Re: "Index Of" redirection malware attack?

[Malformation Guy <malformation () hotmail com>]

Oops, sorry for the horrible English.

I just re-read it.

-Malformation

From: malformation () hotmail com
To: full-disclosure () lists grok org uk
Date: Tue, 16 Dec 2008 16:41:23 +1030
Subject: [Full-disclosure] "Index Of" redirection malware attack?








Hello fellow FD,

I recently came across an interesting website redirecting and delivering malware and I'd like to ask a few questions

An "Index of" that checks your referrer to see if you've found the site through a Google search. The index.php script 
is made to look just like a real 'Index of', except...it is a PHP script. If you are, it redirects you to 
http://us-euro.biz/in.cgi?4&parameter=htac and that site serves you pop-ups and other spyware. Use refspoof and 
TamperData and check http://vtes.vega.id.au/%3Fp=67/wp-login.php/wp-includes/?p=67/wp-login.php/wp-includes

They're looking for any Google referrer like this: 
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=something&btnG=Search&meta=

Not only that, but http://site.com/? would use index.php and http://site.com would give index.html
Am I correct?

They're really crafty I reckon, and it's the first time I've seen where they've used a fake index of AND checked your 
referrer.
Can someone confirm my thoughts and theories here?

-Malformation

Find your ideal job with SEEK Time for change?
_________________________________________________________________
It's simple! Sell your car for just $40 at CarPoint.com.au
http://a.ninemsn.com.au/b.aspx?URL=http%3A%2F%2Fsecure%2Dau%2Eimrworldwide%2Ecom%2Fcgi%2Dbin%2Fa%2Fci%5F450304%2Fet%5F2%2Fcg%5F801459%2Fpi%5F1004813%2Fai%5F859641&_t=762955845&_r=tig_OCT07&_m=EXT

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/