I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:
The curious aspect about it is the use of a not-so-common .htaccess feature: variables. Most conditional injections rely only on the user agent (browser) or referrer of the visitor, but this one also leveraged the TIME_SEC and VWM variables:
RewriteRule .* - [E=cNL:%{TIME_SEC}] RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]
It’s attributing the TIME_SEC (the “seconds” part of current time) to the cNL variable and the payload to VWM. It causes the malware to redirect the visitor to a different page, depending on the time of the day.
For example, if it is 9:00:01 (ending in the “01” second), it will redirect the visitor to a specific campaign ID (7522). If it is 9:00:02 (ending in the “02” second), it will redirect to a different campaign ID, and so on until it reaches all 60 seconds.
And when you mix that with all other conditions that this .htaccess malware has:
- It checks if the referer came from Google, Facebook, Twitter and a few other popular sites.
- It checks if the operating system is a Mac, Windows, iPhone, iPad, iPod or Android
- It checks if the cookie cNL is not set (to prevent displaying the malware more than once to the same person.
- It checks the time of the request to build a custom URL depending on the second.
It becomes very hard to detect and even harder to get all malicious URL’s identified.
Very sneaky…
2 comments
Wow that would be a hard one to trace as you would not naturally look in the .htaccess first.
.htaccess / modrewrite is a great tool, I sometimes use .htaccess rules AND CloudFlare Page Rules for even more powerful URL magic. I also have observed web site exploits using sneaky .htaccess rules as far back as 2007, when I was reverse engineering “msplinks bypasses” in the wild.
Comments are closed.