New trojan targets Google ads

December 22, 2007

According to a warning from anti-virus vendor BitDefender, a new trojan named Trojan.Qhost.WU is making the rounds, hijacking Google text advertisements and replacing them with ads from a different provider. The threat works by modifying the hijacked computer's hosts file to redirect the initial queries to Google AdSense servers to a rogue server instead.1

Google AdSense is a service offered by Google which places advertisements in web pages according to the topics of the page. The embedding of advertisements is done by JavaScript: code on the page contacts the Google AdSense servers, which in turn deliver the targeted advertisements.2

The hosts file on a computer (usually located in the "%WINDIR%\System32\drivers\etc" directory on Windows-based systems) is used as the first step in the domain name translation process. If a domain name and a corresponding IP address are listed in this file, the computer does not bother contacting the external DNS server to request the IP address for that name; instead it uses the IP address stored locally in the file.2

What Trojan.Qhost.WU does is create an entry in the hosts file that maps pagead2.googlesyndication.com to a different (rogue) server. Rather than serving advertisements from Google, this server serves advertisements from a third-party service, which could link to sites that deliver malicious code.2
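The hijack described above leaves a visible trace: a hosts-file line that pins an ad-serving hostname to a routable address. As an added example (not code from the article, from BitDefender or from any vendor named here), the following Python script parses a hosts file the way the resolver reads it, ignoring comments and accepting several names per line, and reports any watched ad domain mapped to something other than a loopback or unspecified address (ad-blocking hosts lists legitimately pin such names to 127.0.0.1 or 0.0.0.0, so those are not flagged). Only pagead2.googlesyndication.com comes from the article; the other watched domains, the sample hosts content and the 203.0.113.45 address are constructed for the example.

```python
import ipaddress
import os

# Hostnames a legitimate hosts file should never route to a real server.
# pagead2.googlesyndication.com is the one named in the article; the other
# two are assumed examples of ad-serving hosts a checker might also watch.
WATCHED_DOMAINS = {
    "pagead2.googlesyndication.com",
    "googleads.g.doubleclick.net",
    "www.googleadservices.com",
}


def default_hosts_path():
    """Location of the hosts file: %WINDIR%\\System32\\drivers\\etc\\hosts on
    Windows, /etc/hosts elsewhere."""
    windir = os.environ.get("WINDIR")
    if windir:
        return os.path.join(windir, "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


def _is_blackhole(ip):
    """True for addresses that cannot reach a remote server (127.0.0.1, ::1,
    0.0.0.0); ad-blocking hosts lists use these, and they are not hijacks."""
    return ip.is_loopback or ip.is_unspecified


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, the way the resolver
    reads it: '#' starts a comment, and one IP may be followed by several
    names (canonical name plus aliases)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop inline comments
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # malformed line, skip it
        for name in fields[1:]:
            entries.append((ip, name.lower().rstrip(".")))
    return entries


def find_hijacks(text, watched=WATCHED_DOMAINS):
    """Return [(hostname, ip)] for watched domains pinned to a routable
    address, i.e. the pattern Trojan.Qhost.WU leaves behind."""
    hits = []
    for ip, name in parse_hosts(text):
        if name in watched and not _is_blackhole(ip):
            hits.append((name, str(ip)))
    return hits


# Constructed sample hosts file (not captured from a real infection).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# An ad-blocking list pinning a host to a blackhole address is not a hijack
0.0.0.0         ads.example.net
# What a Qhost-style entry looks like; the address is made up for the example
203.0.113.45    pagead2.googlesyndication.com   # added by trojan
"""


if __name__ == "__main__":
    # Scan the embedded sample; replace SAMPLE_HOSTS with
    # open(default_hosts_path()).read() to check the real file.
    for name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"WARNING: {name} is pinned to {ip} in the hosts file")
```

Reading the live file on Windows needs no special privilege, but cleaning it (removing the line) does, and a hijack that reappears after removal means the dropper is still resident.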

While the target may be a little different, this particular Trojan is another variation of typical phishing malware. Dmitri Alperovitch, principal research scientist with Secure Computing, explains that his company has been seeing attacks like this for the last two to three years, where the malware changes an internal setting to point the user to a different server.3

A more dangerous variant of the same principle is the Zlob virus, which infects users by masquerading as a video codec needed to view a particular video. The malware that is subsequently downloaded does not override the resolution of just one domain name; instead it changes the computer's DNS server configuration so that every lookup goes to DNS servers under the control of a malicious group.3

Over the past few years, advertising has come to look more and more like a security risk, a development that no doubt has helped to pique Google's interest in security. Some 80% of malicious code online comes from online ads, according to the Q1 2007 Web Trends Security Report published by Finjan, a computer security company.4

In the past few days, Danish media company sites have been observed inadvertently serving ads containing malicious content. In November, DoubleClick was serving ads that installed Trojan software. In October, RealPlayer software was exploited through malware embedded in advertisements served by 247realmedia.com.4

The issue, as Sunbelt Software CEO Alex Eckelberry described it last month, is that ad networks accept new clients without checking up on them. "This is not a trivial problem," he said in a blog post. "The most important thing for publishers to do is to be extremely careful when accepting new advertisers... and then keep a close eye on the advertising as it's running."4


1. "Trojan Hijacks Google Text Ads", eWeek, December 19, 2007

2. "Trojan.Qhost.WU", BitDefender, December 17, 2007

3. "Trojan Pulls a Fast One With Google Text Ads", TechNewsWorld, December 20, 2007

4. "New Trojan Software Swaps Google Ads For Malware", InformationWeek, December 19, 2007