Posted by Virus Bulletin on Jul 5, 2012
Various anti-detection methods applied.
Thousands of legitimate websites have seen .htaccess files compromised and as a consequence have been used to serve the 'Milisenco' trojan, researchers at Symantec report.
.htaccess is a configuration file used by a number of webservers, including the popular Apache server. It allows for decentralised management of the server and requires neither root access nor a server restart for changes to have an effect. For this reason it is popular on shared hosts where it can be used for internal and external redirects.
If those with malicious intent are able to access it, the .htaccess file can be used to send visitors to a malicious site. Because this happens without any of the website's actual content being changed, the site owner is unlikely to notice any changes.
To make the malicious changes even more stealthy and to make sure only those users who could potentially be infected are redirected, some further tricks are used. By applying a conditional redirect, only those visiting the site for the first time, who entered the site through a link or via a search engine, who used the Windows platform and who used a popular browser are redirected to the malicious site. The .htaccess file also contains hundreds of blank lines before and after the redirection code.
The Milisenco trojan that is served by the malicious site made the news last month when it appeared to cause printers attached to infected machines to print many pages of garbage. This is a side effect of the malware, which masquerades as a printer spool file, possibly to avoid detection.
Yet another malicious redirect from legitimate websites shows how many websites - even those that appear harmless - can be dangerous to visit. The various tricks applied to make the attack more stealthy show the challenges for both website owners and researchers in fighting such threats.