The Redirector.Paco Windows malware works by diverting traffic intended for the popular search engines to a malicious server, according to Bitdefender.
Search results are therefore unlikely to be those expected, and the malware is monetised by showing results that actually lead to ads that deliver pay-per-click AdSense revenue to the Bad Guys.
There are a few clues that all is not well with an infected computer. Bitdefender says the browser status bar may display messages such as "Waiting for proxy tunnel" or "Downloading proxy script," the search results take longer than usual to appear, and in the case of Google searches there's an absence of the usual multicoloured 'Goooooooooogle' above the page numbers near the foot of the results page.
These installers drop files and make registry modifications so that search traffic is redirected to the malicious server. The inclusion of a bogus root certificate means that the search traffic still seems to be protected by HTTPS. If the user takes the trouble to check the certificate it is apparent that all is not well ("The identity of this website has been verified by DO_NOT_TRUST_FiddlerRoot") - but who bothers to do that when visiting a search engine?
Scheduled tasks called "Adobe Flash Scheduler" and "Adobe Flash Update" are used to ensure the malware keeps running once it has gained a foothold.
Redirector.Paco was first detected in September 2014, and since then it has infected more than 900,000 computers worldwide. There have been some cases in Australia, but the most affected countries are India (by far), Malaysia and Greece, according to Bitdefender.
Bitdefender's analysis of Redirector.Paco can be seen here.