According to Patrick Hinojosa, the chief technology officer at Panda, the worm could potentially earn a lot of money for sites embedded in the fake search results.
“This is a business; this is organized crime,” Hinojosa said. “People are making money on it.”
According to the latest studies from Panda, the “P2Load.a” worm modifies the Windows HOSTS file. When an infected user types in “Google.com,” or even a misspelled variation of the search engines in question, they are instead sent to a phony site originating in Germany. The program also installs a fake Google toolbar in a user’s browser.
Luis Corrons, director of Panda’s research facility, said in a statement that the worm focuses on giving sites illegal placement at the top of search results.
“The creator of this worm has taken advantage of the importance of a company appearing among the first few links in the search results of an Internet browser,” Corrons said. “Its aims are none other than to increase visits to the pages linked by the creator of this malware or earn an income from companies that want to appear in the first few results in computer where the identity of [a search engine] has been spoofed. In both case, the motivation of the author of this malware is purely financial.”
Hinojoa said the infected program that houses the worm is called PremiumSearch. The company has yet to determine how many machines have been infected with the worm, but have notified federal authorities in both the United States and in Germany, as well as the ISPs that originally hosted the program.
Representatives at the leading search engines have yet to comment on the worm.
This is not the first time Google has been targeted by hackers. In March a DNS cache infection sent Google traffic to hacker sites, just days before it was discovered that several variations of the Google.com web address sent users to fake sites hosted in Russia. Once on these sites, a surfer’s computer was infected with software designed to steal bank statements and other valuable personal data.