According to Joe Stewart, the malware specialist's director, the FFSearcher trojan centres around a downloadable widget available to webmasters from Google.
The widget generates a customised search box applet that can be embedded in web pages, so giving a direct access to the Google search engine - encouraging users to search and, of course, access sponsored web search URLs.
The trojan appears to re-route searches on an infected PC to My Web Way and away from Google. Although infected PC users think they are seeing search results from Google, the returned indices are routed via the My Web Way site, Infosecurity notes.
If users then click through on the AdSense ads - i.e. the paid-for search engine indices - My Web Way collects the revenue.
Google says it has been working with relevant internet authorities to block My Web Way and has been scanning Google AdSense accounts for web clicks that have resulted in revenue payments to accounts linked with the My Web Way portal.
The bad news about FFSearcher is that it is silent in operation, Infosecurity notes and, apart from Google, it is almost impossible to know that a user has been infected - unless their IT security software has been updated, and for the AdSense users, they are also unaware of being defrauded.
According to SecureWorks, with the FFSearcher trojan it may be tricky for search engine companies like Google to detect the fraud since the searching behaviour of users is no different than normal.
In his blog, Stewart says that FFSearcher undoubtedly raises the bar for the fraud detection teams working at the major search engines.
"It will be interesting to see how they combat it and other trojans using the same technique in the future."