New Trojan Software Swaps Google Ads For Malware

BitDefender says a new Trojan replaces Google AdSense text ads with ads from a different, potentially malicious provider.

Thomas Claburn, Editor at Large, Enterprise Mobility

December 18, 2007

2 Min Read
InformationWeek logo in a gray background | InformationWeek

New Trojan software has been found picking the pockets of Google and its publishing partners, and potentially exposing Web surfers to more malware.

BitDefender, a software security company based in Bucharest, Romania, on Tuesday said that it had detected a new Trojan (Trojan.Qhost.WU) that replaces Google AdSense text ads with ads from a different, potentially malicious provider.

"This is a serious situation that damages users and Webmasters alike," said Attila-Mihaly Balazs, a BitDefender virus analyst, in a statement. "Users are affected because the advertisements and/or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the Trojan takes away viewers and thus a possible money source from their Web sites."

Google said in an e-mailed statement that it is "committed to ensuring the safety and security of our users and our advertisers. We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies. We have canceled customer accounts that display ads re-directing users to malicious sites or that advertise a product violating our software principles."

The Trojan works by modifying the Hosts file on victims' computers. The Hosts file contains IP address and domain name data used to find resources on a network. By altering the Hosts file to redirect "page2.googlesyndication.com" to an IP address not affiliated with Google, the Trojan directs infected machines to load ads from an unauthorized server.

Over the past few years, advertising has come to look more and more like a security risk, a development that no doubt has helped to pique Google's interest in security. Some 80% of malicious code online comes from online ads, according to the Q1 2007 Web Trends Security Report published by Finjan, a computer security company.

In the past few days, Danish media company sites have been observed inadvertently serving ads containing malicious content. In November, DoubleClick was serving ads that installed Trojan software. In October, RealPlayer software was exploited through malware embedded in advertisements served by 247realmedia.com.

The issue, as Sun Belt Software CEO Alex Eckelberry described it last month, is that ad networks accept new clients without checking up on them. "This is not a trivial problem," he said in a blog post, "and the most important thing for publishers to do is to be extremely careful when accepting new advertisers (and be wary of tricks these people use, like giving fake references), and then keep a close eye on the advertising as it's running (and hopefully some good tools can be developed for publishers to use to check the content of ads for malicious redirects before posting)."

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights