Thousands of websites infected with .htaccess redirect attack

Posted by   Virus Bulletin on   Jul 5, 2012

Various anti-detection methods applied.

Thousands of legitimate websites have seen .htaccess files compromised and as a consequence have been used to serve the 'Milisenco' trojan, researchers at Symantec report.

.htaccess is a configuration file used by a number of webservers, including the popular Apache server. It allows for decentralised management of the server and requires neither root access nor a server restart for changes to have an effect. For this reason it is popular on shared hosts where it can be used for internal and external redirects.

If those with malicious intent are able to access it, the .htaccess file can be used to send visitors to a malicious site. Because this happens without any of the website's actual content being changed, the site owner is unlikely to notice any changes.

To make the malicious changes even more stealthy and to make sure only those users who could potentially be infected are redirected, some further tricks are used. By applying a conditional redirect, only those visiting the site for the first time, who entered the site through a link or via a search engine, who used the Windows platform and who used a popular browser are redirected to the malicious site. The .htaccess file also contains hundreds of blank lines before and after the redirection code.

The Milisenco trojan that is served by the malicious site made the news last month when it appeared to cause printers attached to infected machines to print many pages of garbage. This is a side effect of the malware, which masquerades as a printer spool file, possibly to avoid detection.

Yet another malicious redirect from legitimate websites shows how many websites - even those that appear harmless - can be dangerous to visit. The various tricks applied to make the attack more stealthy show the challenges for both website owners and researchers in fighting such threats.

More at Symantec's website here.

Posted on 6 July 2012 by Virus Bulletin



Latest posts:

VB2019 paper: Operation Soft Cell - a worldwide campaign against telecommunication providers

Today we publish the VB2019 paper by Cybereason researchers Mor Levi, Amit Serper and Assaf Dahan on Operation Soft Cell, a targeted attack against telecom providers around the world.

VB2019 paper: A study of Machete cyber espionage operations in Latin America

At VB2019 in London a group of researchers from the Stratosphere Lab at the Czech Technical University in Prague presented a paper in which they analysed and dissected the cyber espionage activities of an APT group in Latin America through the…

VB2019 paper: The push from fiction for increased surveillance, and its impact on privacy

In a paper presented at VB2019 in London, researchers Miriam Cihodariu (Heimdal Security) and Andrei Bogdan Brad (Code4Romania) looked at how surveillance is represented in fiction and how these representations are shaping people's attitudes to…

VB2019 paper: Oops! It happened again!

At VB2019 in London industry veterans Righard Zwienenberg and Eddy Willems took a detailed look at the relationship between past and current cyber threats. Today, we publish both their paper and the recording of their presentation.

Job vacancy at VB: Security Evangelist

Virus Bulletin is recruiting for a person to be the public face of the company

We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.