New Worm Spoofs Google

Panda Software has identified a new P2P attack that launches a fraudulent version of Google in an attempt to make money.

Security researchers at Panda Software say they have discovered a new worm that generates a spoofed version of Google, the Webs most popular search engine.

The companys PandaLabs unit reported late Friday that it had identified a worm it has labeled as P2Load.A that creates a fake Google site, and launches adware on infected computers.

The security software maker, which is based in Bilbao, Spain, said that the attack spreads via peer-to-peer, or P2P, computer networks, specifically the Shareaza and Imesh programs.

Representatives for Google Inc., which is based in Mountain View, Calif., did not immediately return phone calls seeking comment on the virus. As the companys popularity has increased over the years, so have the number of attacks aimed at its users. For instance, the site was targeted in December 2004 by the so-called Santy worm, a virus that identifies potential victims by searching Google.

Panda said that the P2Load.A threat copies itself onto the shared directory of the P2P software as an executable file named after a Star Wars-themed video game, Knights of the Old Republic 2, and lures end users into launching the virus on their machines using a faked error message. Once the virus has been sprung, it immediately modifies the computers start page, launches the adware and spoofs Google.

As part of its delivery function, the P2Load.A attack modifies an infected computers Hosts file so that when an unsuspecting user attempts to call up the search engine, they are instead diverted to the mocked-up version of the site, which Panda said was hosted somewhere in Germany. The fraudulent page appears as an exact copy of Google and supports all 17 languages that the search site is offered in. The virus has also been designed to redirect people who mistype Googles URL into their browsers, and will pop up if someone mistakenly types,, or

/zimages/4/28571.gifTyposquatters target anti-virus vendors. Click here to read more.

When a system infected with P2Load.A runs a query on the faked Google page, they are presented with results that closely mirror the links that the actual search engine would offer. However, the site presents different advertisements than the real Google search site, including links to the same companies being touted in the threats malware element.

Panda indicated that the virus design could allow P2Load.A to be altered to spoof other Web pages, in that it modifies the Hosts file by replacing the original with a remote site download. Company officials said that, unlike attacks that merely look to cause trouble, the Google spoof is aimed directly at making money.

"The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser," Luis Corrons, director of PandaLabs, said in a statement. "Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computer where the identity of Google has been spoofed: In both cases, the motivation of the author of this malware is purely financial."

/zimages/4/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.