Trojan Horse Produces Bogus, Risqué Google Ads

A Trojan horse program is churning out bogus Google ads promoting products Google eschews — gambling, cheap Viagra, girlie photos and adult dating.

The ads, being targeted at small publishers, are identical to Google AdSense ads except that referral graphic buttons are being converted to text, apparently due to a bug in the Trojan, according to the publisher who reportedly discovered the Trojan.

That publisher, Raoul Bangera, told Techshout that the non-contextual and risqué content of the ads is what sets them apart from regular AdSense ads.

"Contrary to the normal Google ads, which have some correlation to the content on the Web page, these malicious ads had no content that was remotely similar to the pages to which they had been attached," Techshout quotes Bangera as saying. "Most of the ads were about gambling or adult content, which are banned categories in Google AdSense, clearly indicating a suspicious origin."

According to Techshout, clicking on one of the fake AdSense ads bounces the user through three successive sites. The user is eventually dumped onto a page with a slew of ads and links to more ads.

Google's legitimate AdSense program works by paying Web site publishers to display content-relevant Google ads on their pages.

As of Tuesday, the fake ads put out by the Trojan were replacing sites' original ads, thus depriving publishers of AdSense-generated ad revenue.

A Google spokesperson said that, as of Friday, the company was still investigating the problem and that the ads are likely malicious in nature.

"These ads are not from Google and are likely the result of malicious software installed on a user's computer," he said in an e-mail exchange. "We're currently investigating the issue."

But as one reader pointed out in a response posted to Techshout's story, removing the malware may be a job better suited to the anti-spyware/anti-malware/anti-virus industry than to Google.

Neither Computer Associates, Symantec, VeriSign nor McAfee had been able to report that they were working on the problem by the time this story was posted.

"It appears we do not have sample on this and wouldn't be able to provide any meaningful info on this," said a spokesperson for McAfee.

Sam Curry, CA's vice president of eTrust Security Management, said in an e-mailed statement that CA isn't yet working with Google on the problem but that the company is assessing the threat independently.

"This insidious attack appears to very similar to Phishing attacks but with banner ads as the vector for infection and not e-mail," Curry wrote. "It appears to be camouflaged exceptionally well among legitimate ads and when combined with other forms of malware could prove a vector for worms, blended threats, spyware, Trojans and rootkits."

At any rate, this is just the latest in a string of exploits against Google's AdSense.

Microsoft Corp. researchers earlier this month uncovered a large-scale typo-squatting scheme that used multi-layer URL redirection to game AdSense.

The researchers uncovered the scam when extending the company's HoneyMonkey exploit detection system, a project that runs automatic and systematic Web scans to investigate the seedier side of the Internet.

With the new Strider Typo-Patrol System, the Microsoft Research Systems Management Research Group was able to track down a ring of typo-squatters registering misspelled domain names and generating traffic to serve advertising from Google.

In an earlier incident, Google reportedly blocked ads that attempted to exploit security holes in Internet Explorer.

In January 2005, it was discovered that AdWords were linking to sites with dangerous JavaScript for search terms such as "Preisvergleich" (price comparison) and "Gebraucht PC" (used PC).

Clicking on the links in IE triggered a JavaScript attempt to install spyware.

Finally, CA's Curry pointed to a March 2005 attack that was similar to the one now ongoing.

"This type of attack is far from unique," he said. "We've seen its likeness before."


Copyright © 2005 Ziff Davis Media Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission of Ziff Davis Media Inc. is prohibited.