Blackmuscats Conditional Redirections to Fake AntiVirus

We are seeing many sites today compromised with the Blackmuscats conditional redirection. This malware causes anyone visiting the hacked site to be redirected to a Fake AV (AntiVirus). Why Blackmuscats? All the compromised sites have .htaccess redirections pointing to files ending in “blackmuscats?5”.

So far we have detected more than 8,000 sites with this type of redirection and the number is growing (last night we had only found a few hundred).

Note: this is a conditional redirection, so you are only sent to the malware site if you are coming from a search engine, not if you visit the site directly.

Here are some of the domains being used as part of this malware campaign:

1297 redirections
1156 redirections
1077 redirections
1001 redirections
975 redirections
391 redirections
329 redirections
263 redirections
244 redirections
223 redirections
206 redirections
192 redirections
80 redirections
65 redirections
.. many more..

This is what the .htaccess looks like on the hacked sites:

RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia|excite|..suchmaschine|web-archiv|infospace)\.(.*)
RewriteRule ^(.*)$ [R=301,L]
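
A way to check your own .htaccess files for this pattern, as an added example that is not part of the original post: it flags any RewriteRule that is gated on a search-engine HTTP_REFERER condition and points at an absolute URL on a host you do not own. The function name, the sample file and the host placeholder.example are constructed for illustration; the engine names come from the rule shown above.

```python
import re

# Search-engine names taken from the RewriteCond shown on the page.
ENGINES = ("google", "ask", "yahoo", "youtube", "wikipedia",
           "excite", "suchmaschine", "web-archiv", "infospace")
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{HTTP_REFERER\}\s+(\S+)", re.I)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)(?:\s+\[([^\]]*)\])?", re.I)
HOST_RE = re.compile(r"https?://([^/:?#]+)", re.I)


def find_referer_redirects(htaccess_text, own_hosts=()):
    """Return RewriteRules that send search-engine visitors to a foreign host."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], None
    for no, line in enumerate(htaccess_text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        cond = COND_RE.match(line)
        if cond:
            hits = [e for e in ENGINES if e in cond.group(1).lower()]
            if len(hits) >= 2:  # one name alone is too weak a signal
                pending = (no, hits)
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # other directives (and other RewriteConds) keep the chain
        # An absolute URL on another host is an external redirect in
        # mod_rewrite even without the [R] flag, so only the target is checked.
        host = HOST_RE.match(rule.group(2))
        if pending and host and host.group(1).lower() not in own:
            findings.append({"cond_line": pending[0], "rule_line": no,
                             "engines": pending[1],
                             "target_host": host.group(1).lower(),
                             "flags": rule.group(3) or ""})
        pending = None  # conditions apply only to the next RewriteRule
    return findings


# Constructed sample: one benign hotlink rule, one referrer-gated redirect.
SAMPLE = r"""RewriteEngine On
# hotlink protection (benign)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mysite\.example/ [NC]
RewriteRule \.(jpg|png)$ - [F]
RewriteCond %{HTTP_REFERER} ^.*(google|ask|yahoo|youtube|wikipedia)\.(.*)
RewriteRule ^(.*)$ http://placeholder.example/blackmuscats?5 [R=301,L]
"""

if __name__ == "__main__":
    for f in find_referer_redirects(SAMPLE, own_hosts=("mysite.example",)):
        print(f)
```

Run it over every .htaccess under the web root, including parent directories of the document root, and pass your own hostnames in own_hosts so legitimate canonical-host redirects are not reported.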

What happens next?

If someone visits a compromised site by clicking through from a search engine results page, they are sent to one of the domains listed above, and then to (and similar AV related domains): ( -> redirection to -> (

This is where you get those scary warnings like “Your computer is compromised”.

We will post more details as we keep monitoring it.

Story added 31. July 2012.