This was bound to happen.
This morning, Online Media Daily reported the existence of a new Trojan Horse exploit that replaces Google Ads displayed in a user's browser with ads from some other source. Needless to say, advertisers who rely on AdWords are concerned.
At Profit Rank, we think this is certainly a development that bears watching... but we anticipate that the actual effect of this exploit will be insignificantly small.
In the IT world, a Trojan Horse ("trojan," for short) is a program that gets into a user's computer by promising to do one thing, but then winds up doing something completely different. An example that happens all the time is the downloadable game that—when the user installs it—also installs software that tracks the user's activities and displays pop-up ads on the user's machine.
Here are a few key aspects of trojans:
- They aren't viruses. To use the disease metaphor, viruses are accidentally spread by contact among users (e-mail and such). The only way to get a trojan is by installing software acquired from a risky location. It's like food poisoning: stay out of sketchy eateries and you're a lot less likely to get it.
- They're complicated. Unlike a virus, which has to be pretty small (and thus simple) to slip past a computer's defenses, a trojan rides inside a big piece of software. A trojan often has more bells and whistles than the program it rode in on.
- They're insidious. Because they ride along with a program explicitly installed by the user, trojans often simply bypass a lot of the security measures designed to keep malware out of a machine. It's like the old movie-house vampire legend: they can't come into your house unless you invite them in... but once they're in, they're IN.
- They're dangerous. Viruses emphasize transmission over function... if a virus isn't sufficiently communicable, it'll die out. Trojans are harder to catch, but are VERY functional. They hide in your machine and do stuff. And, even though their slow transmission produces an incentive not to harm the host, most trojan programmers aren't exactly careful, either. Like any sloppily-designed piece of software, a trojan has the potential to produce all sorts of unintended negative consequences in a user's machine... particularly since trojans remain covert by bypassing the very operating-system services that are designed to prevent unintended consequences in the first place.
That's all very bad stuff. In the case under discussion, what the trojan does is to wait around for the user's browser to load a web page that contains a Google AdSense script, which displays AdWords ads. When that happens, the trojan reaches in and alters the AdSense script to point to a different server... which serves up content that looks just like an AdWords ad unit, but puts money in the author's pocket.
It's a slick approach, but one that's ultimately doomed. Here's why:
- Google is a behemoth with a market cap worth almost a quarter of a TRILLION dollars... and AdWords is a major piece of their bread & butter. According to the OMD article, Google isn't talking about the new trojan, but you can bet they're all over the problem with NO expense spared.
- In order to accomplish its function, this trojan HAS to expose itself. There are easily a dozen straightforward ways an anti-virus program—like Norton Antivirus or Windows Defender—could detect its existence and stop it in its tracks.
- Remember, trojans don't spread from user to user. The only way to catch this bug is by engaging in lots of risky behavior on sketchy websites. The demographic that does most of that—kids—may be a lucrative one, but the same behavior also opens the door to lots of other bugs that will effectively destroy a machine in short order. Which also destroys the trojan... and more or less guarantees a prophylactic anti-virus installation when the system is rebuilt.
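In the same spirit as the detection point above, here is an added example (not from the OMD article, Google, or any anti-virus vendor) of a check that audits rendered page markup for an ad loader pointing at an unexpected server. It assumes `pagead2.googlesyndication.com` and `/pagead/show_ads.js` are the legitimate AdSense loader host and path; the sample markup, `publisher.example` and `ads.example.net` are constructed.

```javascript
// Assumptions (not from the article): the allowlisted host and loader path.
const EXPECTED_AD_HOSTS = new Set(["pagead2.googlesyndication.com"]);
const AD_LOADER_PATH = /\/pagead\/show_ads\.js$/;

// Absolute URL of every external <script> in the markup.
function scriptUrls(html, pageUrl) {
  const urls = [];
  const tag = /<script\b[^>]*\ssrc\s*=\s*["']?([^"'\s>]+)/gi;
  for (const m of html.matchAll(tag)) {
    try {
      urls.push(new URL(m[1], pageUrl)); // handles relative and //host/ forms
    } catch {
      // src that does not parse as a URL: nothing to compare, skip it
    }
  }
  return urls;
}

// Report ad loaders served from a host outside the allowlist, and ad slots
// that are configured but have no loader from an allowlisted host at all.
function auditAdScripts(html, pageUrl) {
  const findings = [];
  let trustedLoader = false;
  for (const u of scriptUrls(html, pageUrl)) {
    if (!AD_LOADER_PATH.test(u.pathname)) continue;
    if (EXPECTED_AD_HOSTS.has(u.hostname)) trustedLoader = true;
    else findings.push({ type: "loader-from-unexpected-host", host: u.hostname });
  }
  const slotConfigured = /google_ad_client\s*=/.test(html);
  if (slotConfigured && !trustedLoader && findings.length === 0) {
    findings.push({ type: "ad-slot-without-trusted-loader" });
  }
  return findings;
}

// Constructed sample markup (not captured from any real page).
const PAGE = "https://publisher.example/article";
const SLOT = '<script>google_ad_client = "pub-0000000000000000";</script>\n';
const CLEAN = SLOT + '<script src="//pagead2.googlesyndication.com/pagead/show_ads.js"></script>';
const TAMPERED = SLOT + '<script src="http://ads.example.net/pagead/show_ads.js"></script>';
const REPLACED = SLOT + '<script src="http://ads.example.net/unit.js"></script>';

for (const [name, html] of [["clean", CLEAN], ["tampered", TAMPERED], ["replaced", REPLACED]]) {
  console.log(name, JSON.stringify(auditAdScripts(html, PAGE)));
}
```

The second finding type matters because a swapped loader need not keep the original file name: an ad slot with no allowlisted loader is suspicious on its own.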
Don't get me wrong. The creator of Trojan.Qhost.WU may have made a LOT of money and have laughed all the way to the bank. But in terms of the overall AdWords spend, that number will be vanishingly small... and when this hole gets closed, it's going to be closed so tight that NOBODY else is going to get in.
The bottom line: by the time the OMD article went to press, this issue was almost certainly well on its way to the dustbin of hacker history.