Avast WEBforum

Other => Viruses and worms => Topic started by: MarkJohnson on May 28, 2016, 02:42:48 AM

Title: Vicious website.
Post by: MarkJohnson on May 28, 2016, 02:42:48 AM
Yesterday, I was going to jonnyguru to check some power supply reviews and accidentally typed johnnyguru.com and was greeted with malware ads. 

I quickly exited Chrome and then tried the Avast Safezone browser with the same results.

All seemed fine, but today Chrome won't open at all.  I then ran Avast with no reports of anything bad.  I decided to download Malwarebytes Anti-Malware and it found over 300 PUPs.  I then wondered about Avast not finding them and quickly found it wasn't enabled in settings.  After enabling it, rebooting and rescanning, it found no issues.

So, I'm reporting johnnyguru.com is a bad site and seems to install malware automatically.  I'm not sure what you guys can do about it.  But I thought I'd bring up my experience.
Title: Re: Vicious website.
Post by: Eddy on May 28, 2016, 08:26:49 AM
I've reported the site to avast.
Someone from them will soon have a look at it.

I suggest you follow these instructions to have a good system check:
https://forum.avast.com/index.php?topic=53253.0
Title: Re: Vicious website.
Post by: HonzaZ on May 28, 2016, 12:17:08 PM
I couldn't find anything malicious...
If the ads are installing anything without the user's consent, I will be happy to block them :)
Do you have scanning for PUPs enabled in Avast?
Title: Re: Vicious website.
Post by: polonus on May 28, 2016, 02:20:05 PM
We see conditional redirect: GoogleBot returned code 302 to -http://ww38.johnnyguru.com/
Google Chrome returned code 302 to -http://ww38.johnnyguru.com/

Consider: https://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Fww38.johnnyguru.com%2F&ref_sel=GSP2&ua_sel=ff&fs=1

The iFrame in the code has been blocked as hxxp://quickdomainfwd.com/?dn=johnnyguru.com&pid=9PO755G95
an ad- and tracking service that we like to block with any adblocker: hxxp://quickdomainfwd.com

Detected jQuery code: -http://ww38.johnnyguru.com
Detected libraries:
jquery - 2.1.4 : -http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
1 vulnerable library detected -> http://www.domxssscanner.com/scan?url=http%3A%2F%2Fd32ffatx74qnju.cloudfront.net%2Fscripts%2Fjquery-2.1.4.min.js

And what do we detect there:
Code:
script
     info: [decodingLevel=0] found JavaScript
     error: line:3: SyntaxError: missing ) in parenthetical: *
          error: line:3: t?(n=g,o=g.documentElement,e=g.defaultView,e&&e!==e.top&&(e.addEventListener?e.addEventListener("unload",ea,!1):e.attachEvent&&e.attachEvent("onunload",ea)),p=!f(g),c.attributes=ja(function(a){return a.className="i",!a.getAttribute("className")}),c.ge
          error: line:3: ...........................................................^
* Output of the server is invalid, caused by a typo in string concatenation, often this is a missing + (info credits StackOverflow's przemo_li).
May reveal innerHTML ....localhost:/js, or the odd one out: localhost/js will kick up errors.

This is adding to the insecurity: https://sritest.io/#report/93efec09-14ed-4638-bc7d-5bddbc9f3ed3 : <script src="http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js"></script>    Missing SRI hash

polonus (volunteer website security analyst and website error-hunter)
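As an added example (not from polonus's scan or from any of the tools linked above), here is a small Python check for the last finding: it computes the SRI integrity value for a script body, verifies a body against an existing integrity attribute, and flags third-party script tags that lack one or load over plain http. The HTML fragment is constructed and the site origin is a placeholder.

```python
import base64
import hashlib
import re

# Constructed sample markup modelled on the finding in the post; not the real site's HTML.
SAMPLE_HTML = """
<script src="http://d32ffatx74qnju.cloudfront.net/scripts/jquery-2.1.4.min.js"></script>
<script src="/js/app.js"></script>
<script src="https://cdn.example.invalid/lib.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')
SRI_ALGOS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value (algo-base64digest) for a script body."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def integrity_matches(integrity: str, content: bytes) -> bool:
    """Check a fetched script body against the first token of an integrity attribute."""
    token = integrity.split()[0]
    algo = token.partition("-")[0]
    if algo not in SRI_ALGOS:
        return False  # browsers ignore unknown algorithms; treat that as no protection
    return sri_hash(content, algo) == token


def find_unprotected_scripts(html: str, own_origin: str) -> list:
    """List (src, problems) for cross-origin scripts without SRI or served over plain http."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(m.group(1))}
        src = attrs.get("src")
        if not src or src.startswith("/") or src.startswith(own_origin):
            continue  # same-origin script: SRI is optional there
        problems = []
        if "integrity" not in attrs:
            problems.append("missing SRI hash")
        if src.lower().startswith("http://"):
            problems.append("loaded over plain http")
        if problems:
            findings.append((src, problems))
    return findings
```

Running `find_unprotected_scripts(SAMPLE_HTML, "https://shop.example.invalid")` reports only the cloudfront jQuery tag, with both problems.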