Crafty little redirect used by malware

As discussed previously, redirection – the ability to guide or control user traffic – plays a critical role in today’s malware [1]. In this post I describe a crafty way of redirecting users away from a web page. It is not new by any means, but it has been seen again recently in the distribution of fake alert malware.

Our favourite-fake-alert-attackers ™ have uploaded a whole series of malicious web pages packed with enticing keywords intended to catch user traffic. Numerous domains have been used, including some that were hosted on AOL servers [2]. Many of the pages follow standard templates, so they are visually very similar:

[Keyword-stuff lure page]

Anyone browsing these pages is rapidly redirected to a fake alert malware distribution site. Looking at the page source, however, the cause of the redirect is not immediately obvious. It becomes clearer after analysing one of the scripts embedded in the page, a snippet of which is shown below.


A request for what looks like an image file, with the response passed straight to the JavaScript engine via eval()? Mmm… The suspicion is justified once you look at the contents of the need2go.png ‘image’ file:

[Capture of need2go.png request]

Note the contents of this ‘image’ file:


Quite a simple little trick, but it does its job. The ‘image’ is not an image at all but a script: eval() cares nothing for the file extension or the Content-Type the server sends, so the fetched text runs and redirects the victim to the evil site, from where they are ‘302 redirected’ [3] to the fake alert distribution site.


From here on, it is familiar Antivirus 2009 territory.




Thankfully, the redirection script is detected as Troj/JSRedir-C and the fake alert malware is being proactively detected as Mal/EncPk-CZ.