Reported this and the malcode pattern to virus AT avast dot com. The file viewer analysis was clear enough to detect the “If var1 Equals var2 Then Redirect!” pattern. Another one here: htxp://cs.gamegarant.by/upload.htm
Thanks for the extended analysis on WAR: http://websiteanalystsresource.wordpress.com/2013/01/16/if-var1-equals-var2-then-redirect/ (link article author !Donovan),
There more variants on the same theme, see comparison operators in PHP: http://www.developphp.com/view_lesson.php?v=207 (link author = Author: Adam Khoury ) and the malcode could also be combined with particular escape characters and through malicious spacing code…
Good you alerted us to that. Seems the JS/Redir variants have been with us since 2009. Those I reported in this thread appeared on VirusWatch Archives and then I just fed the uri’s to redleg’s fileviewer as I later reported to virus AT avast dot com. In a NoScript protected browser JS/Redir stands out because permission is asked to go to the conditional redirect site, which of course we should not allow. The redirect is spam click related malcode…