New malware replaces Google ads

A new type of malware roaming around the Internet takes aim at Google’s AdSense text advertisements, according to a report by eWeek. Word comes from anti-virus software vendor BitDefender, which uncovered a Trojan horse known as Trojan.Qhost.WU that affects Windows systems.

The Trojan works by modifying an infected system’s “hosts” file in order to make the system load up content from an unidentified third-party server instead of Google’s page2.googlesyndication.com ad server. BitDefender researcher Attila Balazs told eWeek the Trojan places users at further risk of infection, since ads on the third-party server could point to more malware. It also robs site owners of advertising revenue.

Users can easily check if they’re affected by opening up a Windows command prompt and typing in “ping pagead2.googlesyndication.com” without the quotes. BitDefender says the resulting IP fetched by the ping command will start with a 9 on an infected system.
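The hosts file can also be inspected directly instead of relying on ping. The following is an added example, not from BitDefender or eWeek. It flags any entry that pins the ad-server hostname and separates loopback block entries from redirects to another server. The sample file contents and its addresses are constructed, and the function names are illustrative.

```python
import ipaddress

# Hostname named in the article; extend with other names you want to watch.
WATCHED = {"pagead2.googlesyndication.com"}

# Constructed sample hosts file (addresses are documentation/test values).
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # user-added block entry
203.0.113.7     PageAd2.GoogleSyndication.com  # constructed redirect
203.0.113.7 tracker.example.org pagead2.googlesyndication.com.
not-an-ip       pagead2.googlesyndication.com
"""

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each usable mapping line."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address, so not a mapping
        # Hostnames are case-insensitive; drop a trailing root dot.
        names = [f.lower().rstrip(".") for f in fields[1:]]
        yield line_no, ip, names

def find_overrides(text, watched=WATCHED):
    """Return (line_no, name, ip, kind) for watched names in the file."""
    findings = []
    for line_no, ip, names in parse_hosts(text):
        for name in names:
            if name in watched:
                # Loopback/unspecified only blocks the name; any other
                # address sends the lookup to a different server.
                blocked = ip.is_loopback or ip.is_unspecified
                kind = "sinkhole" if blocked else "redirect"
                findings.append((line_no, name, str(ip), kind))
    return findings

if __name__ == "__main__":
    for finding in find_overrides(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its contents to `find_overrides` in place of the sample.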

Comments closed
    • ChrisDTC
    • 12 years ago

    If I ping the url it brings up an ip that starts with 209

    oh noes!

    • albundy
    • 12 years ago

    thanks, now i know what to add to adblock+

    • Shining Arcanine
    • 12 years ago

    The second paragraph should have “pagead2.googlesyndication.com” and not “page2.googlesyndication.com.”

    • indeego
    • 12 years ago

    I attempted to browse with ads. I’m amazed people put up with the incredible loss of bandwidth. Many pages take 1-3 seconds longer to load, easy. Since there are so many ad hacks going on they’ve left me with no other choice <.<

    • lucas1985
    • 12 years ago

    There are reports of malware using Google sponsored links to infect visitors to those links. This isn’t one of those reports. It’s simply an ad-clicker trojan.
    With Firefox + AdBlock Plus (and the EasyList subscription) + NoScript (use it also to control third-party plug-ins), you’re safe from malware exploiting ads, rotating banners and the such.

    • Pax-UX
    • 12 years ago

    I block flash + adware as it eats up the bandwidth… except of course TR… Oh! who am I kidding???

      • bthylafh
      • 12 years ago

      I block Flash everywhere now unless I specifically tell it to play; I couldn’t handle That One Ad on TR with the quivering background, and I didn’t want to just blanket-block TR’s ads, so…

      • JustAnEngineer
      • 12 years ago

      Right-click on the ABP stop sign icon on your status bar, or left click on the small down arrow next to the ABP stop sign icon on the tool bar.
      Select “Disable on techreport.com” or “Disable on this page only.”
      Tada!
      Your ABP icon should now be a green circle on that page.

    • JJCDAD
    • 12 years ago

    I must see thousands of Google ads per day. I have NEVER clicked on one. I guess I’m safe. 😉

    • SonicSilicon
    • 12 years ago

    The way I read the headline I thought that the AdSense text ads themselves had been replaced with malware, not replaced by malware to point elsewhere. It may get down to splitting hairs, but it certainly illustrates how easily a headline can be ambiguous. (Of course, these days, there are some media outlets that purport outright lies to get your attention, then follow up with the real story which could not be summarized by said headline >_> )

      • computron9000
      • 12 years ago

      That’s why I pointed out it was misleading. It suggests a number of things, which make it appear as though Google Ads = Dangerous Malware. I don’t think I was splitting hairs when I suggested it… there is a big distinction between “malware that propagates via Google ads and Google needs to do something about it,” and “some goofy program that adds a single text entry to your Windows hosts file.”

    • Meadows
    • 12 years ago

    The bigger the target, the more likely a hit becomes.

      • stmok
      • 12 years ago

      I find it amazing that people believe such nonsense about being attacked more, because you’re a bigger target or you’re popular.

      The fact is, it’s a pathetic excuse used in place for a system which is known for doing poorly in the area of security.

      Do you see this issue affect Linux, Mac, OS/2, BSD, BeOS, Solaris, etc?

      You’re attacked more, not because you’re a bigger target or popularity, but because you’re an EASIER target to hit than anyone else.

      I suggest you stop believing what PR and “marketing spin” people have to say, become a hacker or security researcher, and discover the truth yourself.

        • d2brothe
        • 12 years ago

        Yea…no…large targets make tempting targets. ALL software has bugs, even the most carefully written software does. I’m sure there exist linux and mac exploits, even if fewer than windows. You cannot therefore claim that the only reason they aren’t hit is because they are completely secure. It’s absurd to say size has nothing to do with it, and when it comes to something that can potentially make money, then it’s all about numbers.

        • dmjifn
        • 12 years ago

        Uh… show of hands for people getting Google AdSense ads on BeOS or OS2?

        Thought not.

      • indeego
      • 12 years ago

      Apache and IIS 7 are proving this wrong.

    • Nutmeg
    • 12 years ago

    Does NoScript stop this? I have most of those stupid google analytics and stuff blocked.

      • Shining Arcanine
      • 12 years ago

      NoScript does not stop the virus from modifying the hosts file, but Spybot should stop it if you have the Lock the Hosts file setting checked, although NoScript blocks Google’s advertisements unless you allow them to run.

    • computron9000
    • 12 years ago

    That’s a misleading headline. The implication of that headline seems to be that Google Ads, in particular, is vulnerable to this style of attack. Without understanding that virii / trojans have been editing the hosts file for years, you would assume this is Google’s fault.

    In reality, this issue is Microsoft’s.

      • Meadows
      • 12 years ago

      Split more hairs please.

        • stdPikachu
        • 12 years ago

        Eh?!

        Technically, this has absolutely nothing to do with google and everything to do with hosts file. He’s not splitting hairs, he’s pointing out that whatever ad server gets a hosts file entry is immaterial. Replace “google ads” with “doubleclick” and you still have exactly the same problem, which has incidentally been happening for years.

        !news

          • Shining Arcanine
          • 12 years ago

          You are right.

          • Madman
          • 12 years ago

          !news -> good one 😀 Now I know that C++ is my second language 😀

          • d2brothe
          • 12 years ago

          No…that’s not true…the headline is accurate. The malware is replacing google ads. The fact that it’s doing so through the hosts file is immaterial. The title says what it’s actually doing. Yes, they’ve been editing the host file for years…but this particular one is targeting and REPLACING google ads.
