MALWARE

Trojan Pulls a Fast One With Google Text Ads

Print Version
E-Mail Article
Reprints

By Erika Morphy
TechNewsWorld
Part of the ECT News Network
12/20/07 2:29 PM PT

End users who click on seemingly legitimate Google ads may be at risk of infection by a Trojan that substitutes rogue ads for the real thing. Google and the companies that pay for genuine ads are also victimized, because the pretenders usurp traffic and potential revenue.


95% of email is spam. Want to spend more time on the other 5%? Google's hosted email security, powered by Postini, stops email threats before they reach your business. There is no installation or maintenance required, freeing you to focus on strategic activities. Watch our video to learn more.

Malware is replacing Google (Nasdaq: GOOG) Latest News about Google text ads with ads from another source, according to BitDefender. The virus , Trojan.Qhost.WU, is using the host's file to redirect the initial query sent to the Google Adsense servers to a malicious host, according to an advisory issued by the firm.

The host's file is the first step in the name/IP (Internet protocol) translation process; if an entry is located in this file, the domain name server is not queried. By supplying a false entry, the malware Free Trial. Security Software As A Service From Webroot. is able to redirect queries to a rogue server.

Who's at Risk

End users who click on the seemingly legitimate ads are at risk, as they likely carry additional malware. Google and the companies that pay for genuine ads are also victimized, because the pretenders usurp traffic and potential revenue.

To see if a computer has been infected with this virus, BitDefender advises users to investigate whether the host's file is providing local storage for domain name/IP mappings that contains a line redirecting the host to page2.googlesyndication.com.

From the command line or from Start-->Run, issue the following command: ping -t pagead2.googlesyndication.com. The response should look similar to this, according to BitDefender: Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data, where the x's represent digits.

"If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9," said BitDefender.

Trojan.Qhost.WU is not spreading fast and poses a "medium" risk of damage, according to the advisory.

Not Unusual

While the target may be a little different, this particular Trojan is just another variation of typical phishing malware, Dmitri Alperovitch, principal research scientist with Secure Computing, told TechNewsWorld.

"We have been seeing attacks like this for the last two to three years, where the virus changes the internal setting to point the user to a different server," he said.

At their core, all of these hack attacks intercept a resolution from the browsers to the DNS (domain name system) server via a simple modification to the Windows system file, he explained. "No query is made to the real DNS server."

A more dangerous variant is the Zlob virus, which infects users by masquerading as a video compression algorithm necessary to view a particular video.

The malware that is subsequently downloaded replaces resolutions not for just one domain name, but for an entire configuration of DNS servers under the control of a malicious group.

Social Networking Toolbox:
Talkback: Be the first to comment on this story.

Print Version E-Mail Article Reprints More by Erika Morphy   RSS

Related News Alerts

Google Activate Alert | Search Archives

Related Resources

Don't miss a story -- sign up for our FREE e-mail newsletters and view the latest headlines at a glance.
Tech News Flash [ View Sample ]
E-Commerce Minute [ View Sample ]
ECT News Network Weekly Newsletter [ View Sample ]