How do I reproduce the problem myself using a virtual machine?

Yandex's antivirus may detect infections that are hard to reproduce by hand. In such cases you can observe the malicious code in the browser by testing the site from a deliberately “vulnerable” system set up on a virtual machine.

  1. The system should be set up as follows:

    • Windows XP operating system.

    • Browsers (IE, Firefox, Chrome, Opera) with history and cookies disabled.

    • Local proxy for viewing all HTTP connections.

    It is advisable to install older versions of browsers, Java Runtime Environment, Acrobat Reader and Adobe Flash plug-ins.

  2. After you set up the system, take a snapshot of the virtual machine. Now you can start testing:

    • Open the site with different browsers.

    • Visit the site from the search results and from the address bar.

    • Connect to the site through an anonymizing proxy and directly.

    • Try changing the User-Agent header from desktop to mobile.

    After each page view, examine the page code and revert to the snapshot.

  3. Signs of malicious code on the site include:

    • Extraneous <iframe>, <script>, <object>, <embed>, or <applet> elements in the page markup.

    • Loading data from hosts in the .cc, .in, .cn, or .pl domains, or redirects to such hosts; also suspicious requests to dynamic DNS services or directly to IP addresses.

    • Domain names disguised as those of popular sites, for example google-analylics.com or yandes.ru.

    • Obfuscated scripts.

    • Scripts containing the eval, unescape, document.write, document.URL, window.location, window.navigate calls.

    • Redefined DOM elements.

    • Code added to JS libraries.

    • Added string operations (redefining, replacing substrings, shifting characters, concatenation).
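The checks in step 3 can be applied mechanically to the page source saved from the local proxy after each viewing in step 2. The script below is an added example written for this help page, not a Yandex tool: it parses an HTML document, lists every iframe/script/object/embed/applet that loads from a foreign host, flags hosts in the .cc/.in/.cn/.pl zones or given as raw IP addresses, flags domains within two edits of a known popular domain (the small KNOWN_DOMAINS list is an assumption you would extend for your own site), and reports inline scripts that use the listed calls or contain long runs of escaped bytes. The sample HTML is constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SUSPICIOUS_TLDS = {"cc", "in", "cn", "pl"}
SUSPICIOUS_CALLS = ("eval(", "unescape(", "document.write(", "document.URL",
                    "window.location", "window.navigate(")
# Assumed allowlist of legitimate domains that attackers imitate; extend as needed.
KNOWN_DOMAINS = ("google-analytics.com", "yandex.ru")
IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Eight or more consecutive \xNN or %NN escapes is a crude obfuscation signal.
ESCAPE_RUN_RE = re.compile(r"(\\x[0-9a-fA-F]{2}){8,}|(%[0-9a-fA-F]{2}){8,}")


class _Collector(HTMLParser):
    """Collects embedding elements and inline script bodies from a page."""

    def __init__(self):
        super().__init__()
        self.elements = []   # (tag, src-or-data attribute)
        self.scripts = []    # text of inline <script> blocks
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script", "object", "embed", "applet"):
            a = dict(attrs)
            self.elements.append((tag, a.get("src") or a.get("data")))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands over <script> content verbatim (CDATA mode).
        if self._in_script and data.strip():
            self.scripts.append(data)


def _edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def host_findings(host):
    """Return the reasons a hostname looks suspicious (empty list if none)."""
    findings = []
    if IP_RE.match(host):
        findings.append("direct IP address")
    tld = host.rsplit(".", 1)[-1]
    if tld in SUSPICIOUS_TLDS:
        findings.append(f"suspicious TLD .{tld}")
    for known in KNOWN_DOMAINS:
        if host != known and _edit_distance(host, known) <= 2:
            findings.append(f"lookalike of {known}")
    return findings


def scan_html(html, site_host):
    """Return a list of human-readable findings for one saved page."""
    parser = _Collector()
    parser.feed(html)
    findings = []
    for tag, src in parser.elements:
        if not src:
            continue
        host = urlparse(src).hostname or ""
        if host and host != site_host:          # same-site, relative loads are expected
            findings.append(f"external <{tag}> loads from {host}")
            findings.extend(f"{host}: {f}" for f in host_findings(host))
    for body in parser.scripts:
        for call in SUSPICIOUS_CALLS:
            if call in body:
                findings.append(f"inline script uses {call.rstrip('(')}")
        if ESCAPE_RUN_RE.search(body):
            findings.append("inline script contains long escaped-byte run (possible obfuscation)")
    return findings


# Constructed sample: a page with one legitimate local script plus three of the
# indicators from the list above (lookalike host, hidden iframe to a raw IP,
# document.write of an unescaped blob).
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script src="http://google-analylics.com/ga.js"></script>
</head><body>
<p>Welcome</p>
<iframe src="http://203.0.113.7/ad.html" width="1" height="1"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D'));</script>
</body></html>"""

if __name__ == "__main__":
    for line in scan_html(SAMPLE_HTML, "example.com"):
        print(line)
```

Run it against each page saved from the proxy, passing your own site's hostname as `site_host`; an empty result for a clean snapshot and a non-empty one after a given browser or User-Agent visit points you straight at the conditional injection.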