Security researchers from F-Secure have identified a new Mac OS X click fraud trojan that hijacks Google searches by adding rogue entries to the system's hosts file.
The trojan is disguised as a fake Flash Player installer, so it is probably delivered through a social engineering lure that asks users to update Flash Player in order to view a video or something similar.
Once run on the system, the trojan modifies the operating system's hosts file and inserts entries that point Google's sites (www.google.com and its country-specific variants, www.google.*) to a rogue IP address under the attackers' control.
The hosts file (/etc/hosts on Mac OS X) maps hostnames to IP addresses statically. The resolver consults it before querying DNS, so any entry placed there takes precedence over whatever the system's configured DNS server would return.
This form of hosts-file hijacking is common on Windows, so the technique itself is not new. After the rogue entries are inserted, users trying to reach Google, including any of its local country sites, are served a spoofed copy of the www.google.com home page.
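A practitioner who suspects this kind of tampering will want to check the hosts file directly rather than trust what the browser shows. The script below is an added example, not code from F-Secure or from the trojan, and it makes a few assumptions: the hosts file is /etc/hosts (the Mac OS X default), and the sample content embedded in it is constructed for the example, with a documentation-range address (203.0.113.10, RFC 5737) standing in for the attackers' real server. It parses the hosts format (one address followed by one or more hostnames per line, `#` starting a comment) and flags any Google hostname that is mapped to an address other than loopback, unspecified or link-local.

```python
import ipaddress
import re
import sys
from typing import List, Tuple

# Constructed sample of a hosts file in the state the article describes:
# the stock Mac OS X loopback entries, followed by attacker-added lines that
# redirect www.google.com and several country-specific variants to one address.
# 203.0.113.10 is from the RFC 5737 documentation range and is an assumption,
# not the rogue address from the actual incident.
SAMPLE_HOSTS = """\
##
# Host Database
##
127.0.0.1       localhost
255.255.255.255 broadcasthost
::1             localhost
fe80::1%lo0     localhost
203.0.113.10    www.google.com
203.0.113.10    www.google.co.uk www.google.de www.google.fr
203.0.113.10    www.google.com.au   # trailing comment
"""

# Matches google.com, www.google.de, www.google.co.uk, www.google.com.au, ...
# i.e. the www.google.* pattern the article describes, without a wildcard
# (the hosts file has no wildcard support, so each hostname is a separate entry).
GOOGLE_HOST = re.compile(r"^(www\.)?google\.[a-z]{2,3}(\.[a-z]{2})?$", re.IGNORECASE)


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs from hosts-file text.

    Comments and blank lines are skipped, as are lines whose first field is
    not a valid IP address, so a malformed line cannot abort the scan.
    """
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            # Strip an IPv6 scope id such as the %lo0 in fe80::1%lo0.
            ipaddress.ip_address(fields[0].split("%", 1)[0])
        except ValueError:
            continue
        for host in fields[1:]:
            pairs.append((fields[0], host.lower()))
    return pairs


def is_local(addr: str) -> bool:
    """True for loopback, unspecified or link-local addresses, which are
    the only destinations a stock hosts file legitimately uses."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    return ip.is_loopback or ip.is_unspecified or ip.is_link_local


def find_hijacked_google_entries(text: str) -> List[Tuple[str, str]]:
    """Return the (address, hostname) pairs that send a Google hostname to a
    non-local address. A Google hostname pinned to 127.0.0.1 is deliberately
    not flagged: that is a common blocking technique, not the redirection
    to an attacker-controlled server that this trojan performs."""
    return [
        (addr, host)
        for addr, host in parse_hosts(text)
        if GOOGLE_HOST.match(host) and not is_local(addr)
    ]


if __name__ == "__main__":
    # Scan the real hosts file (or a path given on the command line) and
    # exit non-zero if anything suspicious is found, so the check can be
    # scripted.
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/hosts"
    with open(path, encoding="utf-8", errors="replace") as f:
        hits = find_hijacked_google_entries(f.read())
    for addr, host in hits:
        print(f"SUSPICIOUS: {host} -> {addr}")
    sys.exit(1 if hits else 0)
```

Run against the constructed sample, the scan reports all five redirected Google hostnames and their common destination; run against a clean Mac OS X hosts file it reports nothing. Because the trojan needs the hijack to be invisible, the address it uses will never be loopback, which is why the check keys on the destination rather than on the mere presence of a Google hostname.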
This is one visible sign that something is wrong: the local Google sites normally show buttons and links in the local language, but the spoofed page does not.
Searching for a keyword returns results in the order they appear on google.com, not the order the corresponding local version of the search engine would give. In addition, the layout of the results page does not reflect the site's recent redesign.
The results are altered so that clicking one also triggers a pop-up. These pop-ups normally contain ads, which is how the whole scheme is monetized.