Trojan Hijacks Google Text Ads

BitDefender nabs a new Trojan commandeering Host files to deliver third-party advertising instead of Google's.

Malware authors are beginning to nibble at Google's text advertising money pie.

According to a warning from anti-virus vendor BitDefender, a new Trojan is making the rounds, hijacking Google text advertisements and replacing them with ads from a different provider.

The Trojan.Qhost.WU threat works by modifying the hijacked computer's Hosts file to redirect the initial query to the Google AdSense servers to a malicious host.

Instead of getting advertising content from Google's "" domain, the Trojan, discovered Dec. 17, instructs the infected machine to fetch ads from a different, third-party ad server, according to BitDefender virus researcher Attila Balazs.

BitDefender did not identify the rogue third-party ad server.

Balazs said the threat is a worry for Webmasters and end users.


"Users are affected because the advertisements and/or the linked sites may contain malicious code, which is a very likely situation, given that they are promoted using malware in the first place. Webmasters are affected because the Trojan takes away viewers and thus a possible money source from their websites," he said in a statement.

Over the past year, malicious hackers have turned their attention to ad networks as vehicles for drive-by malware downloads.

In November, security researchers found DoubleClick serving up massive amounts of ads for bogus anti-spyware programs in place of legitimate advertising. Before that, advertisements served by RealNetworks' RealPlayer were also used to exploit a zero-day software vulnerability.

Check out's Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK's Security Watch blog.