Malware Redirection with a Delay

You visit a site and it looks good and clean. However, if you keep the page open, after maybe 20-30 seconds you get redirected to an affiliate page for a casino or pharma site. What is going on?

We call those delayed redirections, and they are becoming a lot more common. Instead of injecting malware or doing the redirection via JavaScript, the attackers add a Refresh header to the HTTP response, similar to the following:

HTTP/1.1 200 OK
Date: Tue, 29 Jan 2013 17:18:02 GMT
Server: Apache
Refresh: 25; url="httx://www.dodonet.biz"

This tells the browser to load the malicious domain after 25 seconds. Note that both the domain and the delay vary per infection. These are some of the other domains we are seeing in this type of attack:

http://www.dodonet.biz
http://www.dodd.biz
http://bluehost-dz.com/bord
http://bluehost-dz.com/done

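The point of the header is that nothing visible happens until the timer fires, so a check that loads the page and looks at it immediately sees a clean site. The right check is to read the Refresh value out of the response instead of waiting for it. The following is an added example (not Sucuri's code) that parses a raw HTTP response, extracts the delay and target from a Refresh header, and flags a target that leaves the site. It goes slightly beyond the post in also reading a <meta http-equiv="refresh"> tag from the body, because browsers treat both the same way. The sample response is constructed from the header quoted above (the "httx://" scheme is kept as the post writes it), and the function names are this example's own.

```python
import re
from urllib.parse import urlsplit

# Constructed raw HTTP response modelled on the header quoted in the post.
# Not a live capture: the body is a placeholder and the scheme is defanged.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Tue, 29 Jan 2013 17:18:02 GMT\r\n"
    "Server: Apache\r\n"
    'Refresh: 25; url="httx://www.dodonet.biz"\r\n'
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body>Welcome to the shop</body></html>"
)

# Refresh value grammar as browsers accept it: "<seconds>", optionally followed
# by ";" or "," and an optional "url=" prefix, with or without quotes.
REFRESH_VALUE_RE = re.compile(
    r'^\s*(\d+(?:\.\d+)?)\s*(?:[;,]\s*(?:url\s*=\s*)?["\']?([^"\'\s]+)["\']?)?', re.I
)

# <meta http-equiv="refresh" content="..."> carries the same value syntax.
META_REFRESH_RE = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']',
    re.I,
)


def split_response(raw):
    """Split a raw HTTP/1.x response into (headers dict, body); header names lowercased."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers, body


def parse_refresh(value):
    """Return (delay_seconds, target_url_or_None) for a Refresh value, or None if malformed."""
    m = REFRESH_VALUE_RE.match(value)
    if not m:
        return None
    return float(m.group(1)), m.group(2)


def check_delayed_redirect(raw, site_host):
    """Report a Refresh header or meta refresh without waiting for it to fire.

    Returns None when the page declares no refresh; otherwise a dict with where
    it came from, the delay, the target, and whether the target leaves site_host.
    """
    headers, body = split_response(raw)
    source, value = None, None
    if "refresh" in headers:
        source, value = "header", headers["refresh"]
    else:
        m = META_REFRESH_RE.search(body)
        if m:
            source, value = "meta", m.group(1)
    if value is None:
        return None
    parsed = parse_refresh(value)
    if parsed is None:
        return None
    delay, target = parsed
    target_host = urlsplit(target).netloc.lower() if target else ""
    return {
        "source": source,
        "delay": delay,
        "target": target,
        "offsite": bool(target_host) and target_host != site_host.lower(),
    }


if __name__ == "__main__":
    print(check_delayed_redirect(SAMPLE_RESPONSE, "www.example.com"))
```

A same-site refresh with a short delay (a login page that reloads, a "please wait" page) is normal; what should raise an alarm is a Refresh whose target host is not your own, regardless of the delay.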

The infection

This infection seems to be mostly targeted at outdated Joomla sites (running versions older than 1.5.25), but as it becomes more common the attackers may start to use it against any type of CMS. If you suspect your site may be compromised with it, you can verify it on SiteCheck, which is able to identify this type of issue.

You can also search your PHP code for an entry similar to the following, which adds the Refresh header (be aware that it might be encoded using base64 or hex):

$x0b="header"; $x0b("Refresh: 25; url=\"httx://bluehost-dz.com/bord\""); // "header" is called through a variable, so a plain grep for header( misses it
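Because the call goes through a variable and the strings may be base64- or hex-encoded, a grep for header("Refresh is not enough. The following is an added example (not Sucuri's code) of a scanner that looks for the Refresh string in the raw source and in every base64 run and PHP "\xNN" run that decodes, and reports the delay, target and which layer it was found in. The sample PHP fragments are constructed for the example from the snippet above and the domains listed in the post; they are not real infections, and the function names are this example's own.

```python
import base64
import re

# Injected Refresh string as shown in the post: delay, optional ";", url= and a
# target that may be wrapped in escaped quotes. Applied to decoded text too.
REFRESH_CALL_RE = re.compile(
    r'Refresh\s*:\s*(\d+)\s*;?\s*url\s*=\s*["\'\\]*([^"\'\\\s)]+)', re.I
)
# Candidate encoded payloads: long base64 runs and runs of PHP "\xNN" escapes.
B64_RE = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
HEX_RE = re.compile(r"(?:\\x[0-9A-Fa-f]{2}){4,}")


def php_hex(s):
    """Encode a string the way the hex-obfuscated PHP samples do ("\\x68\\x65...")."""
    return "".join("\\x%02x" % b for b in s.encode())


# Constructed PHP fragments covering the variants described in the post.
_PAYLOAD = 'header("Refresh: 25; url=\\"httx://bluehost-dz.com/bord\\"");'
SAMPLES = {
    "plain": "<?php " + _PAYLOAD,
    "variable_function": '<?php $x0b="header"; $x0b("Refresh: 25; url=\\"httx://bluehost-dz.com/bord\\"");',
    "base64": '<?php eval(base64_decode("%s"));' % base64.b64encode(_PAYLOAD.encode()).decode(),
    "hex": '<?php $h="%s"; $h("%s");'
    % (php_hex("header"), php_hex('Refresh: 25; url="httx://www.dodonet.biz"')),
    "clean": '<?php header("Content-Type: text/html; charset=utf-8"); echo "hello";',
}


def decoded_layers(src):
    """Yield (label, text) for the raw source plus every base64/hex chunk that decodes."""
    yield "plain", src
    for m in B64_RE.finditer(src):
        try:
            yield "base64", base64.b64decode(m.group(0), validate=True).decode("latin-1")
        except ValueError:  # binascii.Error is a ValueError: not real base64, skip it
            continue
    for m in HEX_RE.finditer(src):
        raw = bytes(int(h, 16) for h in re.findall(r"\\x([0-9A-Fa-f]{2})", m.group(0)))
        yield "hex", raw.decode("latin-1")


def find_refresh_injections(src):
    """Return [(delay_seconds, target_url, layer)] for each Refresh injection in a PHP file."""
    seen, hits = set(), []
    for layer, text in decoded_layers(src):
        for m in REFRESH_CALL_RE.finditer(text):
            key = (int(m.group(1)), m.group(2))
            if key not in seen:
                seen.add(key)
                hits.append((key[0], key[1], layer))
    return hits


if __name__ == "__main__":
    import sys

    # Usage: python scan_refresh.py file1.php file2.php ...
    for path in sys.argv[1:]:
        with open(path, encoding="latin-1") as f:
            for delay, url, layer in find_refresh_injections(f.read()):
                print("%s: Refresh %ds -> %s (%s)" % (path, delay, url, layer))
```

The scanner only decodes one layer, which is what the post describes; a payload that is base64 inside hex (or gzipped) will not be caught, so a decoded chunk that still looks like an encoded blob deserves a manual look.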

It also confuses many malware and security scanners, because most of them will not wait 20+ seconds to see whether the site gets redirected. That is probably the reason attackers are using it now.

If you have any question or comments, let us know.

Read more: Malware Redirection with a Delay

Story added 13 February 2013; the full text is available from the content source at the link above.