Hey guys very interesting

[Kayrac]

So i been busy lately, but i came around to look around a bit today and i came acrost a thread at dslreports, that i don't understand at all

Basically it involves a user looking for 'davieshardware' which is located at davieshardware.com

He used google, and when visiting davies hardware through google he gets redirected to a rogue antivirus website

Now a few other people did a little research before i saw this and they came acrost the fact that visiting davieshardware.com directly loads the regular website, but if you spoof the referrer to be google.com or yahoo.com or msn.com it redirects you to the malicious website(basically if you come from a search engine your screwed)

Now i decided to take a peek at it but i can't find out 'exactly' whats causing it, the only thing that stands out is this

Code: [Select]

<script language="JavaScript" type="text/JavaScript">
<!--
function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_swapImgRestore() { //v3.0
  var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_findObj(n, d) { //v4.01
  var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
  if(!x && d.getElementById) x=d.getElementById(n); return x;
}

function MM_swapImage() { //v3.0
  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
   if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
//-->
</script>
but i can't make sense of it, is that whats causing it?

-Brian

[sowhat-x]

Googling for '/in.html?s=ipw2' reveals the trick...
http://www.google.com/search?hl=en&q=%2Fin.html%3Fs%3Dipw2

Specifically...
http://www.askdavetaylor.com/how_people_hack_apache_web_server_rewrite_rules.html
http://groups.google.com/group/Google_Webmaster_Help-Indexing/browse_thread/thread/5c88685d9ad23a76/0cd2cafd907a0380

And the malware links in question...
hxxp://87.248.180.90/in.html?s=ipw2
hxxp://soft-upgrade-network.com/antivirus.v.1.0.20586.exe

[SysAdMini]

The redirection has nothing to do with your posted script.
It's probably done by apache module mod_rewrite.


With referer www.google.com

Code: [Select]

HTTP/1.1 302 Found
Date: Mon, 08 Sep 2008 11:20:10 GMT
Content-Type: text/html; charset=iso-8859-1
Transfer-Encoding: chunked
Connection: keep-alive
Server: Apache
Location: http://87.248.180.90/in.html?s=ipw2

HTTP/1.1 302 Found
Date: Mon, 08 Sep 2008 11:23:23 GMT
Server: Apache/1.3.39 (Unix) PHP/5.2.5 with Suhosin-Patch
X-Powered-By: PHP/5.2.5
Set-Cookie: visited=1
Location: http://winxp-antivir-on-line-scan.com/1/?id=20586
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

HTTP/1.1 200 OK
Date: Mon, 08 Sep 2008 11:20:12 GMT
Server: Apache/1.3.41 (Unix) PHP/5.2.6
X-Powered-By: PHP/5.2.6
Set-Cookie: PHPSESSID=63d3450e00bcffd8ddc9ef19d74473f7; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html


<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-2"><title>Windows Antivirus</title>
<script>var mw_texts = new Array();</script>
<script>var install_link = 'http://soft-upgrade-network.com/antivirus.v.1.0.20586.exe';</script>
<script language="javascript" src="images/brand_co.js"></script>
<script language="javascript" src="images/mouse_te.js"></script>
<link href="images/pre_load.css" rel="stylesheet" type="text/css">
 <script language=javascript>if(self.parent.frames.length!=0){self.parent.location=document.location}</script><script language=javascript>window.moveTo(0, 0); window.resizeTo(screen.availWidth, screen.availHeight);</script> <link href="images/window00.css" rel="stylesheet" type="text/css">
<link href="images/this_lan.css" rel="stylesheet" type="text/css">
<link href="images/translat.css" rel="stylesheet" type="text/css">
</head>
<body>

<div id="preloader"></div>
<script language="javascript" src="images/mouse_bl.js"></script>
<div class="mw_final_win" id="mw_results_window">
<a class="mw_final_res" href="javascript:install_begun();"></a>
</div>

<div class="mw_window" id="mw_main_win">
<div class="mw_win_body">
<!--plaz-->
<div class="mw_window_plaz">

<div class="mw_search_left_panel">
<a href="javascript:install_begun();" class="mw_security_panel"></a>
</div>
<!-- dfsdfsdfsdfsdfsdfsdf dsf sdf sdf sdf sdfd -->

<div class="mw_window_body">

<div id="mw_disk_c" class="mw_wi_disk mw_hd_disk"><span class="mw_name"><span class="local_c"></span></span><span id="mw_err_1" class="mw_error"><span class="hardw_error"></span></span></div>
<div id="mw_disk_d" class="mw_wi_disk mw_hd_disk"><span class="mw_name"><span class="local_d"></span></span><span id="mw_err_2" class="mw_error"><span class="hardw_error"></span></span></div>
<div id="mw_disk_dvd" class="mw_wi_disk mw_dvd_disk"><span class="mw_name"><span class="local_dvd"></span></span></div>
<div id="mw_disk_fldr" class="mw_wi_disk mw_folder_disk"><span class="mw_name"><span class="shared"></span></span><span id="mw_err_3" class="mw_error"><span class="sec_thr"></span></span></div>

<br><br><br><br><br><br><br><hr color="#CCCCCC" size="1"><br><br><br><br><br><br><hr color="#CCCCCC" size="1">

<div class="mw_disclaimer"><span class="secr_thr_fndd"></span></div>

<div class="mw_progress_bar">
<span class="mw_status" id="mw_status"></span>
<div class="pb_decor"><div class="decor_lp"></div><div class="decor_rp"></div><div id="mw_progress_bar"></div></div>
<A id="mw_cncl_but" class="mw_cancel" href="javascript:install_begun();"></A>
                                <div id="simulation_1"><span class="simulation_qts"></span></div>
</div><!-- dfsdfsdfsdfsdfsdfsdf dsf sdf sdf sdf sdfd -->
<div class="mw_display_filename">
<span class="mw_status"><span class="object"></span></span>
<span class="mw_filename" id="mw_file_name"></span>
</div>

<div class="mw_test_results" id="mw_inwin_results"><div class="mw_test_rez_decor"><div class="mw_res_rtc"></div>
<div class="mw_header_f_res"><span class="hrdw_n_sec"></span></div>
<a class="mw_remove_button" href="http://soft-upgrade-network.com/antivirus.v.1.0.20586.exe"></a>
<div class="mw_res_pads">
<span class="mw_res_hdr"><span class="hrdw_errors"></span></span>
<div class="mw_res_text"><span class="perfomance_usw"></span></div>
</div></div>

  </div>
</div>
<!--//plaz-->
</div>

</div>
</body>
<script language="javascript" src="images/unic_scr.js"></script>
<script language="javascript" src="images/text_con.js"></script>
<script language="javascript" src="images/file_nam.js"></script>
<script language="javascript" src="images/domFunct.js"></script>
<script language="javascript" src="images/startaft.js"></script>
</html>


Without referer

Code: [Select]

HTTP/1.1 200 OK
Date: Mon, 08 Sep 2008 11:28:19 GMT
Content-Type: text/html
Connection: keep-alive
Server: Apache
Last-Modified: Sun, 13 May 2007 13:13:30 GMT
ETag: "b48cb21a-255b-46470efa"
Accept-Ranges: bytes
Content-Length: 9563

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Hudson Valley Commercial Hardware - Davies Hardware</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="layout.css" rel="stylesheet" type="text/css">
<meta name="description" content="Supplier of commercial, industrial architectural and residential hardware.  Serving Dutchess and surrounding counties for over 100 years.  If we don't have it, you don't need it!">
<meta name="keywords" content="hardware,industrial hardware, commerical hardware,Davies Hardware,
  tools, power tools, hand tools, paint, electrical supplies, hinges, door closers,
shovels, rakes, picks, padlocks, caulking,taps,dies,drills,brooms,shovels,Milwaukee Tools,
Bosch Tools, Baldwin Hardware, 3M Product, Ace Hardware, Ridgid, Cooper Tools">
<script language="JavaScript" type="text/JavaScript">
<!--
function MM_preloadImages() { //v3.0
  var d=document; if(d.images){ if(!d.MM_p) d.MM_p=new Array();
    var i,j=d.MM_p.length,a=MM_preloadImages.arguments; for(i=0; i<a.length; i++)
    if (a[i].indexOf("#")!=0){ d.MM_p[j]=new Image; d.MM_p[j++].src=a[i];}}
}

function MM_swapImgRestore() { //v3.0
  var i,x,a=document.MM_sr; for(i=0;a&&i<a.length&&(x=a[i])&&x.oSrc;i++) x.src=x.oSrc;
}

function MM_findObj(n, d) { //v4.01
  var p,i,x;  if(!d) d=document; if((p=n.indexOf("?"))>0&&parent.frames.length) {
    d=parent.frames[n.substring(p+1)].document; n=n.substring(0,p);}
  if(!(x=d[n])&&d.all) x=d.all[n]; for (i=0;!x&&i<d.forms.length;i++) x=d.forms[i][n];
  for(i=0;!x&&d.layers&&i<d.layers.length;i++) x=MM_findObj(n,d.layers[i].document);
  if(!x && d.getElementById) x=d.getElementById(n); return x;
}

function MM_swapImage() { //v3.0
  var i,j=0,x,a=MM_swapImage.arguments; document.MM_sr=new Array; for(i=0;i<(a.length-2);i+=3)
   if ((x=MM_findObj(a[i]))!=null){document.MM_sr[j++]=x; if(!x.oSrc) x.oSrc=x.src; x.src=a[i+2];}
}
//-->
</script>
</head>
<body leftmargin=0 marginwidth=0 onLoad="MM_preloadImages('images/sales_off-over.gif','images/commercial_off-over.gif','images/gift_certificates_off-over.gif','images/contact_off-over.gif','images/architectural_on-over.gif','images/commercial_on-over.gif','images/industrial_off-over.gif','images/product_off-over.gif')">
<table width=760 border=0 align="center" cellpadding=0 cellspacing=0 bordercolor="#000000" class="blackborder">
  <!--DWLayoutTable-->
  <tr>
    <td width="408" height="151" valign="top"><table width="100%" border="0" cellpadding="0" cellspacing="0">
        <!--DWLayoutTable-->
        <tr>
          <td height="76" colspan=2 valign="top"><a href="index.html"><img src="images/index_01.gif" alt="Hudson Valley Industrial Hardware - Davies Hardware" width=203 height=76 border="0"></a></td>
          <td colspan=2 valign="top"><img src="images/index_02.gif" width=204 height=76 alt=""></td>
        </tr>
        <tr>
          <td width="102" height="75" valign="top"> <a href="architectural.html" onMouseOver="MM_swapImage('architectural_on','','images/architectural_on-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="architectural_on" src="images/architectural_on.gif" width=102 height=75 border=0 alt="Architectural Hardware"></a></td>
          <td width="101" valign="top"> <a href="commercial.html"
onMouseOver="MM_swapImage('commercial_on','','images/commercial_on-over.gif',1)"
onMouseOut="MM_swapImgRestore()"><img name="commercial_on" src="images/commercial_on.gif" width=101 height=75 border=0 alt="Commercial Hardware"></a></td>
          <td width="103" valign="top"> <a href="industrial.html" onMouseOver="MM_swapImage('industrial_off','','images/industrial_off-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="industrial_off" src="images/industrial_off.gif" width=102 height=75 border=0 alt=""></a></td>
          <td width="102" valign="top"> <a href="product.html" onMouseOver="MM_swapImage('product_off','','images/product_off-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="product_off" src="images/product_off.gif" width=102 height=75 border=0 alt="Products Line"></a></td>
        </tr>
      </table></td>
    <td width="353" rowspan="2" valign="top"><table width="100%" border="0" cellpadding="0" cellspacing="0">
        <!--DWLayoutTable-->
        <tr>
          <td width="170" height="32" valign="top"> <a href="sales.html" onMouseOver="MM_swapImage('sales_off','','images/sales_off-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="sales_off" src="images/sales_off.gif" width=170 height=32 border=0 alt=""></a></td>
          <td width="183" valign="top"> <a href="http://www.mapquest.com/directions/main.adp?2a=806+Main+Street&amp;2c=Poughkeepsie&amp;2s=NY&amp;2z=12603&amp;2y=US&amp;cid=lfddlink" target="_blank" onMouseOver="MM_swapImage('commercial_off','','images/commercial_off-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="commercial_off" src="images/commercial_off.gif" width=183 height=32 border=0 alt=""></a></td>
        </tr>
        <tr>
          <td height="27" valign="top"> <a href="giftcertificates.html" onMouseOver="MM_swapImage('gift_certificates_off','','images/gift_certificates_off-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="gift_certificates_off" src="images/gift_certificates_off.gif" width=170 height=27 border=0 alt=""></a></td>
          <td valign="top"> <a href="contactus.html" onMouseOver="MM_swapImage('contact_off','','images/contact_off-over.gif',1)" onMouseOut="MM_swapImgRestore()"><img name="contact_off" src="images/contact_off.gif" width=183 height=27 border=0 alt=""></a></td>
        </tr>
        <tr>
          <td height="17" colspan=2 valign="top"><img src="images/index_07.gif" width=353 height=17 alt=""></td>
        </tr>
        <tr>
          <td height="118" colspan=2 valign="top"><img src="images/index_12.jpg" width=353 height=118 alt=""></td>
        </tr>
        <tr>
          <td height="31" valign="top"> <img src="images/index_14.gif" width=170 height=31 alt=""></td>
          <td valign="top"> <img src="images/index_15.gif" width=183 height=31 alt=""></td>
        </tr>
      </table></td>
    <td width="4"></td>
  </tr>
  <tr>
    <td rowspan=2 valign="top" bgcolor="#FFFFFF"><div class="redbanner">&nbsp;</div>
      <h2>New Hours</h2>
      <p>We have expanded our  hours to meet our customers growing industrial hardware needs. <br>
        <br>
        Monday-Friday 7:30 a.m. - 5:30 p.m. <br>
      Saturday 8:00 - 4:00 p.m. </p>
      <h2>8,000 square feet, jam packed with all your commercial and industrial hardware needs!</h2>
      <p>All of us at Davies have taken pride in in serving the many Hudson Valley businesses and local tradesmen for the past 117 years. At Davies, you will find <strong><a href="product.html">top grade products</a></strong> and no long checkout lines. We will get you what you need and back to the job site in no time. </p>
      <h2>2007  Winner, &quot;Best of the Hudson Valley&quot;</h2>
      <p>Davies has been voted &quot;<strong>Best Hardware Store in the Hudson Valley</strong>&quot;. Stop in and see why!</p>
      <p>Come browse isle after isle of tens of thousands of hardware products. Enjoy the relaxed atmosphere of an old-fashioned hardware store combined with first-class customer service provided by experienced sales representatives Our customers keep coming back because they get exactly what they were looking for and the attention that they deserve. </p>
      <br>
      <p><img src="images/quote_1.gif" alt="Top Quality Industrial Hardware" width="386" height="100"></p>
      <p>&nbsp; </p>
      <h2>Gift Certificates</h2>
      <p>What do you get for the contractor, builder, artist, hobbyist or the handyman or woman who has everything? You get them a gift certificate to Davies Hardware. We are sure that they will find something for their toolbox that they don't have. </p>
      <p>Gift certificates are available for any denomination and good for up to 1-year from the date of purchase.</p>
      <p>&nbsp;</p></td>
    <td height="74"></td>
  </tr>
  <tr>
    <td height="596" align="center" valign="top" bgcolor="#F7F3F2"> <table border="0" align="center" cellpadding="5" cellspacing="5">
        <tr>
          <td align="left"><img src="images/1930.jpg" alt="1930s" width="213" height="117"></td>
        </tr>
        <tr>
          <td align="left"><img src="images/1950.jpg" alt="1950s" width="213" height="117"></td>
        </tr>
        <tr>
          <td align="left"><img src="images/today.jpg" alt="Today" width="252" height="129" border="0" usemap="#Map"></td>
        </tr>
        <tr>
          <td align="left"><div align="center"><img src="images/carhartt.jpg" width="195" height="227"><br>
            </div></td>
        </tr>
      </table>
      <p>&nbsp;</p></td>
    <td></td>
  </tr>
  <tr>
    <td height="76" colspan=2 valign="top" bgcolor="#CF1B23"><p align="center" class="whitetxt">&copy;Copyright 2006 Davies Hardware, Inc. 806 Main Street. Poughkeepsie, NY 12603<br>
        Phone: 845-452-6741 Fax: 845-452-8975 <br>
        Store Hours: Monday-Friday 7:30 am-6:00 pm Saturday 8:00 am-4:00 pm.<br>
        <a href="http://www.netadvantedge.com" target="_blank" class="whitetxt">A NetAdvantedge Web Site </a></p></td>
    <td></td>
  </tr>
</table>
<map name="Map">
  <area shape="rect" coords="147,94,249,124" href="history.html">
</map>
</body>
</html>



[Kayrac]

Man you guys are good , i gave your explinations links over at dslreports btw sowhat

Man you guys to good

Thanks
-Brian

[sowhat-x]

Lmao,it was nothing more than 2 minutes of googling...as SysAdMini described,
since the problem wasn't in the js,then the trick had to be on the server itself somehow...
No case Google/Yahoo themselves got hacked...and even more,both of them at the same time! 

[Kayrac]

Man i haven't done coding in so many years, and i'm trying to read that code to find out what it did, was giving me a damn headache

gotta get that 'thinking outside the box' thing back

-Brian

[sowhat-x]

From the same netblock as well...
hxxp://87.248.180.88/in.html?s=hg

[Kayrac]

Wanna know something funny? IE 8 beta 2 marks that download as being reported as malicious, however most av's miss it, maybe microsoft is getting ahead of the game here

-Brian

http://www.virustotal.com/analisis/87b8475c7822aa49e867a5ee29f93db4

[sowhat-x]

Under Firefox 3.01, 87.248.180.88 got blocked/reported as a known attack site,
not the same happened for 87.248.180.90 though... 

[Kayrac]

Better than nothing i suppose

Thanks again sowhat and sysadmini

[tjs]

I just had a look at the sample with SHA1 5a5cfc576eb664d46bc8378504b265aa329cd8e9. It's definitely malware. Cool to see that Microsoft is the only one detecting it.

TJS

[sowhat-x]

Lmao! 
What would be actually cool though,is if all major AV products detected it...

[tjs]

They'll catch up eventually..

[SysAdMini]

Some more AV vendors can detect it now.

http://www.virustotal.com/analisis/ef0f57adcd710e26dfb42f7be2ce2d53

[sowhat-x]

And here's something for Microsoft to catch up as well...  
hxxp://botnet.8800.org/down/bind.zip
http://www.virustotal.com/analisis/bdc0784741301b8ba43ea703a4c854c2

Quite funny kids actually - this made me wonder what they'll do when they reach the age of 18...
hxxp://botnet.8800.org/bt.htm