As discussed previously, redirection – the ability to guide or control user traffic – plays a critical role in today’s malware. In this post I will describe a crafty way of redirecting users from a web page. Not new by any means, but seen again recently in the distribution of fake alert malware.
Our favourite-fake-alert-attackers ™ have uploaded a whole series of malicious web pages packed with enticing keywords intended to catch user traffic. Numerous domains have been used, including some that were hosted on AOL servers. Many of the pages follow standard templates, so they are visually very similar:
Anyone browsing these pages is rapidly redirected to a fake alert malware distribution site. But looking at the source for the page, the cause for the redirect was not immediately obvious. All became clearer after analysing one of the scripts embedded in the page, a snippet of which is shown below.
eval()? Mmm… The suspicion is justified once you look at the contents of the need2go.png ‘image’ file. Note what this ‘image’ actually contains:
Quite a simple little trick, but it does its job: the script fetched as an ‘image’ is plain JavaScript, and eval() runs it to redirect the victim to the evil site, from where they are ‘302 redirected’ to the fake alert distribution site.
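The two halves of this trick (a page script that fetches an ‘image’ and passes the response to eval(), and an ‘image’ file that is really script) are both cheap to detect. The following is an added example written for this post, not code from the original page or from the campaign it describes: it checks that a file served under a .png name begins with the PNG signature, scans it for redirect-style script tokens, and flags script blocks in a page that both reference an image URL and call eval(). The file name need2go.png comes from the post; the sample page, the sample file contents and the redirect.invalid URL are constructed for the example.

```python
import re

# Every PNG file begins with this fixed 8-byte signature.
PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Tokens typical of script used for client-side redirection. Any of these
# inside a file served as an image is a strong indicator of the trick.
SCRIPT_INDICATORS = (
    b"eval(",
    b"document.location",
    b"window.location",
    b"location.href",
    b"location.replace(",
    b"<script",
)


def has_png_signature(data: bytes) -> bool:
    """True if the data starts with the PNG magic bytes."""
    return data.startswith(PNG_SIGNATURE)


def find_script_indicators(data: bytes) -> list:
    """Return the script-like tokens present in the data, in a stable order."""
    return [tok.decode("ascii") for tok in SCRIPT_INDICATORS if tok in data]


def classify_image_file(name: str, data: bytes) -> dict:
    """Check that a file served under an image name really is an image.

    Two things are flagged: a .png that lacks the PNG signature, and any
    script-like content regardless of what the header says.
    """
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    signature_ok = has_png_signature(data) if ext == "png" else None
    indicators = find_script_indicators(data)
    return {
        "name": name,
        "signature_ok": signature_ok,
        "script_indicators": indicators,
        "suspicious": signature_ok is False or bool(indicators),
    }


# The loader half: a <script> block that names an image URL and calls eval().
_SCRIPT_BLOCK = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
_IMAGE_REF = re.compile(r"""['"][^'"]*\.(?:png|gif|jpe?g)['"]""", re.I)
_EVAL_CALL = re.compile(r"\beval\s*\(")


def find_eval_image_loaders(html: str) -> list:
    """Return the bodies of <script> blocks that reference an image URL and
    also call eval(); both together are the pattern seen in these pages."""
    return [
        body
        for body in _SCRIPT_BLOCK.findall(html)
        if _EVAL_CALL.search(body) and _IMAGE_REF.search(body)
    ]


# --- constructed samples, not captured from the campaign ---
GENUINE_PNG = PNG_SIGNATURE + b"\x00\x00\x00\rIHDR" + b"\x00" * 13
# A script masquerading as need2go.png; the destination is a placeholder.
FAKE_PNG = b'document.location = "http://redirect.invalid/go";'
SAMPLE_PAGE = """<html><body>
<script>
var x = new XMLHttpRequest();
x.open("GET", "need2go.png", false);
x.send(null);
eval(x.responseText);
</script>
<script>var harmless = 1;</script>
</body></html>"""

if __name__ == "__main__":
    print(classify_image_file("logo.png", GENUINE_PNG))
    print(classify_image_file("need2go.png", FAKE_PNG))
    print(len(find_eval_image_loaders(SAMPLE_PAGE)), "suspicious loader script(s)")
```

The signature check alone is enough to catch this particular sample, but the token scan is kept because a real PNG can carry appended script after a valid header; in a proxy or web-filter context the same checks apply to the response body against its Content-Type rather than the file extension.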
From here on, it is a case of familiar Antivirus 2009 territory.