WebProNews

A nefarious Trojan file that replaces Google's contextual text advertising with ads from a different provider could sneak into an unprotected machine.

The Trojan, identified by security software firm BitDefender as Trojan.Qhost.WU, goes after a target favored by many malware-passing criminals - the local hosts file.

By entering a line in the hosts file that redirects requests for page2.googlesyndication.com to a different IP address, BitDefender said the attacker can then deliver ads from that remote server in place of the ones that usually appear from Google.

Since browsers check the hosts file on the local machine first before going out to the Internet to find a match, the criminals passing the Trojan could send requests for the legitimate Google site to a fake one that dumps more malware on the visiting PC.

As a BitDefender analyst indicated, the Trojan in its current form deprives Google, and the sites that would normally display its advertising, from the ad views and revenue they would normally enjoy.

Similar hijacking caused a Canadian car auction winner to wire money to a fake seller. The buyer did not realize he had been victimized until after making payment; the car did not arrive.