PandaLabs has discovered a worm that imitates Google’s homepage, retrieves search results the same way, but changes the sponsored links to the sites of the worm author’s choosing. Can you say, “evil genius,” boys and girls? I knew you could.
The worm is called P2Load.A, a kind of malware that spreads via P2P networks Shareaza and Imesh. The worm copies itself to the shared directory of the networks as an executable file called “Knights of the Old Republic 2.”
When the .exe file is run, an error message displays saying the file doesn’t exist and offers a download option. Once downloaded, the computer is infected and the worm modifies the start page, showing advertising, and spoofs Google. It looks like Google, runs like Google, but changes the sponsored search results.
This is done by modifying the HOSTS file on computers to redirect from Google to a counterfeit Google page, which is hosted by a server in Germany. The page is an exact copy and supports the same 17 languages of Google. It even allows for misspellings like “goggle” or “googel.”
“The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser,” explains Luis Corrons, director of PandaLabs. “Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computer where the identity of Google has been spoofed: in both cases, the motivation of the author of this malware is purely financial.”
PandaLabs has alerted both the ISP hosting the page and Google to problem.