Website hack leads to registry cleaner affiliate page

Malicious code on a website can hide in multiple locations. In this case, we are going to take a look at one called conditional redirect.

A conditional redirect is a type of website hijack that diverts traffic headed for your website to another site based on one or more conditions. A typical example is to redirect only people who click on a link from the Google search results.

The sneaky thing about this is that most of the time, the site owner will not notice it because she goes directly to her site by typing its address, so the condition (a search engine referrer) is never met for her.

Here is a conditional redirect that uses obfuscated JavaScript:

Let’s take a moment to look at the code, and in particular at this snippet: "l://9"+"1."+"n"+ "3"+"."+"8"+"9.1"+"s /"

It may not seem obvious at first glance, but this is a link to an IP address (91.223.89.112) located in Vladivostok (Russia) as shown in this Fiddler HTTP traffic capture:

followed by a redirection to googosearch.biz (95.168.185.66) located in Hong Kong. That domain is just a useless portal mainly used for affiliate-type redirections:

In our case it goes to an affiliate page for Uniblue’s RegistryBooster:

googosearch.biz has a few brothers and sisters:

googosearch.info
googosearch.net
googosearch.org

The last one being a login page for something probably not very legit:

If your website is currently affected by this redirection problem, you must look in a file on your web server called .htaccess. (Make sure to check for all instances of that filename, as there can be multiple.)

A typical redirection looks like this:

RewriteEngine On
RewriteCond %{HTTP_REFERER} .*gooogle.*

All you need to do is remove the offending lines.
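As an added example that is not part of the original post, here is a small Python scanner that walks a web root for every .htaccess file and flags RewriteRule blocks gated on a search-engine HTTP_REFERER, the pattern shown in the snippet above. The search-engine list, the placeholder redirect host and the sample .htaccess contents are constructed assumptions.

```python
import re
from pathlib import Path

# Referer patterns a hijacker keys on; "goo+gle" also matches the post's "gooogle".
# Negated ("!pattern") conditions are skipped: hotlink protection allowlists, not targets.
SEARCH_ENGINES = re.compile(r"goo+gle|bing|yahoo|yandex|baidu", re.I)
COND_RE = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)\s*(.*)$", re.I)
REDIRECT_FLAG = re.compile(r"\[[^\]]*\bR\b")  # [R], [R=302,L], [L,R] ...

def find_conditional_redirects(text: str, path: str = "<inline>") -> list[dict]:
    """One finding per RewriteRule whose RewriteConds test HTTP_REFERER against a
    search engine. mod_rewrite binds the RewriteConds directly above a RewriteRule
    to that rule, so conditions are accumulated until the rule appears."""
    findings, pending = [], []  # pending: (lineno, variable, pattern)
    for lineno, line in enumerate(text.splitlines(), 1):
        m = COND_RE.match(line)
        if m:
            pending.append((lineno, m.group(1), m.group(2)))
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        target, flags = m.group(2), m.group(3)
        hits = [n for n, var, pat in pending
                if "HTTP_REFERER" in var.upper()
                and not pat.startswith("!") and SEARCH_ENGINES.search(pat)]
        if hits:
            # an absolute URL or an [R] flag means the visitor leaves the site
            external = target.lower().startswith("http") or bool(REDIRECT_FLAG.search(flags))
            findings.append({"file": path, "line": lineno, "cond_lines": hits,
                             "target": target, "external": external})
        pending = []  # a RewriteRule consumes its conditions either way
    return findings

def scan_webroot(root: str) -> list[dict]:
    """Check every .htaccess under root; the post warns there can be several."""
    return [f for p in Path(root).rglob(".htaccess")
            for f in find_conditional_redirects(p.read_text(errors="replace"), str(p))]

# Constructed sample: benign hotlink protection, then an injected redirect
# modelled on the post's snippet (the target host is a placeholder).
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_REFERER} !google\. [NC]
RewriteRule \.(jpg|png)$ - [F]
RewriteCond %{HTTP_REFERER} .*gooogle.* [NC,OR]
RewriteCond %{HTTP_REFERER} .*bing.* [NC]
RewriteRule ^(.*)$ http://redirect-host.invalid/ [R=302,L]
"""
```

Running find_conditional_redirects(SAMPLE_HTACCESS) reports only the last RewriteRule (conditions on lines 4 and 5, external redirect), while the hotlink-protection block is left alone; scan_webroot("/var/www") does the same for every .htaccess under a web root.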

To find out if your website has any security holes before it’s too late, please go to SparkTrust.com.

Jerome Segura