Thousands of websites infected with .htaccess redirect attack

Posted by   Virus Bulletin on   Jul 5, 2012

Various anti-detection methods applied.

Thousands of legitimate websites have seen .htaccess files compromised and as a consequence have been used to serve the 'Milisenco' trojan, researchers at Symantec report.

.htaccess is a configuration file used by a number of webservers, including the popular Apache server. It allows for decentralised management of the server and requires neither root access nor a server restart for changes to have an effect. For this reason it is popular on shared hosts where it can be used for internal and external redirects.

If those with malicious intent are able to access it, the .htaccess file can be used to send visitors to a malicious site. Because this happens without any of the website's actual content being changed, the site owner is unlikely to notice any changes.

To make the malicious changes even more stealthy and to make sure only those users who could potentially be infected are redirected, some further tricks are used. By applying a conditional redirect, only those visiting the site for the first time, who entered the site through a link or via a search engine, who used the Windows platform and who used a popular browser are redirected to the malicious site. The .htaccess file also contains hundreds of blank lines before and after the redirection code.

The Milisenco trojan that is served by the malicious site made the news last month when it appeared to cause printers attached to infected machines to print many pages of garbage. This is a side effect of the malware, which masquerades as a printer spool file, possibly to avoid detection.

Yet another malicious redirect from legitimate websites shows how many websites - even those that appear harmless - can be dangerous to visit. The various tricks applied to make the attack more stealthy show the challenges for both website owners and researchers in fighting such threats.

More at Symantec's website here.

Posted on 6 July 2012 by Virus Bulletin



Latest posts:

In memoriam: Prof. Ross Anderson

We were very sorry to learn of the passing of Professor Ross Anderson a few days ago.

In memoriam: Dr Alan Solomon

We were very sorry to learn of the passing of industry pioneer Dr Alan Solomon earlier this week.

New paper: Nexus Android banking botnet – compromising C&C panels and dissecting mobile AppInjects

In a new paper, researchers Aditya K Sood and Rohit Bansal provide details of a security vulnerability in the Nexus Android botnet C&C panel that was exploited in order to gather threat intelligence, and present a model of mobile AppInjects.

New paper: Collector-stealer: a Russian origin credential and information extractor

In a new paper, F5 researchers Aditya K Sood and Rohit Chaturvedi present a 360 analysis of Collector-stealer, a Russian-origin credential and information extractor.

VB2021 localhost videos available on YouTube

VB has made all VB2021 localhost presentations available on the VB YouTube channel, so you can now watch - and share - any part of the conference freely and without registration.

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.