BitDefender, a software security company based in Bucharest, Romania, on Tuesday said that it had detected a new Trojan (Trojan.Qhost.WU) that replaces Google AdSense text ads with ads from a different, potentially malicious provider.
"This is a serious situation that damages users and Webmasters alike," said Attila-Mihaly Balazs, a BitDefender virus analyst, in a statement. "Users are affected because the advertisements and/or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the Trojan takes away viewers and thus a possible money source from their Web sites."
Google said in an e-mailed statement that it is "committed to ensuring the safety and security of our users and our advertisers. We actively work to detect and remove sites that serve malware in both our ad network and in our search results. We have manual and automated processes in place to detect and enforce these policies. We have canceled customer accounts that display ads re-directing users to malicious sites or that advertise a product violating our software principles."
The Trojan works by modifying the Hosts file on victims' computers. The Hosts file contains IP address and domain name data used to find resources on a network. By altering the Hosts file to redirect "page2.googlesyndication.com" to an IP address not affiliated with Google, the Trojan directs infected machines to load ads from an unauthorized server.
Over the past few years, advertising has come to look more and more like a security risk, a development that no doubt has helped to pique Google's interest in security. Some 80% of malicious code online comes from online ads, according to the Q1 2007 Web Trends Security Report published by Finjan, a computer security company.
In the past few days, Danish media company sites have been observed inadvertently serving ads containing malicious content. In November, DoubleClick was serving ads that installed Trojan software. In October, RealPlayer software was exploited through malware embedded in advertisements served by 247realmedia.com.
The issue, as Sun Belt Software CEO Alex Eckelberry described it last month, is that ad networks accept new clients without checking up on them. "This is not a trivial problem," he said in a blog post, "and the most important thing for publishers to do is to be extremely careful when accepting new advertisers (and be wary of tricks these people use, like giving fake references), and then keep a close eye on the advertising as it's running (and hopefully some good tools can be developed for publishers to use to check the content of ads for malicious redirects before posting)."