How do I reproduce the problem myself using a virtual machine?
The Yandex antivirus detects infections that are difficult to reproduce manually. In such cases, you can see the malicious code in the browser by testing a “vulnerable” system set up on a virtual machine.
The system should be set up as follows:
- Windows XP operating system.
- Browsers (IE, Firefox, Chrome, Opera) with history and cookies disabled.
- Local proxy for viewing all HTTP connections.
It is advisable to install older versions of browsers, Java Runtime Environment, Acrobat Reader and Adobe Flash plug-ins.
After you set up the system, take a snapshot of the virtual machine. Now you can start testing:
- Open the site with different browsers.
- Visit the site from the search results and from the address bar.
- Connect to the site through an anonymizing proxy and directly.
- Try changing the User-Agent header from desktop to mobile.
After each viewing of the page, examine the page code and return to the snapshot.
You can spot malicious code on the website by:
- Foreign <iframe>, <script>, <object>, <embed>, <applet> elements in the page markup.
- Loading data from hosts in the .cc, .in, .cn, .pl domains or redirecting to such hosts. Also, suspicious requests to dynamic DNS services or directly to IP addresses.
- Domain names disguised as popular sites, for example google-analylics.com or yandes.ru.
- Obfuscated scripts.
- Scripts containing eval, unescape, document.write, document.URL, window.location, window.navigate calls.
- Redefined DOM elements.
- Code added to JS libraries.
- Added string operations (redefining, replacing substrings, shifting characters, concatenation).
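A small checker that runs the indicators from this list over a saved copy of a page's markup, written as an added example for this page rather than Yandex's own tooling; the dynamic-DNS suffixes, the list of commonly imitated hosts, the similarity threshold and the sample page are assumptions, and a hit means "look closer", not "infected":

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Indicators from the checklist above. The dynamic-DNS suffixes and the list of
# commonly imitated hosts are assumed examples, not part of the original page.
SUSPICIOUS_TLDS = {"cc", "in", "cn", "pl"}
DYNDNS_SUFFIXES = ("no-ip.org", "dyndns.org", "ddns.net")
KNOWN_HOSTS = ("google-analytics.com", "yandex.ru")
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "document.URL",
                    "window.location", "window.navigate(")
TAG_RE = re.compile(r"<(iframe|script|object|embed|applet)\b([^>]*)>", re.I)
SRC_RE = re.compile(r"""\b(?:src|data|codebase)\s*=\s*["']?([^"'\s>]+)""", re.I)
IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

def host_of(url):
    """Host of an absolute or protocol-relative URL; None for a relative path."""
    return urlparse(url).netloc.split(":")[0].lower() or None

def scan_page(html, site_host):
    """Return the indicators found in one saved copy of a page's markup."""
    findings = []
    for tag, attrs in TAG_RE.findall(html):
        match = SRC_RE.search(attrs)
        host = host_of(match.group(1)) if match else None
        if host is None or host == site_host:
            continue  # inline or same-origin element: not "foreign"
        findings.append(f"foreign <{tag.lower()}> from {host}")
        if IP_RE.match(host):
            findings.append(f"direct IP address: {host}")
        elif host.rsplit(".", 1)[-1] in SUSPICIOUS_TLDS:
            findings.append(f"suspicious TLD: {host}")
        if host.endswith(DYNDNS_SUFFIXES):
            findings.append(f"dynamic DNS host: {host}")
        for known in KNOWN_HOSTS:  # near-miss spelling of a well-known host
            if host != known and SequenceMatcher(None, host, known).ratio() > 0.85:
                findings.append(f"lookalike of {known}: {host}")
    for call in SUSPICIOUS_CALLS:
        if call in html:
            findings.append(f"suspicious call: {call}")
    return findings

# Constructed sample page: one legitimate local script plus several planted indicators.
SAMPLE_HTML = """<html><body>
<script src="/js/app.js"></script>
<script src="http://google-analylics.com/ga.js"></script>
<iframe src="//yandes.ru/frame.html" width="1" height="1"></iframe>
<object data="http://stats.update-host.cc/p.swf"></object>
<script>eval(unescape("%61%6c%65%72%74"))</script>
</body></html>"""
```

Calling scan_page(SAMPLE_HTML, "example.com") on the page captured after each viewing (and diffing the results against the clean snapshot's page) flags the lookalike script host, the hidden iframe, the .cc object and the eval/unescape pair while ignoring the same-origin script.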