Compromised Domains Redirect to Pharmacy Site
June 23, 2009
Lately we have been seeing a number of links from spam emails with the format:
http://Domain/<random word><number>/<random word>/<random word><number>.php
For example here are three of the URLs we have seen:
hxxp://fracek.how.pl/someone10/page/memory71.php
hxxp://eforemeklilik.com/mind91/very/saying100.php
hxxp://uamoney.hut2.ru/believe60/mark/decided4.php
We have seen around 350 domains used in this campaign over the last four days; presumably many of these are legitimate domains that have been compromised. The volume of this spam is very small compared to other large sources of spam.
The spam we have seen delivering these links is similar to the one below.

When we visit one of these URLs, the following JavaScript is sent back to the browser.

This JavaScript has been obfuscated to hide its purpose. Fortunately the obfuscation method is very simple, and it is easy to figure out what the script does.
The script has two separate parts. The first part, starting with 'document.write', decodes some encoded text and writes it to the current page. The second part calls a function named 'dF' and passes it some random-looking text.
When the first part is run it writes the following code to the current page:

So this is the dF function that the second part calls. It takes that random-looking text, decodes it and writes the result to the page.
After the second part runs, this is what is written to the page.

This causes the browser to be redirected to a pharmacy website. We have seen these spammed URLs redirecting the browser to a couple of different 'Canadian Healthcare' websites.
The whole reason for the obfuscation is to hide the 'location.replace("<pharmacy-URL>");' line. Why did the spammer bother, given that the user most probably knew they were clicking on an obvious spam link, and that most users never read the page source anyway? It was possibly done to prevent automated scanners from easily picking up the pharmacy URL and adding it to a blacklist.
Each of the domains appears to contain five PHP files in the directory that was in the spammed link.

On each domain, all of the file names except err404.php are different. In the screenshot above, the three files cases3.php, class44.php and example42.php are the ones that appear in spammed links; all of them send the browser the obfuscated JavaScript discussed above.
The file err404.php displays an HTTP 404 error message. The file since60php appears to have been mistakenly named without the dot before 'php', letting us view the PHP source. It is actually the server-side component of a very small proxy server. We are unsure what the attacker planned to do with these two files.
Last Reviewed: June 24, 2009 by Gavin Neale