
Paco Botnet Manipulates Popular Search Engine Results of One Million Compromised Computers

Posted: May 16, 2016

The Bitdefender security firm has discovered that a botnet of compromised computers, called Million-Machine, is a massive click-fraud botnet that hijacks search results through the use of a local proxy.

Botnets have long been a significant security threat to a huge number of vulnerable computers. Technically, botnets are not actual malware infections. Instead, they are groups of systems that have been compromised with malware specifically designed to connect to a command and control server and gather instructions for activities that are usually performed over the Internet.

In a recent case, nearly one million compromised computers were formed into a botnet dubbed "Million-Machine," in which malware called "Redirector.Paco" has taken over the targeted computers to manipulate popular search engine results. The infected systems in the Paco botnet actively use a local proxy to hijack web traffic and seek out queries made to popular search engines. Google, Bing and Yahoo are among the search engines whose results the Paco malware and its botnet are manipulating.

The malware included in the botnet of one million compromised computers performs multiple layers of activity. To force itself to start with each system boot, the malware modifies a computer's local registry key, adding two entries masked as Adobe Flash Scheduler and Adobe Flash Update. The malware also comes with its own certificate to disguise its HTTPS traffic, so that the web browser does not alert the user with errors. Furthermore, search queries entered by users prompt the malware to return fake search results that replace the real links with those obtained from a Google custom search. Essentially, computer users searching through the botnet will never know that they are being fed manipulated results, which ultimately grant the cybercrooks behind the scheme a payday by redirecting users to sites that load their AdSense advertisements. In essence, the scheme promotes click fraud.
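A defender's triage check for the persistence and local-proxy behaviour described above, as an added example that is not from the original article or from Bitdefender: it scans a registry export for the two value names the article mentions and for a browser proxy setting that points at the local machine. The Run and Internet Settings key locations, the function names and the sample export are assumptions made for illustration.

```python
import re

# Autostart value names the article reports the malware registers.
SUSPECT_NAMES = {"adobe flash scheduler", "adobe flash update"}
# Assumption (not stated in the article): the standard Windows Run and
# Internet Settings keys are the places worth checking.
RUN_SUFFIX = r"\microsoft\windows\currentversion\run"
INET_SUFFIX = r"\microsoft\windows\currentversion\internet settings"
PROXY_VALUES = {"proxyserver", "autoconfigurl"}
LOOPBACK = re.compile(
    r"(^|[/=;@])(127\.\d+\.\d+\.\d+|localhost|\[::1\])([:/;]|$)", re.I)

def parse_reg_export(text):
    """Yield (key, value_name, raw_data) from regedit / `reg export` text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
            if m:
                yield key, m.group(1), m.group(2)

def triage(text):
    findings = []  # (kind, key, value_name, data) tuples
    for key, name, data in parse_reg_export(text):
        k, n = key.lower(), name.lower()
        if k.endswith(RUN_SUFFIX) and n in SUSPECT_NAMES:
            findings.append(("autostart", key, name, data))
        elif k.endswith(INET_SUFFIX) and n in PROXY_VALUES:
            value = data.strip('"')
            if LOOPBACK.search(value):
                findings.append(("local-proxy", key, name, value))
    return findings

# Constructed sample (not real indicators). A real export is UTF-16:
# open(path, encoding="utf-16").read()
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\""
"Adobe Flash Update"="\"C:\\Users\\alice\\AppData\\Roaming\\constructed\\placeholder.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
"AutoConfigURL"="http://localhost:8080/constructed.pac"
'''
print(*triage(SAMPLE), sep="\n")
```

Findings are leads for review rather than verdicts, since legitimate software can also register similar names or configure a loopback proxy.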

Expert computer users may be able to spot the fake results because some of them lack the proper logos, such as those sent through a fake Google search. The attackers behind the botnet have gone out of their way to target densely populated areas, such as the USA, Malaysia, Greece, Italy, Brazil, Algeria and many other countries. So far, the botnet has claimed over 900,000 victims worldwide since its inception in September 2014.

Botnets like Million-Machine, which uses the Paco malware, are a growing concern for everyone, including search engine companies. In the past, we have seen a plethora of search engine results hijacked to return bogus results, either to redirect users to malicious sources or to drive traffic that racks up impressions on advertisements for monetary gain. As it turns out, the recent Million-Machine and Paco malware campaign uses the Google AdSense for Search program to drive up its impression and click counts on money-generating advertisements.

Hopefully, Google and other popular search engines will make additional efforts to crack down on cybercrooks who manipulate search results to drive traffic to sites that maliciously thrive on advertising revenue from clicks and impressions.

To avoid becoming the next victim of the Paco malware and its massive botnet, computer users should keep all software continually up to date and run a trusted antimalware or antivirus application to detect and remove such threats.
