Web users with itchy fingers might be in for a shock when they click on a Google ad. Security researchers recently discovered a new Trojan that hijacks Google ads and replaces them with ads from a different provider.
The Trojan was discovered by security researchers at BitDefender, an antivirus software and data security provider. Researchers at the company identified the malware as Trojan.Qhost.WU.
"When Google loads the page, it loads ads but not the ones it's intended to provide," said Viorel Canja, who heads BitDefender Lab.
In general, the system automatically goes to the requested IP address whenever users try to reach a certain Web server, researchers explained. However, the IP address can be overwritten by adding a line to a new file, called a host.
The phony Google ads entice readers with links to movie reviews, blogs and online free courses. When users click on the ads, the modified file contains a line that redirects the host, which points the IP to a different address so that the infected machines' browsers read ads from the server at the replacement address instead of from Google's own ads.
BitDefender analysts maintain that users are affected because the phony ads might either contain malware or be linked to a site that contains malicious code, "which is a very likely situation, given that they are promoted using malware in the first place,'" said Attila-Mihaly Balazs, BitDefender virus analyst, in a written statement.
The virus also adversely affects Google by taking away viewers, which results in loss of revenue, BitDefender researchers said.
Security experts said that they have alerted Google to the problem. "Unfortunately, it's not something that [Google] can control. The Trojan works by modifying users' computers. [The ads] are just redirecting requests from users' computers," said Canja.
Security researchers have not yet determined if the ads are malicious. However, users are advised to keep their antivirus software updated.
