It appears even in "Remove rogue antivirus" query results pages

Aug 25, 2008 14:24 GMT

Links to a rogue security solution, XP Antivirus 2008, are being displayed by Google's AdSense. As we previously reported, AdSense serves malvertisements that lead the most unwary users to follow a link and download a piece of software that has nothing to do with its claimed purpose.

The rogue antivirus, instead of protecting the computer from further threats, triggers pop-ups and nagging warnings and presents false scan results in order to convince people to visit other websites that sell "specialized" products. At its core, malvertising exists to convince users to buy something. Until they realize that they need to remove the rogue security product, their machines remain exposed to a range of problems, such as unsolicited changes to the system, the reconfiguration of some browser features, the installation of add-ons that only bring more pop-ups and malvertising, and so on.

XP Antivirus 2008 has been described by the Sunbelt Malware Research Labs as presenting an elevated risk. Besides all the above-mentioned effects, elevated-risk software may also "collect, transmit, and share potentially sensitive data without adequate notice and consent". The rogue anti-spyware may well do that on affected machines, as it is installed via a trojan commonly known as Zlob.

This trojan allows attackers to remotely control the affected computers. Zlob starts every time Windows is loaded and can affect the entire computer, as the hijacker has control over all the processes on the victim machine. The attacker can either download additional malware or simply use the modifications XP Antivirus 2008 has already made to the system to gain full control of it.

The advertising for the fake antivirus is even displayed on search results pages for queries in which people ask how the rogue product can be removed, which raises further questions about the security of Google's advertising system.