New Trojan Offers Google Update

A new Trojan poses as a Google toolbar update, but it's really a botnet trap

If you get an email from Google and follow its directions to update your toolbar, congratulations: You're now a bot.

The latest Google-related exploit, found by SurfControl, poses as a message from Google that takes users to a Website that's a replica of the popular search engine. Once you download the "update," however, you're "punk'd" by a Trojan into joining a spam botnet.

A bit of malformed code in the Trojan has kept it from spreading much, says Susan Larson, vice president of global threat analysis and research for SurfControl. The security company has seen just a handful of separate instances of the threat so far.

"We saw an executable that was malformed and wasn't operating properly," says Larson, who expects the Trojan to re-emerge in other iterations after the code is repaired. "And this code has been seen before."

Security experts say the clever look of this exploit may be new, but the attack mode is common. "This is simply a new variation of an old technique. Any semi-creative attacker is going to come up with a handful of new ways to do old things, like getting a bot installed on a PC," says Pete Lindstrom, research director for Spire Security. "We need to be catching this at the email gateway, not relying on any individual user."

This isn't the first time attackers have masqueraded as Google. Last year, a phishing email posing as a message from Google also offered toolbar updates via a link that loaded malware onto the user's system. Unlike the new bug, however, that exploit didn't direct the user to a fake Google Website, Larson says.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

  • SurfControl plc
  • Google (Nasdaq: GOOG)