Proxy auto config (PAC) is a feature accepted by all modern browsers, according to Fabio Assolini, a lab expert at Kaspersky. It contains a function to redirect browsers to a specific proxy server. A proxy server is a computer that accesses the Internet on a computer user's behalf, and feeds it the results. Proxy servers are often used by systems administrators as a gateway between an organization's computers and the Internet, and PAC files are set on client machines so that they always access the Internet through a protected gateway.
"Unfortunately this simple and smart proxy technique is being largely used by Brazilian malware writers to redirect infected users to malicious hosts serving phishing pages of financial institutions," Assolini said. "After being infected by a Trojan banker, if a user tries to access some of the websites listed in the script, they will be redirected to a phishing domain hosted at the malicious proxy server."
Even browsers designed securely from the bottom up, such as Google's Chrome, are susceptible to this attack, which changes the file prefs.js to insert a malicious proxy before adding a malicious dynamic link library to always rewrite the proxy, if it is removed.
This attack is an interesting variation on a more conventional redirection attack involving the Windows Hosts file. This is a plain text file containing a list of Domain Name System lookups, which a Windows computer will refer to first, before trying to resolve a domain name using an external server. Malware that alters DNS entries in a Hosts file instructs a Windows computer to visit any malicious IP address that the attacker wants when the user types in a legitimate web address, such as one for an online bank, for example.