It was only a matter of time before a trojan or virus targeted AdSense or YPN for malicious activity, and the time has come. A new trojan horse discovered by an Indian publisher replaces Google AdSense ads with its own ads, advertising sites including dating, sex, Viagra and weight loss. This trojan is very recent, because it converts not only regular AdSense ad units but also the Google AdSense and Firefox referrer buttons into text links.
Techshout.com reports that a new, deceptive Trojan Horse program has surfaced. The program is engineered to produce fake Google ads that are formatted to look like legitimate ones. The ads are incorporated in Google AdSense, the program that lets website owners display ads from Google’s list of advertisers. The Trojan Horse apparently downloads itself onto an unsuspecting computer through a web page and then replaces the original ads with its own set of malicious ads.
Techshout, which broke the story and also has quotes from Raoul Bangera, who discovered the new trojan, does not reveal the website that the computer was originally infected from, nor the name of the trojan horse. A quick scan of several security sites turns up no details on this particular threat. However, there have been previous cases of spyware that would overwrite AdSense ads.
The Google AdSense team did not confirm it was specifically a trojan, but did state they believed it was malicious software that Bangera had discovered.
Since the Trojan Horse makes the deceptive ads look like normal Google ads, the program was nearly impossible to detect by the general public. However, Raoul Bangera, an Indian web publisher, discovered the bogus program and contacted the Google AdSense team. Bangera emailed the team a number of cases, including various screenshots, log files of an infected computer and system files as proof. The AdSense team validated the news saying, “We can confirm from the screenshots that these are fake Google ads, formatted to look like legitimate ads. We agree that this phenomenon is likely the result of malicious software installed on your computer.”
There was no mention of whether YPN or other contextual ads on websites were being overwritten by this as well.
The ad units themselves look extremely similar to regular AdSense ad units, complete with the “Ads by Google” label, which has replaced the “Ads by Goooooogle” label that appears on the majority of regular publisher sites. And looking at the screenshots available at Techshout, it appears that the trojan even uses the site’s own ad unit color theme when it overrides the ads with its own.
More details should emerge over the next few days, particularly how widespread this threat actually is, or whether it is a more isolated threat infecting few users. A note to surfers: if you see types of ads (such as adult ads) appearing in AdSense ad units, even ones branded as Ads by Google, you could be a victim of this malicious software, and Google isn’t actually serving up these types of ads to you.