Updated: A Trojan horse program is churning out bogus Google ads promoting products Google eschews—gambling, cheap Viagra, girlie photos and adult dating.A Trojan horse program is churning out bogus Google ads promoting products Google eschews—gambling, cheap Viagra, girlie photos and adult dating.
The ads, being targeted at small publishers, are identical to Google AdSense ads except that referral graphic buttons are being converted to text, apparently due to a bug in the Trojan, according to the publisher who reportedly discovered the Trojan.
That publisher, Raoul Bangera, told Techshout.com that the non-contextual and risqué content of the ads are what set them apart from regular AdSense ads.
"Contrary to the normal Google ads, which have some correlation to the content on the Web page, these malicious ads had no content that was remotely similar to the pages to which they had been attached," Techshout quotes Bangera as saying.
"Most of the ads were about gambling or adult content, which are banned categories in Google AdSense, clearly indicating a suspicious origin."
According to Techshout, when users click on the fake AdSense ads, they boot the user to three successive sites. The user is eventually dumped onto a page with a slew of ads and links to more ads.
Googles legitimate AdSense program works by paying Web site publishers to display content-relevant Google ads on their pages.
As of Tuesday, the fake ads put out by the Trojan were replacing sites original ads, thus depriving publishers of AdSense-generated ad revenue.
A Google spokesperson said that, as of Friday, the company was still investigating the problem and that the ads are likely malicious in nature.
"These ads are not from Google and are likely the result of malicious software installed on a users computer," he said in an e-mail exchange. "Were currently investigating the issue."
But as one reader pointed out when posting a response to Techshouts story, its possible that the malware removal might be a job better suited for the anti-spyware/anti-malware/anti-virus industry, not for Google.
Neither Computer Associates, Symantec, VeriSign nor McAfee had been able to report that they were working on the problem by the time this story was posted.
"It appears we do not have sample on this and wouldnt be able to provide any meaningful info on this," said a spokesperson for McAfee.
CA Vice President, eTrust Security Management Sam Curry said in an e-mailed statement that CA as of yet isnt working with Google on the problem but that the company is assessing the threat independently.
"This insidious attack appears to very similar to Phishing attacks but with banner ads as the vector for infection and not e-mail," Curry wrote. "It appears to be camouflaged exceptionally well among legitimate ads and when combined with other forms of malware could prove a vector for worms, blended threats, spyware, Trojans and rootkits."
At any rate, this is just the latest in a string of exploits against Googles AdSense. Microsoft Corp. researchers earlier this month uncovered a large-scale typo-squatting scheme that used multi-layer URL redirection to game AdSense.
The researchers uncovered the scam when extending the companys HoneyMonkey exploit detection system, a project that runs automatic and systematic Web scans to investigate the seedier side of the Internet.
Click here to read more about the HoneyMonkey system.
With the new Strider Typo-Patrol System, the Microsoft Research Systems Management Research Group was able to track down a ring of typo-squatters registering misspelled domain names and generating traffic to serve advertising from Google.
In an earlier incident, Google reportedly blocked ads that attempted to exploit security holes in Internet Explorer.
In January 2005, it was discovered that AdWords were linking to sites with dangerous JavaScript for search terms such as "Preisvergleich" (price comparison) and "Gebraucht PC" (used PC).
Clicking on the links in IE triggered a JavaScript attempt to install spyware.
Finally, CAs Curry pointed to a March 2005 attack that was similar to the one now ongoing.
"This type of attack is far from unique," he said. "Weve seen its likeness before."
Editors Note: This story was updated to include comments from Google, CA and McAfee.
Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.
Network Security & Hardware 
