BitDefender Detects New Trojan that Hijacks Google Text Advertisements; Cuts into Google Revenues
December 2007
BUCHAREST, Romania, December 18, 2007 - BitDefender®, a global provider of award-winning antivirus software and data security solutions, announced today that BitDefender antivirus analysts have detected a new trojan, which hijacks Google text advertisements, replacing them with ads from a different provider. The threat, which is identified by BitDefender as Trojan.Qhost.WU, modifies the infected computers' Hosts file (a local storage for domain name / IP address mappings, which is consulted before domain name servers and is considered authoritative).
The modified file contains a line redirecting the host "page2.googlesyndication.com", which should point to an IP address of the form 6x.xxx.xxx.xxx, to a different address of the form 9x.xxx.xxx.xxx, so that the infected machines' browsers read ads from the server at the replacement address rather than from Google.
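A defender can audit a Hosts file for the kind of override described above. The following is an added example, not BitDefender's detection logic; the watched parent domain, the function names and the sample entries (using RFC 5737 documentation addresses) are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the page names only page2.googlesyndication.com; the parent
# domain is watched here so sibling hosts are covered as well.
WATCHED = ("googlesyndication.com",)

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in hosts-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # first field is not an IP: skip
        for name in fields[1:]:                 # one line may map several names
            yield line_no, ip, name.lower().rstrip(".")

def audit_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip, verdict) for watched names pinned locally."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if not any(name == d or name.endswith("." + d) for d in watched):
            continue
        # Loopback / 0.0.0.0 entries sinkhole the host; any other address
        # sends the browser to a third-party server, as the trojan does.
        verdict = "blocked" if (ip.is_loopback or ip.is_unspecified) else "redirected"
        findings.append((line_no, name, str(ip), verdict))
    return findings

# Constructed sample; addresses are documentation ranges, not real indicators.
SAMPLE = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
198.51.100.23   Page2.GoogleSyndication.com   # constructed hijack entry
0.0.0.0         pagead2.googlesyndication.com
192.0.2.10      intranet.example.test
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On Windows the file to feed in is `%SystemRoot%\System32\drivers\etc\hosts`; any "redirected" finding for an ad-serving domain warrants a malware scan of the machine.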
"This is a serious situation that damages users and webmasters alike," said Attila-Mihaly Balazs, a BitDefender virus analyst. Users are affected because the advertisements and/or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the trojan takes away viewers and thus a possible money source from their websites.
Users are advised to let BitDefender software delete the trojan. For further details on the ad-hijacking trojan, please visit BitDefender's Defense Portal site at: http://www.bitdefender.com/site/VirusInfo/realTimeReporting/.