New Malware Redirects Google, MSN, And Yahoo Traffic

PremiumSearch installs a fake "Google" toolbar and sets the victim's browser home page to the PremiumSearch search engine. The goal is to collect traffic-dependent advertising income.

Thomas Claburn, Editor at Large, Enterprise Mobility

September 30, 2005

2 Min Read
InformationWeek logo in a gray background | InformationWeek

Security vendor Panda Software says it has detected new malicious adware, called PremiumSearch, that redirects attempts to reach Google, MSN, and Yahoo as a means to collect traffic-dependent advertising income.

"It takes you to one of these cheesy search pages," says Patrick Hinojosa, CTO of Panda Software. "Someone's [trying] to siphon traffic." The motivation, of course, is money.

PremiumSearch installs a malicious BHO (Browser Helper Object) on the victim's computer. It also installs a fake "Google" toolbar and sets the victim's browser home page to the PremiumSearch search engine, regardless of the setting displayed in the browser. Finally, it conducts what amounts to local DNS poisoning—it rewrites the HOSTS file on the victim's computer. This maps domain names that include Google.com, MSN.com, and Yahoo.com to an IP address hosting spoofed versions of those search engines.

The infection originates from visiting a particular Web page after being redirected from other pages that contain pirated software or porn. The page installs the following malware: PremiumSearch, WorldAntiSpy (adware that poses as spyware-detection software and offers to remove found threats for a fee), and Smitfraud (adware that displays popup ads).

Hinojosa says ISPs hosting versions of this Web page have been notified. That won't necessarily result in anything more than the removal of the malicious pages, because they're most likely hosted on a compromised or zombie PC. "It's a zombie, because [the malware distributors] never want it traced back to them," Hinojosa explains.

"These actions are financially motivated and aim to exploit the popularity of these search engines to increase visits to the pages with the altered results," PandaLabs director Luis Corrons says in a statement. "To avoid this kind of attack, it is vital that users have reliable antivirus protection and keep their systems up-to-date, as the vulnerabilities used have often been in existence for some time."

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights