[Full-disclosure] "Index Of" redirection malware attack?
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] "Index Of" redirection malware attack?
- From: Malformation Guy <malformation@xxxxxxxxxxx>
- Date: Tue, 16 Dec 2008 16:41:23 +1030
Hello fellow FD,
I recently came across an interesting website redirecting and delivering
malware and I'd like to ask a few questions.
An "Index of" that checks your referrer to see if you've found the site through
a Google search. The index.php script is made to look just like a real 'Index
of', except...it is a PHP script. If you are, it redirects you to
http://us-euro.biz/in.cgi?4&parameter=htac and that site serves you pop-ups and
other spyware. Use refspoof and TamperData and check
http://vtes.vega.id.au/%3Fp=67/wp-login.php/wp-includes/?p=67/wp-login.php/wp-includes
They're looking for any Google referrer like this:
http://www.google.com/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=something&btnG=Search&meta=
Not only that, but http://site.com/? would use index.php and http://site.com
would give index.html
Am I correct?
They're really crafty I reckon, and it's the first time I've seen where they've
used a fake index of AND checked your referrer.
Can someone confirm my thoughts and theories here?
-Malformation
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
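
One way to confirm the referrer check described in the post, as an added example that is not part of the original message: request the same URL with no Referer, a Google-search Referer and an unrelated Referer, without following redirects, and compare the responses. The function names, the `redirect.invalid` host and the stub server are assumptions made for this illustration.

```python
import hashlib
import urllib.error
import urllib.request

# Shortened form of the Google referrer quoted in the post, and a constructed non-search one.
GOOGLE_REF = "http://www.google.com/search?hl=en&q=something&btnG=Search"
OTHER_REF = "http://example.org/links.html"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None  # do not follow: the 3xx then surfaces as HTTPError


def http_fetch(url, referer=None, timeout=10):
    """Return (status, Location header, body) without following redirects."""
    headers = {"User-Agent": "Mozilla/5.0"}
    if referer:
        headers["Referer"] = referer
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(urllib.request.Request(url, headers=headers), timeout=timeout) as r:
            return r.status, r.headers.get("Location"), r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.headers.get("Location"), e.read()


def check_referer_cloaking(url, fetch=http_fetch):
    """Compare responses under different Referer values against a no-referrer baseline."""
    def probe(referer):
        status, location, body = fetch(url, referer)
        return status, location, hashlib.sha256(body).hexdigest()

    first, second = probe(None), probe(None)
    # If two identical requests already differ, the body is dynamic: compare status/Location only.
    width = 3 if first == second else 2
    seen = {"google": probe(GOOGLE_REF), "other": probe(OTHER_REF)}
    differing = sorted(n for n, v in seen.items() if v[:width] != first[:width])
    return {
        "differs_from_baseline": differing,
        "search_referrer_only": differing == ["google"],
        "redirect_target": seen["google"][1] if "google" in differing else None,
    }


def fake_fetch(url, referer=None):
    """Constructed stand-in for a cloaking server, so the check runs offline."""
    if referer and "google." in referer:
        return 302, "http://redirect.invalid/in.cgi", b""
    return 200, None, b"<h1>Index of /</h1>"
```

A result with `search_referrer_only` set means only the search-engine referrer changed the response; a redirect done in page script rather than by an HTTP 3xx shows up as a body difference with no `redirect_target`.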