Trojan Emits Bogus, Risqué Google AdSense Ads
By Lisa Vaas
December 30, 2005

Updated: A Trojan horse program is churning out bogus Google ads promoting products Google eschews—gambling, cheap Viagra, girlie photos and adult dating.


The ads, being targeted at small publishers, are identical to Google AdSense ads except that referral graphic buttons are being converted to text, apparently due to a bug in the Trojan, according to the publisher who reportedly discovered the Trojan.

That publisher, Raoul Bangera, told Techshout.com that the non-contextual and risqué content of the ads is what sets them apart from regular AdSense ads.

"Contrary to the normal Google ads, which have some correlation to the content on the Web page, these malicious ads had no content that was remotely similar to the pages to which they had been attached," Techshout quotes Bangera as saying.

"Most of the ads were about gambling or adult content, which are banned categories in Google AdSense, clearly indicating a suspicious origin."

According to Techshout, when users click on the fake AdSense ads, the ads boot them to three successive sites. The user is eventually dumped onto a page with a slew of ads and links to more ads.

Google's legitimate AdSense program works by paying Web site publishers to display content-relevant Google ads on their pages.

As of Tuesday, the fake ads put out by the Trojan were replacing sites' original ads, thus depriving publishers of AdSense-generated ad revenue.

A Google spokesperson said that, as of Friday, the company was still investigating the problem and that the ads are likely malicious in nature.

"These ads are not from Google and are likely the result of malicious software installed on a user's computer," he said in an e-mail exchange. "We're currently investigating the issue."

But as one reader pointed out when posting a response to Techshout's story, removing the malware may be a job better suited to the anti-spyware/anti-malware/anti-virus industry than to Google.



Neither Computer Associates, Symantec, VeriSign nor McAfee had been able to report that they were working on the problem by the time this story was posted.

"It appears we do not have a sample on this and wouldn't be able to provide any meaningful info on this," said a spokesperson for McAfee.

Sam Curry, CA's vice president of eTrust Security Management, said in an e-mailed statement that CA isn't yet working with Google on the problem but that the company is assessing the threat independently.

"This insidious attack appears to be very similar to phishing attacks but with banner ads as the vector for infection and not e-mail," Curry wrote. "It appears to be camouflaged exceptionally well among legitimate ads and when combined with other forms of malware could prove a vector for worms, blended threats, spyware, Trojans and rootkits."

At any rate, this is just the latest in a string of exploits against Google's AdSense. Microsoft Corp. researchers earlier this month uncovered a large-scale typo-squatting scheme that used multi-layer URL redirection to game AdSense.

The researchers uncovered the scam when extending the company's HoneyMonkey exploit detection system, a project that runs automatic and systematic Web scans to investigate the seedier side of the Internet.