According to Avast, the infection is a trojan javascript redirector that takes visitors through a series of infected sites to the final location in Russia, which is most likely a distribution centre for fake anti-virus.
The East European-based security vendor says that the malware was first reported to its research operation through the CommunityIQ system of sensors. After receiving the initial report on August 5 at 20.53 CET, the research division confirmed the infection and flagged the site to Avast's IT security software users.
Alena Varkockova, an Avast virus lab expert, said that the script on the Superglue.com site creates a URL (hXXp://cameoprincess.com/index.php?go=lastnews&rf=) and then creates a script tag along with it that activates the code on that URL.
“The ‘cameoprincess’ page contains a javascript code, which redirects the visitor to ‘hXXp://papucky.eu/ext/’ which then redirects the visitor to ‘http://adeportes.es/images/info/js/js.php’ and then on to ‘hXXp://labource.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34’”, she said.
“This last address seems to be the page that contained the payload – and it is turned off for now. By using a combination of redirectors, it’s statistically difficult to uncover the precise payload”, she added, noting that the likely candidate is some sort of fake anti-virus.
Whilst injected javascript downloaders or redirectors are fairly common, the specific AVF trojan at the Superglue website is not and is not in the top 50 malware rankings, although has already been reported in more than 500 sites, she explained.
Avast says it has advised Super Glue Corp. of the problem – by email and phone – about the malware. However, the firm notes, as is usual with most companies, contact details on their site are designed for customers and not for reporting security issues.