A new Trojan has been discovered in an unlikely place: Google ads. According to BitDefender, the Trojan is actively hijacking Google text ads and replacing them with ads from a different provider.
BitDefender, which named the threat Trojan.Qhost.WU, said the Trojan modifies the infected computer's hosts file, which controls domain mappings. The Trojan damages both users and webmasters because it takes away viewers and thus a possible money source from Web sites, BitDefender virus analyst Attila-Mihaly Balazs said in a statement.
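A defender can check for this kind of tampering by auditing the hosts file for entries that override DNS. The following is an added example, not BitDefender's code or part of the original article; the article does not name the hijacked domains, so the watchlist, hostnames and addresses below are constructed placeholders.

```python
import ipaddress

# Constructed sample hosts file; every name and address is a placeholder.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.45    ads.example.com  adserver.example.com  # constructed hijack entry
0.0.0.0         tracker.example.net
192.168.1.20    nas.home.lan
bad line without address
"""

WATCHLIST = {"ads.example.com"}  # hypothetical ad-serving hostnames to protect
LAN_NETS = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_hosts(text):
    """Yield (lineno, ip, [hostnames]) for each well-formed mapping line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()  # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address: malformed line, skip it
        yield lineno, ip, [h.lower().rstrip(".") for h in fields[1:]]


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (lineno, hostname, ip, reason) for entries that deserve review."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        sink = ip.is_loopback or ip.is_unspecified   # 127.x, ::1, 0.0.0.0
        lan = any(ip in net for net in LAN_NETS)     # ordinary local mappings
        for name in names:
            if name in watchlist:
                findings.append((lineno, name, str(ip), "watched name overridden"))
            elif not sink and not lan:
                findings.append((lineno, name, str(ip), "unexpected redirect"))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to audit is `%SystemRoot%\System32\drivers\etc\hosts`; on Linux and macOS it is `/etc/hosts`.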
These days, ads may not be such an unlikely place to find Trojans. In fact, according to the Q1 2007 Web Trends Security Report published by Finjan, a computer security company, some 80 percent of malicious code now comes from online ads.
Attacks on Ad Networks Common
The proof is in the incidents. Beyond the Google-targeted Trojan, Danish media company sites have reportedly been inadvertently serving ads with malicious content this week. And last month, DoubleClick was serving ads that installed Trojan software on victims' computers. Earlier, in October, malicious hackers targeted RealPlayer software, exploiting it through malware embedded in advertisements.
"Certainly using advertisements -- and banner ads in particular -- to distribute malicious code is not new. We've seen it become more and more common over the past year or so," said Oliver Friedrichs, director of Symantec's Security Response. Friedrichs recalled another recent attack in which ad syndicator 24/7 Real Media was compromised. Its ads were poisoned with a Trojan downloader.
"Simply by compromising one system on the ad syndicator's network, an attacker can distribute his malicious code to many thousands of Web sites and potentially the many millions of users who are visiting those Web sites," Friedrichs said.
Web Site Reputations Don't Protect
Symantec said it expects these sorts of ad-based attacks to continue in 2008. The simplicity and ease with which one person can deploy malicious code to many millions of users provide plenty of incentive for attackers to continue to pursue this strategy. Some attackers purchase banner ad space and modify the ad to link to malicious code, Friedrichs said, while at other times they go after ad syndication systems.
Relying on Web site reputation and using blacklists and other technologies to block known malicious sites is ineffective against ad-oriented attacks because consumers are visiting legitimate Web sites, including social media sites, e-commerce sites, and auction sites, Friedrichs said.
"In the past you would have been safe by avoiding the seedier sides of the Internet," Friedrichs said. "That's not enough anymore. You need to have not only antivirus software to protect yourself today, but also browser protection that prevents these types of Trojans from being installed on your computer."
Google was not immediately available for comment.