The bad guys behind the Antivirus 2008/2009 malware have recently been using a pretty sneaky tactic for redirecting people to their fake web sites.
In this latest wave of attacks, the attackers are abusing the RewriteEngine feature of Apache's mod_rewrite module. On most hosting setups this feature can be switched on through a .htaccess per-directory configuration file, which is typically placed in the document root of the web site. In the incidents detected so far, it appears that the file was uploaded using stolen FTP credentials.
The trick is that the redirect is conditional on the Referer header. If you visit the compromised web site directly, everything works as it is supposed to. However, if you search for something and click on a result that points to the compromised site, your browser sends a Referer header naming the search engine; that header matches one of the RewriteCond rules and you are redirected to the bad site. A side effect is that the site owner, who usually types the address in directly, sees nothing wrong.
If you run a web site, make sure that you use strong credentials when modifying its contents and that you do so from a clean machine; the credentials in these incidents were stolen, and plain FTP sends them in clear text. If anyone from a web hosting company is reading this: check the .htaccess files on the sites you host (or better yet, disable them with AllowOverride None if your customers don't need them). Finally, make sure that file-level permissions are set properly, so that mass defacements like the one I described at http://isc.sans.org/diary.html?storyid=3078 can't happen.
Oct 9th 2008