
Google Ads being Hijacked

December 19, 2007

Google AdSense

A new Trojan that replaces Google text ads with ads from different providers has been spotted by BitDefender.

This malware uses the “hosts” file (located in the “%WINDIR%\System32\drivers\etc” directory) to redirect queries for the Google AdSense servers to a malicious host. The hosts file is consulted as the first step in name-to-IP translation, and if an entry is found there, the domain name server is not queried. The malware creates an entry redirecting pagead2.googlesyndication.com to a rogue server.

This server, rather than displaying advertisements from Google, displays advertisements from third-party services. This harms both users (because the advertisements and/or the linked sites may contain malicious code, a very likely situation given that they are promoted using malware in the first place) and webmasters (because it takes away viewers, and thus possible sources of income, from their websites).

To check if you are affected, you should issue the following command (from the command line or from Start -> Run):

ping -t pagead2.googlesyndication.com

The response should look similar to this:

Pinging pagead.l.google.com [6x.xxx.xxx.xxx] with 32 bytes of data:

where the x’s represent digits. If you are not infected, the first digit will be a 6 (as in the example). If you are infected, the first digit will be a 9.
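The ping test shows only the address the name resolves to; the hosts file entry described above can also be inspected directly. The following is an added example, not part of the original article: it parses hosts-file text and reports any entry that pins the ad-serving name to an address. The sample file content and the 192.0.2.x addresses are constructed for illustration.

```python
import os
import sys

# Domain named in the article; extend the set to watch other names.
WATCHED = {"pagead2.googlesyndication.com"}

def find_overrides(hosts_text, watched=WATCHED):
    """Return (line_no, ip, hostname) for each hosts entry that pins a watched name."""
    watched = {w.lower().rstrip(".") for w in watched}
    hits = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()   # drop comments
        fields = entry.split()                  # IP followed by one or more names
        if len(fields) < 2:
            continue
        ip, names = fields[0], fields[1:]
        for name in names:
            # Hostnames are case-insensitive and may carry a trailing dot.
            if name.lower().rstrip(".") in watched:
                hits.append((line_no, ip, name))
    return hits

# Constructed sample: 192.0.2.10 is a documentation address, not a real indicator.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# 192.0.2.99    pagead2.googlesyndication.com   (commented out, ignored)
192.0.2.10\tPageAd2.GoogleSyndication.com  other.example
"""

def default_hosts_path():
    """Build the hosts path from %WINDIR%, as given in the article."""
    windir = os.environ.get("WINDIR", r"C:\Windows")
    return os.path.join(windir, "System32", "drivers", "etc", "hosts")

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "--sample":
        text = SAMPLE_HOSTS
    else:
        with open(default_hosts_path(), encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    for line_no, ip, name in find_overrides(text):
        print(f"hosts line {line_no}: {name} pinned to {ip}")
```

Ad-blocking hosts lists also add entries for this name, typically pointing at 127.0.0.1 or 0.0.0.0; the case the article describes is an entry pointing at a routable address.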
