Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: tfjoint on April 18, 2012, 08:09:12 PM

Title: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:09:12 PM
Hi,

I use Avast 7 Free updated with the most recent virus definitions.

Today I surfed to an infected site and, although Avast notified me the URL was infected and, in theory, blocked it, my machine was infected. As an IT guy, I could clean it up by deleting some files. Then I surfed to the same website again and, again, Avast told me the URL was infected and blocked the access, but even so, I was infected again.

It's some kind of Windows 7 virus that updates MSConfig to start when you reboot.

So I cleaned up my system again.

I'd like to know why this happened; if Avast blocked the URL, why was my machine infected?

The site in question is the one below (I've separated it with spaces to avoid clicking); be careful, it's infected.

http : // www . phabrica . com . br

What do I need to really have protection?

Thanks !
Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 08:16:39 PM
What do I need to really have protection?

Use a script blocker in your browser. (E.g.: FF with NoScript)
http://sitecheck.sucuri.net/results/www.phabrica.com.br
http://zulu.zscaler.com/submission/show/baca0aae3e119f8b51497e6fc074c7ce-1334772700 -> See domain history..!!! ::)
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:17:58 PM
This means I can't trust Avast's Web Shield?
Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 08:22:55 PM
This means I can't trust Avast's Web Shield?

Sure you can trust the WS, a script blocker wouldn't hurt as another layer of protection though. ;)
Title: Re: URL protection not working ?
Post by: Pondus on April 18, 2012, 08:25:39 PM
VirusTotal
https://www.virustotal.com/file/c0fad58cefa61c45fa67338af82f124d6128193ecee03dbcb3796924f0705209/analysis/1334773276/


Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:26:23 PM
This means I can't trust Avast's Web Shield?

Sure you can trust the WS, a script blocker wouldn't hurt as another layer of protection though. ;)

If I can trust the WS, why was I infected twice even with the shield active? :)

Title: Re: URL protection not working ?
Post by: Pondus on April 18, 2012, 08:32:15 PM
what detected the infection?
what was the malware name?
where was it found?
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:35:22 PM
Here is the shield log :

URL : http: // www . phabrica . com . br/wp-content/themes/Phabrica/js/superfish.js|>{gzip}
Severity : High
Status : Threat:JS:Redirector-Om[Trj]
Action : Blocked

I'm surfing to the site again with a virtual machine running Windows XP. If I navigate to the site on my original machine (Windows 7 Pro), I will be infected again; I've tested twice and twice I was infected.
Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 08:36:09 PM
If I can trust the WS, why was I infected twice even with the shield active? :)

What are your settings in WS..??
If it blocks the connection, there should be no infection.
Title: Re: URL protection not working ?
Post by: Pondus on April 18, 2012, 08:38:15 PM
so are you saying that first avast web shield detects and blocks... then avast detects another file when scanning?



OBS, and break the link above so it is not clickable
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:41:46 PM
so are you saying that first avast web shield detects and blocks... then avast detects another file when scanning?

Avast blocks, but somehow I get infected anyway. Maybe Avast is blocking one link but letting another pass; I'm not sure what happens.

What I'm sure of is that I've tried twice to navigate to this site, and twice I got infected. I can tell because the virus put some .exe files in my c:\programdata and edited MSConfig to run itself when I restart. It even blocked Taskman and deleted all my shortcuts. It seems to be a Win7-specific infection.

As an IT guy, I could restore everything, and I tried again to navigate to this site, and again I was infected.

I would try again, but every time it infects my computer, I lose a lot of time cleaning things up.

Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:42:19 PM
If I can trust the WS, why was I infected twice even with the shield active? :)

What are your settings in WS..??
If it blocks the connection, there should be no infection.

I have default actions, have not edited anything.
Title: Re: URL protection not working ?
Post by: Pondus on April 18, 2012, 08:46:39 PM
Quote
I can tell because the virus put some .exe files in my c:\programdata
can you upload this .exe file(s) to  www.virustotal.com   and post the scan link here when you have the result  (if scanned before click rescan)
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:49:10 PM
Quote
I can tell because the virus put some .exe files in my c:\programdata
can you upload this .exe file(s) to  www.virustotal.com   and post the scan link here when you have the result  (if scanned before click rescan)

I can't, because I've deleted the file; to get it again, I'd have to get infected again...

Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 08:49:17 PM
I have default actions, have not edited anything.

- Which avast!..?? (Free/Pro/IS)
- Which version..??
- OS..?? (32/64 Bit..? - which SP..?)
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 08:52:15 PM
I have default actions, have not edited anything.

- Which avast!..?? (Free/Pro/IS)
- Which version..??
- OS..?? (32/64 Bit..? - which SP..?)

Avast 7.0.1426 Free
Windows 7 Pro 64bit
Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 08:55:44 PM
I have default actions, have not edited anything.

- Which avast!..?? (Free/Pro/IS)
- Which version..??
- OS..?? (32/64 Bit..? - which SP..?)

Avast 7.0.1426 Free
Windows 7 Pro 64bit

OK, thanks. I'll try to get someone from the viruslab to take a look at this thread.

Edit: Outdated Java.
Title: Re: URL protection not working ?
Post by: Pondus on April 18, 2012, 08:57:00 PM
well, this is what wepawet says
http://wepawet.iseclab.org/view.php?hash=9e8b06dbe3a981b01e494e2950aa2d60&t=1334773515&type=js


Text Form of Oracle Java SE Critical Patch Update - February 2012 Risk Matrices
http://www.oracle.com/technetwork/topics/security/javacpufeb2012verbose-366319.html

Quote
CVE-2012-0507

   Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Note: Applies to client deployments of Java. This vulnerability can be exploited only through Untrusted Java Web Start applications and Untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.).

CVSS Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P). (legend) [Advisory]

ESET Threat Blog - Blackhole, CVE-2012-0507 and Carberp
http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp



so is your java updated ?
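
Added example (not part of any forum post, and not Avast or Oracle code): a check of a `java -version` string against the affected ranges in the CVE-2012-0507 advisory text quoted above. The sample output is constructed, and "newer-than-affected" only means newer than the last affected update named in that quote.

```python
import re

# Last affected update per Java family, from the advisory text quoted above:
# "7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before".
LAST_AFFECTED_UPDATE = {7: 2, 6: 30, 5: 33}

# Legacy Java version strings look like 1.<family>.<minor>[_<update>], e.g. 1.6.0_30
VERSION_RE = re.compile(r"\b1\.(\d+)\.\d+(?:_(\d+))?")

# Constructed sample of `java -version` output (not taken from the thread).
SAMPLE_OUTPUT = '''java version "1.6.0_30"
Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
'''


def parse_java_version(text):
    """Return (family, update) from a version string, or None if not recognised."""
    match = VERSION_RE.search(text)
    if match is None:
        return None
    # A missing "_NN" suffix means the initial release, i.e. update 0.
    return int(match.group(1)), int(match.group(2) or 0)


def cve_2012_0507_status(text):
    """Classify a Java version against the ranges named in the quoted advisory."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unknown"
    family, update = parsed
    last_affected = LAST_AFFECTED_UPDATE.get(family)
    if last_affected is None:
        return "not-listed"  # family not named in the quote; check vendor advisories
    return "affected" if update <= last_affected else "newer-than-affected"


def audit(version_outputs):
    """Map each reported version string to its status, for several installed JREs."""
    return {v: cve_2012_0507_status(v) for v in version_outputs}


if __name__ == "__main__":
    print(cve_2012_0507_status(SAMPLE_OUTPUT))
    for version, status in audit(["1.7.0_02", "1.7.0_03", "1.5.0_22", "1.4.2_19"]).items():
        print(version, status)
```
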



Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 09:07:20 PM
Does the PRO version have a better web shield, or if I was infected with Free, would I be with Pro as well?
Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 09:09:30 PM
Does the PRO version have a better web shield, or if I was infected with Free, would I be with Pro as well?

WS is the same in all products.
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 09:15:05 PM
well, this is what wepawet says
http://wepawet.iseclab.org/view.php?hash=9e8b06dbe3a981b01e494e2950aa2d60&t=1334773515&type=js


Text Form of Oracle Java SE Critical Patch Update - February 2012 Risk Matrices
http://www.oracle.com/technetwork/topics/security/javacpufeb2012verbose-366319.html

Quote
CVE-2012-0507

   Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Note: Applies to client deployments of Java. This vulnerability can be exploited only through Untrusted Java Web Start applications and Untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.).

CVSS Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P). (legend) [Advisory]

ESET Threat Blog - Blackhole, CVE-2012-0507 and Carberp
http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp



so is your java updated ?

No, my Java was not really updated. I've just updated it; maybe this is the cause of the infection?

Title: Re: URL protection not working ?
Post by: Pondus on April 18, 2012, 09:22:18 PM
well it is a java exploit...so when you patch/update the exploit won't work, even if not detected.....so updating gives you extra protection   ;)
there are lots of smart people out there that turn off windows update  ::)

check with secunia online scan to see if you have more that need updating    http://secunia.com/products/consumer/osi/online/
Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 09:24:58 PM
No, my Java was not really updated.

 :o ::)
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 09:28:43 PM
well it is a java exploit...so when you patch/update the exploit won't work, even if not detected.....so updating gives you extra protection   ;)
there are lots of smart people out there that turn off windows update  ::)

check with secunia online scan to see if you have more that need updating    http://secunia.com/products/consumer/osi/online/

To make sure the problem was the outdated Java, I would have to navigate to the site again... but I'm tired of cleaning up the virus, so I won't do it for now...
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 09:54:12 PM
well it is a java exploit...so when you patch/update the exploit won't work, even if not detected.....so updating gives you extra protection   ;)
there are lots of smart people out there that turn off windows update  ::)

check with secunia online scan to see if you have more that need updating    http://secunia.com/products/consumer/osi/online/

To make sure the problem was the outdated Java, I would have to navigate to the site again... but I'm tired of cleaning up the virus, so I won't do it for now...

Ok, I could not help my curiosity, so I navigated to the site.

And BINGO, I'm not infected anymore after updating Java. It seems this was the cause of the problem.

I will do more tests.

Thanks for the information!

I'm a software developer and for years I ran away from anti-virus because they always slow down the computer. Unfortunately it seems that nowadays it is impossible to live without one, so last month I started to use Avast.

Title: Re: URL protection not working ?
Post by: Asyn on April 18, 2012, 09:59:19 PM
well it is a java exploit...so when you patch/update the exploit won't work, even if not detected.....so updating gives you extra protection   ;)
there are lots of smart people out there that turn off windows update  ::)

check with secunia online scan to see if you have more that need updating    http://secunia.com/products/consumer/osi/online/

To make sure the problem was the outdated Java, I would have to navigate to the site again... but I'm tired of cleaning up the virus, so I won't do it for now...

Ok, I could not help my curiosity, so I navigated to the site.

And BINGO, I'm not infected anymore after updating Java. It seems this was the cause of the problem.

I will do more tests.

Thanks for the information!

I'm a software developer and for years I ran away from anti-virus because they always slow down the computer. Unfortunately it seems that nowadays it is impossible to live without one, so last month I started to use Avast.

It's vital to keep your OS and other software updated...!!!!!!! ;)
Else no AV can protect you. :P
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 10:01:32 PM
well it is a java exploit...so when you patch/update the exploit won't work, even if not detected.....so updating gives you extra protection   ;)
there are lots of smart people out there that turn off windows update  ::)

check with secunia online scan to see if you have more that need updating    http://secunia.com/products/consumer/osi/online/

To make sure the problem was the outdated Java, I would have to navigate to the site again... but I'm tired of cleaning up the virus, so I won't do it for now...

Ok, I could not help my curiosity, so I navigated to the site.

And BINGO, I'm not infected anymore after updating Java. It seems this was the cause of the problem.

I will do more tests.

Thanks for the information!

I'm a software developer and for years I ran away from anti-virus because they always slow down the computer. Unfortunately it seems that nowadays it is impossible to live without one, so last month I started to use Avast.

It's vital to keep your OS and other software updated...!!!!!!! ;)
Else no AV can protect you. :P

Yep, I know, I do a Windows Update every day. Somehow my Java Update was turned off, don't know why.
Title: Re: URL protection not working ?
Post by: polonus on April 18, 2012, 10:47:57 PM
Here avast Web Shield is flagging JS:Redirector-OM[Trj]

wXw.phabrica.com.br/wp-content/themes/Phabrica/epanel/shortcodes/js/frontend.js?ver=1.6 benign
[nothing detected] (script) wXw.phabrica.com.br/wp-content/themes/Phabrica/epanel/shortcodes/js/frontend.js?ver=1.6
     status: (referer=wXw.phabrica.com.br/wp-content/themes/Phabrica/js/superfish.js|)saved 9793 bytes 02a654b972e328d7d71dacd9dfc85505ee154e6c
     info: [decodingLevel=0] found JavaScript
     suspicious but I see a HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8  according to http://urlquery.net/report.php?id=44009
But here we see it all: http://sitecheck.sucuri.net/results/http://www.phabrica.com.br
malware found on javascript : http://sucuri.net/malware/malware-entry-mwjs69693  various instances
and hidden iframes various instances: http://sucuri.net/malware/entry/MW:IFRAME:HD202
and javascript included from a blacklisted domain: http://sucuri.net/malware/entry/MW:BLK:2

So malware galore and site probably hacked via PHP plug-in/theme,

polonus
Title: Re: URL protection not working ?
Post by: tfjoint on April 18, 2012, 11:35:28 PM
Here avast Web Shield is flagging JS:Redirector-OM[Trj]

wXw.phabrica.com.br/wp-content/themes/Phabrica/epanel/shortcodes/js/frontend.js?ver=1.6 benign
[nothing detected] (script) wXw.phabrica.com.br/wp-content/themes/Phabrica/epanel/shortcodes/js/frontend.js?ver=1.6
     status: (referer=wXw.phabrica.com.br/wp-content/themes/Phabrica/js/superfish.js|)saved 9793 bytes 02a654b972e328d7d71dacd9dfc85505ee154e6c
     info: [decodingLevel=0] found JavaScript
     suspicious but I see a HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8  according to http://urlquery.net/report.php?id=44009
But here we see it all: http://sitecheck.sucuri.net/results/http://www.phabrica.com.br
malware found on javascript : http://sucuri.net/malware/malware-entry-mwjs69693  various instances
and hidden iframes various instances: http://sucuri.net/malware/entry/MW:IFRAME:HD202
and javascript included from a blacklisted domain: http://sucuri.net/malware/entry/MW:BLK:2

So malware galore and site probably hacked via PHP plug-in/theme,

polonus

Thank you for the info; after updating Java I'm no longer being infected by this site.