homepage Welcome to WebmasterWorld Guest from 54.167.10.244
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member
Home / Forums Index / Google / Google AdWords
Forum Library, Charter, Moderators: buckworks & eWhisper & skibum

Google AdWords Forum

    
Trojan Will Hijack Google Ads
engine




msg:3531246
 4:44 pm on Dec 19, 2007 (gmt 0)

A new Trojan that hijacks Google text ads and replaces them with ads from a different provider has been picked up by BitDefender.

The antivirus company has identified the threat as Trojan.Qhost.WU which modifies the infected computer's host file, a local storage for domain name/IP address mappings.

The infected machine's browser then reads advertisements from a server at the replacement address rather than from Google.

Trojan Will Hijack Google Ads [vnunet.com]

 

vincevincevince




msg:3531271
 4:58 pm on Dec 19, 2007 (gmt 0)

I've been trying to find out the IP address or addresses it adds to the HOSTS file. Does anyone have more useful information about this as it would be good to block as a sysadmin. All we're told is that it starts with a 9.

Would be interesting to find out what ads are running through that false IP, whether Google ads but for another account, or something else.

Perhaps this thread should be in Google Adsense not Google Adwords as it is the former which will be negatively affected to the great extent

LifeinAsia




msg:3531328
 6:00 pm on Dec 19, 2007 (gmt 0)

This isn't new- I actually had something like this on one of my computers months ago. I can't remember if I posted somethign about it, but others did last year: [webmasterworld.com...]

justageek




msg:3531415
 7:49 pm on Dec 19, 2007 (gmt 0)

The one I saw last year '[webmasterworld.com ]' did things a bit different than this one and I'm guessing we'll see more and more of these type things happening to Google.

I have to wonder how much Google loses in revenue given the fact that this stuff has been around for a while now. I also have to wonder what would happen if a mass infection really happened? All of Google revenue grinds to a halt? Would you be able to sell off stock fast enough before it tanked?

JAG

potentialgeek




msg:3531775
 7:12 am on Dec 20, 2007 (gmt 0)

Google needs to issue a public statement on this. And sue the living daylights out of the perpetrators!

Anyone get a screen capture of the replacement ads? That would really put a bee in Google's bonnet!

p/g

justageek




msg:3532001
 3:03 pm on Dec 20, 2007 (gmt 0)

And sue the living daylights out of the perpetrators!

Sue for what exactly? One persons virus is another persons tool. In my case I installed the toolbar that bypasses the ads and as far as I know I'm allowed to control what I see on my screen after it gets to me.

I do not agree with scumware, viruses and such that is installed without permission though. The folks who do that are indeed lower than whale crap.

JAG

adrianTNT




msg:3532222
 7:52 pm on Dec 20, 2007 (gmt 0)

I also seen (had) something similar a few months ago, it was easy to remove, it appeared in my IE under "ad-dons" and I just disabled it then deleted the file just to make sure.

It didn't cause any other problems that I noticed, it just replaced the Google ads with some others.

Avast 4 home edition didn't detect it at that time.

I started to check my browser when I saw on my own sites ads that I knew Google would not approve (vibrating errors kind of ads: "you won", "visitor number zzz", etc.).

Somebody probably became really rich with this smarty virus :)

8kobe




msg:3532235
 8:05 pm on Dec 20, 2007 (gmt 0)

What google should do is clearly state in their TOS that no one can replace another id with their own for any reason. Then people that do this wouldn't get any money. If they don't get any money then they will in the long run stop doing it. Plus it would open the people doing it to lawsuits. Sounds like Scumware to me.

adrianTNT




msg:3532259
 8:44 pm on Dec 20, 2007 (gmt 0)

Actually, the one I had and as I see its the same in the article... replaces the ads with different ads from another ads provider. It doesn't replace teh google publisher id. Right?!
They just had the exact size but there ware not Google ads.

brakkar




msg:3532272
 9:02 pm on Dec 20, 2007 (gmt 0)

I was infected by this virus back in 2006, over a year ago.

Read my whole story here:
[forum.kaspersky.com...]

I tried everything, when someone in the kaspersky forum finally asked me to publish my host file and identified that it was the cause.

I even contacted google adsense, they confirmed I had a problem, said I was infected by "something" but didn't care much to investigate about it, although this type of bug could have cost them millions of dollars with lots of people seing other ads.

Brakkar

adrianTNT




msg:3532295
 9:24 pm on Dec 20, 2007 (gmt 0)

Brakkar, do you know if Kaspersky finds it as a virus *now?

justageek




msg:3532305
 9:35 pm on Dec 20, 2007 (gmt 0)

I even contacted google adsense, they confirmed I had a problem, said I was infected by "something" but didn't care much to investigate about it, although this type of bug could have cost them millions of dollars with lots of people seing other ads.

They'd lose much more if the public knew how much their revenue stream is at risk from something as simple as a kidde hack. Perhaps it was safer to ignore and not admit the severity then but maybe it'll be addressed soon.

If a major network, that understood this, picked this thread up today and put it on the evening news the stock might be worth half what it is right now.

JAG

Rehan




msg:3532316
 9:49 pm on Dec 20, 2007 (gmt 0)

vince^3 wrote:
I've been trying to find out the IP address or addresses it adds to the HOSTS file. Does anyone have more useful information about this as it would be good to block as a sysadmin. All we're told is that it starts with a 9.

I'm assuming the IP shouldn't be posted publicly in the forum, so I sent you a sticky with some info.

brakkar




msg:3532322
 9:58 pm on Dec 20, 2007 (gmt 0)

Adrian: Kaspersky 6 is supposed to block unauthorized modifications of hosts files.

You can find the IP in my message over at the kaspersky forum.

monkeythumpa




msg:3533087
 10:48 pm on Dec 21, 2007 (gmt 0)

How do I advertise on this new network?

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Google / Google AdWords
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved