Pharmacy spreads the virus, rather than cure

by

It seems the summer holiday has cleared the way for spammers to spend more time focusing on what they do best…clogging our inboxes and trying to trick users and filters alike. Analysts in the Commtouch Lab recently found an interesting example that demonstrates the lengths to which spammers will go to trick us, and I must say…these guys really invested time and energy into hijacking a legitimate site and creatively redirecting users to their own sites.

What is a redirect? Quite simply, a user receives an email with a link inside. Mousing over the link shows a non-threatening URL that looks like it could be legitimate. Clicking it, however, lands the user on a page that is completely unrelated, and a glance at the address bar shows a URL totally different from the one they thought they had clicked. This usually means that a spammer has hijacked the legitimate site and added code that redirects visitors to the site the spammer really wants them to visit. Why hijack a legitimate site for this? In order to bypass spam filters.

In this case, we examined an email with a link that pointed to an educational Web site. Upon clicking, however, we found ourselves on a Web site built by…you guessed it…some guys with a Canadian pharmacy.

sample spam email

We dug a little deeper and found a most unique redirection method…typically there is a simple piece of code pointing the browser to the new site. Advanced URL filtering, like Commtouch’s own GlobalView URL Filtering, would recognize such a redirect and flag it as suspicious. But these guys had a lot of time on their hands and made their redirect incredibly difficult to find and figure out.

But we found it…and we figured it out.

It started with this code, hidden between pages hosted on a legitimate educator’s site:

Redirection script

After decoding the %XX characters we found this:

Decoded redirection script

It took some effort to decode the last line (starting with dF). But once we did, we found it’s a complex function that creates the redirection code and executes it.

The final decoded HTML looks like this:

Final decoded redirection script
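As an added example (not code from the post or from Commtouch), the following JavaScript shows how a filter can peel the %XX layers described above without executing anything, then look for the redirect in what remains. The sample it runs on is constructed here and uses plain nested %XX encoding; the post's dF function is not reproduced, so the URL `http://pharmacy.example/` and the two-layer wrapping are assumptions.

```javascript
// Tolerant %XX decoder: malformed sequences such as "%zz" are left untouched.
function decodePercent(s) {
  return s.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Decode repeatedly, since obfuscators often nest encodings; stop when a pass
// changes nothing or the depth cap is hit. Nothing is ever evaluated.
function peelLayers(s, maxDepth = 5) {
  const layers = [s];
  for (let i = 0; i < maxDepth; i++) {
    const next = decodePercent(layers[layers.length - 1]);
    if (next === layers[layers.length - 1]) break;
    layers.push(next);
  }
  return layers;
}

// Constructs a URL filter would flag on a page that has no business forwarding visitors.
const INDICATORS = {
  'meta-refresh':   /<meta[^>]+http-equiv\s*=\s*["']?refresh/i,
  'location-write': /(?:window|document|top|self)?\.?location(?:\.href)?\s*=(?!=)/i,
  'script-writer':  /document\.write\s*\(/i,
  'dynamic-eval':   /\b(?:eval|unescape)\s*\(/i,
};

function findIndicators(text) {
  return Object.keys(INDICATORS).filter((k) => INDICATORS[k].test(text));
}

// Destination URLs from meta refresh "url=" fields and location assignments.
function findDestinations(text) {
  const re = /(?:url\s*=\s*|location(?:\.href)?\s*=\s*["'])(https?:\/\/[^"'\s>;]+)/gi;
  return [...new Set([...text.matchAll(re)].map((m) => m[1]))];
}

function analyze(raw) {
  const layers = peelLayers(raw);
  const last = layers[layers.length - 1];
  return { depth: layers.length - 1, indicators: findIndicators(last),
           destinations: findDestinations(last) };
}

// Constructed sample (not the script from the post): a <meta refresh> redirect
// written by document.write, wrapped in two plain %XX layers.
const INNER = "<script>document.write('<meta http-equiv=\"refresh\" content=\"0;url=http://pharmacy.example/\">')</script>";
const pct = (s) => [...s].map((c) => '%' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
const SAMPLE = pct(pct(INNER));
console.log(JSON.stringify(analyze(SAMPLE)));
```

Because the analyzer only decodes and pattern-matches, it is safe to run over suspect page content and can be extended with a shift-decoding pass for obfuscators that alter character codes as well as percent-encoding them.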

All of that scripting and code produced a beautifully sneaky redirect to this site, which is infected with a nasty Trojan:

Canadian Pharmacy

Typically, these Canadian Pharmacy sites just send spam and sell Viagra…but this one included a virus to keep us all on our toes. I’m sort of impressed…this was quite a complicated scheme devised to sneak through spam filters, get into inboxes around the world and spread a nasty virus. Does anyone else see the irony in that?
