Published: 2012-06-21 by Daniel B. Cid
Yesterday we listed www.google.com as being used for .htaccess conditional redirections
on hacked sites. Google does no evil, so what happened?
We identified the source of the malware, which looks for certain user agents and IP addresses
and redirects to www.google.com if it comes from them or to the real malware if not.
This is the code:
So, if you are not familiar with PHP, what this code is doing is checking for the user agent of some bots (Googlebot, MSN, Bing, etc) and for a few IP addresses for bots and anti virus companies (Trend, Bitdefender, etc). If the requests are
coming from them, they ignore the connection and redirect to www.google.com.
That's why we were seeing www.google.com and listed it on our malware dump (already fixed).
For all the other users (the victims), the malware was contacting http://18.104.22.168/api.php?action=link to get the URL to redirect (generally in the .tk domain). Any questions, let us know.