Malware Redirection with a Delay

You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds, you get redirected to a casino or pharma affiliate page. What is going on?

We call these delayed redirections and they are becoming more prevalent these days. Instead of injecting malware, or performing redirections via javascript, the attackers are adding the refresh option to the HTTP headers. Similar to the following:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 17:18:02 GMT
Server: Apache
Refresh: 25; url="httx://www.dodonet.biz"


This tells the browser to redirect to a malicious domain after 25 seconds. Note that the domain and the refresh time varies per infection. These are some of the other domains we are seeing on this type of attack:

http://www.dodonet.biz

http://www.dodd.biz

http://bluehost-dz.com/bord

http://bluehost-dz.com/done

.

The infection

This infection seems to be mostly targeted at outdated Joomla sites (running < 1.5.25), but as it becomes more common the attackers will likely start to use it against all CMS applications. If you suspect your site may be compromised with this infection, you can verify it on our free scannerSiteCheck.

You can also search your PHP code for a similar entry adding the refresh header (be aware that it might be encoded using base64 or hex):

$x0b="header"; $x0b("Refresh:"25;"url=\"httx://bluehost-dz.com/bord\"");

It also confuses many types of malware/security scanners because most of them will not wait 20+ seconds to see what happens. It’s probably why we’re seeing this big change in attacks.

If you have any question or comments, let us know.

Scan your website for free:
About Daniel Cid

Daniel is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid

  • Tom

    Thanks for sharing that’s what happend to our site.