Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 16th, 2008

Google Sponsored Links Offer Free Software And Install Malware

Researchers from Websense are reporting Google ads that lead to rogue software which secretly installs malware on users' PCs. Last week Websense found a download site offering Winrar, one of the most popular compression utilities, bundled with malware.

When it is time to find and download a copy of an application, Google is often used to help locate a download site. Recent Google searches for Winrar turned up sponsored links that offer a “spyware free” copy. Google users unfortunate enough to download and install that software are soon exposed to a program that makes changes to their PC’s hosts file. The installer also drops a malicious file named explore.exe in the Windows system32 folder, and then runs the executable. The malicious file uses the icon associated with Winrar SFX archives, and it sets itself to run at system start-up. From then on, every time users try to visit Google, Yahoo, and other popular sites, they are instead sent to an impostor site under the control of the attackers.
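The hosts-file change and the dropped file described above can both be checked for on a suspect machine. The following is an added example, not code from Websense or the original article; the watch list, function names and sample hosts content are constructed for illustration.

```python
import ipaddress
import os

# Sites the article names as redirected; extend for your environment (assumption).
WATCHED = ("google.com", "yahoo.com")

# Constructed sample hosts file; 203.0.113.0/24 and 192.0.2.0/24 are documentation ranges.
SAMPLE_HOSTS = """\
# sample hosts file (constructed)
127.0.0.1       localhost
203.0.113.10    www.google.com google.com   # redirect planted by installer
203.0.113.10    search.yahoo.com
0.0.0.0         ads.example.net
192.0.2.7       notgoogle.com
"""

def parse_hosts(text):
    """Yield (line number, ip, hostname) for each mapping, ignoring comments."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        for name in fields[1:]:
            yield lineno, ip, name.lower().rstrip(".")

def is_watched(name):
    """True for a watched domain or any of its subdomains."""
    return any(name == d or name.endswith("." + d) for d in WATCHED)

def suspicious_entries(text):
    """Return entries that point a watched site at a non-local address."""
    return [(n, str(ip), name) for n, ip, name in parse_hosts(text)
            if is_watched(name) and not (ip.is_loopback or ip.is_unspecified)]

def dropped_file_present(system_root):
    """Check for the explore.exe file the article says lands in system32."""
    return os.path.isfile(os.path.join(system_root, "System32", "explore.exe"))

if __name__ == "__main__":
    root = os.environ.get("SystemRoot", r"C:\Windows")
    hosts = os.path.join(root, "System32", "drivers", "etc", "hosts")
    text = open(hosts, errors="replace").read() if os.path.isfile(hosts) else SAMPLE_HOSTS
    for lineno, ip, name in suspicious_entries(text):
        print(f"hosts line {lineno}: {name} -> {ip}")
    print("explore.exe in System32:", dropped_file_present(root))
```

Any hit on a watched domain is worth investigating, since a clean Windows hosts file normally contains no entries for public search sites.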

After installing the infected program, users are interrupted with message boxes at one-minute intervals. Thinking that the system has been infected, and irritated at the constant interruption, they might next search for information about the infection using the text that appears in the pop-up message. On legitimate forums discussing this infection, they will find confirmation that they are infected. The malware itself offers a fake remedy in the form of a pointer to a fake site. This makes the scam very similar to ransomware techniques.

The malicious Winrar download site doesn’t use techniques such as search engine cache poisoning to get to the top results in Google. Instead, it uses Google’s advertising services directly. Clicking on the link redirects the user to a spoofed CNET site which offers to download a fake infected copy of Winrar.

The operation is another testament to the resourcefulness of those running rogue software scams. Rather than relying on zero-day vulnerabilities or hard-to-execute website hijackings, they often find it easier to snare their victims through legitimate ads placed on Google or elsewhere.

Websense, which first witnessed the scam last week, said the malicious Google links were still available when it posted this report on Sunday. A Google spokesman said the company is in the process of removing the offending sites from its ad network. “Google is committed to ensuring the safety and security of our users and our advertisers,” he said.
