and one hosted on the end user’s computer. Either allows a third party to mount a man-in-the-middle (MITM) attack: search engine results are intercepted by the proxy, replaced with the custom search results, then re-encrypted and sent back to the user.

The infection begins with a modified MSI installer bundled with otherwise benign software such as WinRAR, YouTube Downloader, or Connectify. The installation files are modified using Advanced Installer. In one example, a file called reset.txt modifies the user’s internet settings, a file called update.txt installs a root certificate so that the PAC file looks private to the untrained eye, and two scheduled tasks, disguised as Adobe Flash updates, keep the malware persistent on the system. Other variants were studied as well, including one written in JavaScript and one using .NET.
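To show the proxy-based hijack described above from the auditing side, here is an added example that is not code from Bitdefender or from the study: it evaluates a proxy auto-config (PAC) script against a few search-engine URLs and reports which ones the script would send through a proxy rather than DIRECT. The PAC text, the proxy host (proxy.invalid) and the URLs are constructed placeholders, not values taken from the malware.

```javascript
// Added example: audit a PAC script for selective proxying of search engines.
// SAMPLE_PAC is a constructed illustration of the pattern the article describes:
// search-engine hosts go through a proxy, everything else stays DIRECT.
const SAMPLE_PAC = `
function FindProxyForURL(url, host) {
  if (dnsDomainIs(host, ".google.com") ||
      dnsDomainIs(host, ".bing.com") ||
      shExpMatch(host, "*search.yahoo.com*")) {
    return "PROXY proxy.invalid:8080";   // placeholder proxy host
  }
  return "DIRECT";
}
`;

// Minimal stand-ins for the helper functions a browser exposes to PAC scripts.
function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"); }
const pacHelpers = {
  dnsDomainIs: (host, domain) => host.endsWith(domain),
  shExpMatch: (str, pattern) =>
    new RegExp("^" + pattern.split("*").map(escapeRegExp).join(".*") + "$").test(str),
  isPlainHostName: (host) => !host.includes("."),
};

// Evaluate the PAC text in a scope that provides the helpers and return FindProxyForURL.
// new Function is used so the helpers are the only names the script can see.
function loadPac(pacText) {
  const names = Object.keys(pacHelpers);
  const factory = new Function(...names, pacText + "\nreturn FindProxyForURL;");
  return factory(...names.map((n) => pacHelpers[n]));
}

// Return the URLs (with the PAC decision) whose traffic would be routed via a proxy.
function auditPac(pacText, urls) {
  const findProxy = loadPac(pacText);
  const flagged = [];
  for (const url of urls) {
    const host = new URL(url).hostname;
    const decision = findProxy(url, host);
    if (/^\s*PROXY\b/i.test(decision)) flagged.push({ url, decision });
  }
  return flagged;
}

// Constructed probe URLs: the three search engines named in the article plus a control.
const SEARCH_URLS = [
  "https://www.google.com/search?q=test",
  "https://www.bing.com/search?q=test",
  "https://search.yahoo.com/search?p=test",
  "https://example.com/",
];

console.log(auditPac(SAMPLE_PAC, SEARCH_URLS)); // flags the three search-engine URLs
```

On a machine suspected of infection the same audit can be run against the PAC URL found in the system's internet settings, which is where the article says reset.txt makes its change.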

Redirector.Paco has infected almost one million IPs worldwide and can be found primarily in India, Malaysia, Greece, the US, Italy, Pakistan, Brazil and Argentina.