Google’s AdWords hijacked by malware

19 Dec 2007

BitDefender, a Romania-based online security company, has discovered a new form of Trojan malware that hijacks Google’s AdWords, its text-based advertisements, and replaces them with ads from other third-party sites, causing the company to lose click-through advertising revenue.

The malicious software, Trojan.Qhost.WU, does this by changing details in the infected computer’s files, causing it to point to a new web address rather than display Google’s AdWords.

“This is a serious situation that damages users and webmasters alike,” said Attila-Mihaly Balazs, a BitDefender virus analyst.

“Users are affected because the advertisements and/or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the Trojan takes away viewers and thus a possible money source from their websites.”

“Most likely the creators of the Trojan make money off it through ad revenue, so they are probably redirecting the Google ads to other ads they get paid for (probably to an account with false details),” an Irish white-hat hacker who wishes to remain anonymous told

For Google users concerned that this Trojan may affect their system, the white-hat hacker explained that the easiest way to tell is to check the hosts file, which is at c:\windows\system32\drivers\etc\hosts.

This way, a user can tell that they are infected if an entry in this file replaces ‘localhost’ with an actual IP address, one that points to a different provider and not Google’s AdWords.
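The hosts-file check described above, as an added example that is not part of the original article: a Python sketch that lists every entry mapping a hostname to a non-loopback address so it can be reviewed. The watchlist domain, the sample entries and the function names are constructed for illustration; only the file path comes from the article.

```python
import ipaddress
import os

HOSTS_PATH = r"c:\windows\system32\drivers\etc\hosts"  # path given in the article

# Constructed sample hosts file; hostnames and addresses are illustrative only.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    ads.example.com      # constructed redirect entry
0.0.0.0         tracker.example.net
198.51.100.7    intranet.example.org
not-an-ip       broken.example.com
"""

def parse_hosts(text):
    """Yield (line number, address, hostnames) for each mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments
        fields = line.split()
        if len(fields) >= 2:
            yield lineno, fields[0], [h.lower().rstrip(".") for h in fields[1:]]

def audit_hosts(text, watchlist=()):
    """Return entries that send a hostname to a non-local address."""
    watch = {w.lower() for w in watchlist}
    findings = []
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, addr, names, "malformed"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # localhost and 0.0.0.0 sink entries stay on the machine
        hit = any(n == w or n.endswith("." + w) for n in names for w in watch)
        findings.append((lineno, addr, names, "watchlisted" if hit else "review"))
    return findings

if __name__ == "__main__":
    text = SAMPLE_HOSTS
    if os.path.exists(HOSTS_PATH):            # use the real file when present
        with open(HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    # "example.com" stands in for the ad-serving domains you care about (assumption).
    for lineno, addr, names, verdict in audit_hosts(text, ["example.com"]):
        print(f"line {lineno}: {addr} -> {', '.join(names)} [{verdict}]")
```

A "review" verdict is not proof of infection, since administrators add legitimate hosts entries; it marks the lines a person should account for.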

“The BitDefender software seems to have been first off the mark on this one, but I’d say most anti-virus should pick up on this soon; Spybot Search and Destroy and many other anti-virus/anti-spyware software would alert the user if an attempt was made to modify the host file anyway,” he added.

By Marie Boran