GNU GPL malware?: Troj/JSRedir-AK

Yesterday, one of our technology partners Yandex notified us of some new malware. They use Sophos to scan webpages for malicious content while they scan the Internet and often report new threats.

The malware in question, Troj/JSRedir-AK, is appended to legitimate JavaScript and tries to look legitimate by using a comment to fool web admins.

See the comment:


in the picture below.

The code is obfuscated the line:

document.createElement(‘s&!c&#^)r^#(!i)@p#&t&)&^’.replace(/\(|\)|&|@|\$|\^|\!|#/ig, ”))

deobfuscates to:


The next few lines of code do the redirection to a webpage in Russia with the following legitimate strings in its URL:

  • google-com-ar
  • ip138-com

I suspect that this code is part of a larger hack and if you find this code on your website please send us samples of other recently modified files.