Trojan Pulls a Fast One With Google Text Ads

Malware is replacing Google (Nasdaq: GOOG) text ads with ads from another source, according to BitDefender. The virus, Trojan.Qhost.WU, is using the host's file to redirect the initial query sent to the Google Adsense servers to a malicious host, according to an advisory issued by the firm.

The host's file is the first step in the name/IP (Internet protocol) translation process; if an entry is located in this file, the domain name server is not queried. By supplying a false entry, the malware is able to redirect queries to a rogue server.

Who's at Risk

End users who click on the seemingly legitimate ads are at risk, as they likely carry additional malware. Google and the companies that pay for genuine ads are also victimized, because the pretenders usurp traffic and potential revenue.

To see if a computer has been infected with this virus, BitDefender advises users to investigate whether the host's file is providing local storage for domain name/IP mappings that contains a line redirecting the host to page2.googlesyndication.com.

From the command line or from Start-->Run, issue the following command: ping -t pagead2.googlesyndication.com. The response should look similar to this, according to BitDefender: Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data, where the x's represent digits.

"If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9," said BitDefender.

Trojan.Qhost.WU is not spreading fast and poses a "medium" risk of damage, according to the advisory.

Not Unusual

While the target may be a little different, this particular Trojan is just another variation of typical phishing malware, Dmitri Alperovitch, principal research scientist with Secure Computing, told TechNewsWorld.

"We have been seeing attacks like this for the last two to three years, where the virus changes the internal setting to point the user to a different server," he said.

At their core, all of these hack attacks intercept a resolution from the browsers to the DNS (domain name system) server via a simple modification to the Windows system file, he explained. "No query is made to the real DNS server."

A more dangerous variant is the Zlob virus, which infects users by masquerading as a video compression algorithm necessary to view a particular video.

The malware that is subsequently downloaded replaces resolutions not for just one domain name, but for an entire configuration of DNS servers under the control of a malicious group.