Threat Research

Chameleon redirectors

Jiří Sejtko, 25 June 2009

Chameleon redirectors

Infections inserted into valid websites are often an iframe/script tag itself, sometimes the simple encryption functions are used and sometimes very complex algorithms are used to hide the redirection process. But all these methods have the same objective - to redirect users to malware distribution websites hosting various exploit packs. There are also infections that are trying to imitate well-known and often used services - mostly Google related services – with Google Analytics being number one. It started with small changes in the urls used by these services, for example "analytics" -> "analitics" and so on. In this article I will describe two new infections that imitate well-known Google service in more complex manner, which at first look seem to be legitimate.

First, I will show the original code used for Google Analytics - the code is shown in the next picture.


JS:Redirector-T [Trj]

This detection was released last week on Tuesday - June 16, 2009. This is a very successful imitation of the original code for Google Analytics. The following image shows the code of the infection.


The fundamental difference is shown in the green rectangle. Attribute 'sr?’ does not exist and even if it is part of the resulting tag it is ignored by the browser. The real source attribute is hidden. It is shown using red arrows – so you can see it is encrypted using simple replace function.

Although our detection is more than a week old, avast! is still the only antivirus that can detect it (GData uses avast! as one of its engines). The following picture is taken from Virustotal.


Online VT report:

HTML:IFrame-HM [Trj]

This is actual threat - the detection has been released today in last VPS update – June 25, 2009. Imitation is not as good as in the previous case, but there are elements and keywords taken from Google Analytics too. The following image shows the infection. Labels indicate the sections of the code.


And again, avast! is the only antivirus who protect you from this threat. Next image is taken from virustotal.


And finally online VT report: