Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:

The curious aspect about it is the use of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (browser) or referrer of the visitor, but this one also leveraged the TIME_SEC and VWM variables:

RewriteRule .* - [E=cNL:%{TIME_SEC}]
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]

It’s attributing the TIME_SEC (the “seconds” part of current time) to the cNL variable and the payload to VWM. It causes the malware to redirect the visitor to a different page, depending on the time of the day.

For example, if it is 9:00:01 (ending in the “01” second), it will redirect the visitor to a specific campaign ID (7522). If it is 9:00:02 (ending in the “02” second), it will redirect to a different campaign ID, and so on until it reaches all 60 seconds.

And when you mix that with all other conditions that this .htaccess malware has:

1. It checks if the referer came from Google, Facebook, Twitter and a few other popular sites.
2. It checks if the operating system is a Mac, Windows, iPhone, iPad, iPod or Android
3. It checks if the cookie cNL is not set (to prevent displaying the malware more than once to the same person.
4. It checks the time of the request to build a custom URL depending on the second.

It becomes very hard to detect and even harder to get all malicious URL’s identified.

Very sneaky…