BitDefender antivirus analysts detected a new trojan, which hijacks Google text advertisements, replacing them with ads from a different provider. The threat, which is identified by BitDefender as Trojan.Qhost.WU, modifies the infected computers’ Hosts file (a local storage for domain name / IP address mappings, which is consulted before domain name servers and is considered authoritative). The modified file contains a line redirecting the host
“page2.googlesyndication.com” which should point to an IP of the form 6x.xxx.xxx.xxx to a different address, of the form 9x.xxx.xxx.xxx, so that the infected machines’ browsers read ads from server at the replacement address rather than from Google. “This damages both users (because the advertisements and/or the linked sites may contain malicious code – a very likely situation, given that they are promoted using malware in the first place) and webmasters (because it takes away viewers and thus a possible money source from their websites)” declared virus analyst Attila-Mihaly Balazs for BitDefender.

No tag for this post.