Google Sponsored Links Offer Free Software And Install Malware
Researchers from Websense are reporting ads in Google that install rogue software that secretly installs malware on the PCs of its users. Last week Websense found a download site offering the compression utility Winrar, one of the most popular compression utilities, bound with malware.
When it is time to find and download a copy of an application, Google is often used to help locate a download site. Recent Google searches for Winrar turned up sponsored links that offer a “spyware free” copy. Google users unfortunate enough to download and install that software are soon exposed to a program that makes changes to their PC’s hosts file. The installer also drops a malicious file named explore.exe in the Windows system32 folder, and then runs the executable. The malicious file is associated with the icon used by Winrar SFX archives, and it binds to the system’s start-up. From then on, every time the users try to visit Google, Yahoo, and other popular sites, they are instead sent to an impostor site under the control of the attackers.
After installing the infected program, users are interrupted with message boxes at one minute intervals. Thinking that the system has been infected, and irritated at the constant interruption, they might next search for information about the infection using the text that appears in the pop-up message. Finding legitimate forums discussing this infection, they will find confirmation that they are infected. The malware itself offers a fake remedy in the form of a pointer to a fake site. This makes this scam very similar to ransomware techniques.
The malicious Winrar download site doesn’t use techniques such as search engine cache poisoning to get to the top results in Google. Instead, it uses Google’s advertising services directly. Clicking on the link redirects the user to a spoofed CNET Download.com site which offers to download a fake infected copy of Winrar.
The operation is another testament to the resourcefulness of those running rogue software scams. Rather than relying on zero-day vulnerabilities or hard-to-execute website hijackings, they often find it easier to snare their victims through legitimate ads placed on Google or elsewhere.
Websense, which first witnessed the scam last week, said the malicious Google links were still available when it posted this report on Sunday. A Google spokesman said the company is in the process of removing the offending sites from its ad network. “Google is committed to ensuring the safety and security of our users and our advertisers,” he said.
More on CyberInsecure:
Posts
Leave a Reply
Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.