Evil Google Ads

Robert sent us some nice analysis earlier today about some hostile ads he discovered at Google.  As best we can tell they are gone now, but here are his findings.

Searching for some free templates on Google may bring you nasty things you won't want:

Have a look at the first advertising link ""

All files there (all the same) are detected as:
AntiVir 07.07.2007 TR/Spy.BZub.JD.1
F-Secure 6.70.13260.0 07.07.2007 W32/Malware
Ikarus T3.1.1.8 07.07.2007 Trojan-Spy.Win32.Goldun.lw
Kaspersky 07.07.2007 Trojan-Spy.Win32.BZub.jd
Microsoft 1.2704 07.07.2007 TrojanDropper:Win32/Small.OT
Norman 5.80.02 07.06.2007 W32/Malware
Sophos 4.19.0 07.06.2007 Mal/Binder-C
Webwasher-Gateway 6.0.1 07.07.2007 Trojan.Spy.BZub.JD.1
After executing, the malware drops a file named:
It hooks as a BHO under CLSID:
To do so it looks for activated browser extensions:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main
"Enable Browser Extensions" = yes
It also ensures that IE can bypass the Windows Firewall:

\List "C:\Program Files\Internet Explorer\IEXPLORE.EXE" = C:\Program Files\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer
The keylogger function checks for banking logins and, if recognized, logs this information and sends it to a server.

Thanks, Robert!  Great job of analysis.

Marcus H. Sachs
Director, SANS Internet Storm Center
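As an added example, not part of the diary or of Robert's analysis, here is a small Python triage script that parses an offline registry export (.reg) and flags the three artifacts described above: a BHO registration, the "Enable Browser Extensions" setting, and an IEXPLORE.EXE entry in the firewall's authorized-applications list. The BHO and firewall key paths are the standard XP-era locations and are assumed here (the diary shows only the "\List" tail of the firewall key); the sample .reg text and the all-zero CLSID are constructed placeholders.

```python
# Constructed sample .reg export (not from the diary) carrying the three artifacts.
# The BHO and firewall key paths are assumed standard XP-era locations, and the
# all-zero CLSID is a placeholder because the diary omits the real one.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-0000-0000-0000-000000000000}]
@=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Enable Browser Extensions"="yes"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"
'''

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
FW_LIST_SUFFIX = r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List"


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}}; string values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files escape backslashes as "\\"; undo that on both sides
            keys[current][name.replace("\\\\", "\\")] = data.strip('"').replace("\\\\", "\\")
    return keys


def find_indicators(keys):
    """Return (tag, detail) pairs for each of the diary's registry artifacts."""
    findings = []
    for key, values in keys.items():
        if key.lower().startswith(BHO_KEY.lower() + "\\"):
            findings.append(("bho_registered", key.rsplit("\\", 1)[1]))
        if key.lower() == IE_MAIN.lower() and values.get("Enable Browser Extensions", "").lower() == "yes":
            findings.append(("browser_extensions_enabled", key))
        if key.lower().endswith(FW_LIST_SUFFIX.lower()):
            for name, data in values.items():
                # XP firewall entry format: <path>:<scope>:<Enabled|Disabled>:<description>
                parts = data.rsplit(":", 3)
                if name.lower().endswith("iexplore.exe") and len(parts) == 4 and parts[2].lower() == "enabled":
                    findings.append(("ie_firewall_exception", name))
    return findings
```

A BHO entry or an IE firewall exception is not malicious by itself; the script surfaces the combination so the CLSID and the dropped file can be checked against known-good software.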


ISC Handler
Jul 8th 2007