Crafty little redirect used by malware

Filed Under: Malware, SophosLabs

As discussed previously, redirection - the ability to guide/control user traffic - plays a critical role in today's malware [1]. In this post I will describe a crafty way of redirecting users from a web page. It is not new by any means, but it was seen again recently in the distribution of fake alert malware.

Our favourite-fake-alert-attackers (tm) have uploaded a whole series of malicious web pages packed with enticing keywords intended to catch user traffic. Numerous domains have been used, including some that were hosted on AOL servers [2]. Many of the pages follow standard templates, so are visually very similar:

[Keyword-stuff lure page]

Anyone browsing these pages is rapidly redirected to a fake alert malware distribution site. But looking at the source of the page, the cause of the redirect was not immediately obvious. All became clearer after analysing one of the scripts embedded in the page, a snippet of which is shown below.

[Screenshot of the embedded script snippet: redc-snippet.png]

A request for what looks to be an image file, but the response is passed immediately to the JavaScript engine via eval()? Mmm... Suspicion is justified if you look at the contents of the need2go.png 'image' file:

[Capture of need2go.png request]

Note the contents of this 'image' file:

location.href='http://[evil_site]'

Quite a simple little trick, but it does its job. It redirects the victim to the evil site, from where they are '302 redirected' [3] to the fake alert distribution site.
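The trick above gives a defender two cheap checks: a response fetched from an image-looking URL that carries no image magic bytes but does carry a JavaScript redirect, and page script that feeds a fetched response straight into eval(). The following is an added example of those checks, not code from the original post or from Sophos; the sample bodies and the XMLHttpRequest-style script are constructed here, and the eval(...responseText) pattern is an assumption about how such loaders commonly look.

```python
import re

# Magic bytes for common image formats. A body served from a .png/.gif/.jpg
# URL that starts with none of these deserves a closer look.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": (b"GIF87a", b"GIF89a"),
    "jpeg": b"\xff\xd8\xff",
}

# JavaScript redirect idioms: location.href=..., window.location=..., location.replace(...)
REDIRECT_RE = re.compile(
    rb"(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*="
    rb"|location\.(?:replace|assign)\s*\(",
    re.I,
)

# Assumed loader pattern: the body of an XMLHttpRequest response handed to eval().
EVAL_FETCH_RE = re.compile(rb"eval\s*\(\s*[\w.]*responseText", re.I)


def looks_like_image(body: bytes) -> bool:
    """True if the body begins with a known image signature."""
    return any(body.startswith(magic) for magic in IMAGE_MAGIC.values())


def inspect_image_response(url: str, content_type: str, body: bytes) -> list:
    """Return findings for a response fetched from an image-looking URL."""
    findings = []
    if not looks_like_image(body):
        findings.append(f"{url}: no image magic bytes (declared {content_type})")
    if REDIRECT_RE.search(body):
        findings.append(f"{url}: body contains a JavaScript redirect")
    return findings


def inspect_page_script(script: bytes) -> list:
    """Return findings for page script that evals a fetched response body."""
    if EVAL_FETCH_RE.search(script):
        return ["script passes an XMLHttpRequest response body to eval()"]
    return []


# Constructed samples (not captures from the post); [evil_site] is a placeholder.
SAMPLE_IMAGE = b"location.href='http://[evil_site]'"
SAMPLE_REAL_PNG = IMAGE_MAGIC["png"] + b"\x00\x00\x00\rIHDR"
SAMPLE_SCRIPT = b"var x=new XMLHttpRequest();x.open('GET','need2go.png',false);x.send();eval(x.responseText);"

if __name__ == "__main__":
    print(inspect_image_response("need2go.png", "image/png", SAMPLE_IMAGE))
    print(inspect_image_response("logo.png", "image/png", SAMPLE_REAL_PNG))
    print(inspect_page_script(SAMPLE_SCRIPT))
```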

[Capture of the 302 redirect: redc-capture2.png]

From here on, it is a case of familiar Antivirus 2009 territory.

[Screenshots of the fake alerts and fake scan: redc-alert.png, redc-alert2.png, redc-scan.png]

Thankfully, the redirection script is detected as Troj/JSRedir-C and the fake alert malware is being proactively detected as Mal/EncPk-CZ.

About the author

Fraser is one of the Principal Virus Researchers in SophosLabs. He has been working for Sophos since 2006, and his main interest is in web related threats.