Malware-infected WinRAR distributed through Google AdWords

Malware-infected WinRAR distributed through Google AdWords

Summary: Scammers are at it again - taking advantage of Google sponsored ads for acquiring traffic in order to redirect it to malware-infected copies of legitimate software. win.

SHARE:
TOPICS: Security
12

Fake Download Malware WinrarScammers are at it again - taking advantage of Google sponsored ads for acquiring traffic in order to redirect it to malware-infected copies of legitimate software. win.rar GmbH is warning users of an ongoing fraudulent AdWords campaign pushing a malware-infected copy of WinRAR, the popular archiving application. Starting from the basic fact that, both, legitimate and malicious users can purchase their visibility, the fake WinRAR release is only the tip of the iceberg.

Let's take a peek at the campaign impersonating Download.com -- impersonation is a form of flattery -- and discuss a separate campaign promising to deliver free copies of the free in general, WinRAR and WinZip, managed by a Zango adware affiliate.

Zango Winzip Google AdWordsUpon searching for WinRAR, the bogus ad appears at the top of the search results, with the actual fake Download.com site located at dreamcentury .cn/winrar.htm. Upon execution, the fake WinRAR sets the foundation for the second part of the scam, since the affected users would be periodically redirected to rogue security software sites, urging them to take action and disinfect themselves.

Zango Winzip Google AdWordsWinRAR is also impersonated in another currently active AdWords campaign, next to WinZip, with the second campaign operated by Zango affiliate, a well known adware vendor. Zango's campaign is naturally not delivering any copies of WinRAR or WinZip, instead it's pushing a copy of their toolbar taking advantage of fraudulent practices.

The participants in Zango's affiliate network and the rogue security software one, are generating revenues based on the number of installations, with the affiliate model's high payout rates as the main incentive for the introduction of new tactics.  And whereas Google's AdWords seems to be part of their ad budget in this particular case, sponsored ads are only part of the (fraudulent) marketing mix, with blackhat search engine optimization tactics remaining the traffic acquisition tactic of choice.

Topic: Security

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

12 comments
Log in or register to join the discussion
  • Time to use another search engine.

    Give those malware authors more work to get their goals accomplished.

    Or use 7zip. It has a RAR compressor in it so extraction isn't an issue.
    osreinstall
  • Just google searched it...

    Apparently google has already responded by disabling the ad's that normally display when searching for Winrar.
    JT82
    • Re: Just google searched it...

      It hasn't since the people behind it are taking advantage of full targeting potential of AdWords. So while it's visible to searchers of local Google's, it remains hidden from Google.com, depending on who they want to serve it to.

      The ads are both active at U.K's Google - google.co.uk
      ddanchev
  • The more the plumbing

    The easier it is to spring a leak
    Alan Smithie
  • Why does this surprise anybody?

    Fraudulent ads and scams have existed in "respectable" print media for eons. Google and other websites are just replacement media for newspapers and magazines in this respect; they don't actively qualify the products and services being advertised.

    Hopefully, they do pull ads when scams or fraudulent claims are reported to them. but just like newspapers, they can't revoke or "unpublish" some of the ad instances. They just do the best they can.

    I personally don't understand why people can't have a little sense when surfing the internet. We've had people bring laptops to us that were just crammed with malware and spyware, to the point of being unusable. Got a few people fired, too, because some of it came from surfing porn sites, which is a BIG no-no in our company.
    terry flores
  • I downloaded a macro making program

    The macro files that I made ended up being virus as per Panda and Trend Micro.
    BALTHOR
  • You mean it's not already a scam?

    I thought it was already a scam to force you to buy a compression GUI when 7zip offers better compression for free.
    CobraA1
    • 7Zip is good, true - but it does NOT pack RAR

      From http://www.7-zip.org/ - note the Unpacking only bit - right on the front page:
      Supported formats:
      Packing / unpacking: 7z, ZIP, GZIP, BZIP2 and TAR
      Unpacking only: ARJ, CAB, CHM, CPIO, DEB, DMG, HFS, ISO, LZH, LZMA, MSI, NSIS, RAR, RPM, UDF, WIM, XAR and Z.
      johnhaverysamuel
  • RE: Malware-infected WinRAR distributed through Google AdWords

    The US govt. needs to take Google to court if they're not immediately ending all known Malware ad word campaigns. A year in prison for Google's ceo ought to motivate them to be a bit more diligent!
    MooMooMooMooMoo
  • Just don't click on sponsored links

    Go for the links that are ranked by popularity, not the ones somebody paid to put at the top. That's been a rule of thumb for a long time - too bad many users haven't learned it.

    If people stopped suckering for the sponsored links, Google would have to take action in order to restore trust in them or advertisers would stop buying them.
    Greenknight_z
  • RE: Malware-infected WinRAR distributed through Google AdWords

    distributed that way from downloads.com as well

    Try IZARC
    jbristowe@...
  • RE: Malware-infected WinRAR distributed through Google AdWords

    Well done! Thank you very much for professional templates and community edition
    <a href="http://www.yuregininsesi.com">seslisohbet</a> <a href="http://www.yuregininsesi.com">seslichat</a>
    birumut