Author Topic: Is JS:Trojan.Script.AAR on this site detected?  (Read 5714 times)


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
« Last Edit: November 30, 2012, 10:03:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #1 on: November 30, 2012, 10:12:31 PM »
The threat is in this list of what is being blocked by ExploitShield 0.7:
http://www.zerovulnerabilitylabs.com/webconsole/lv.php
Re: on this request from that URL: htxp://dimarikanko.ru:8080/forum/links/column.php
Read: http://blog.dynamoo.com/2012/11/wire-transfer-spam-dimarikankoru.html (post link author = Conrad Longmore)
Now redirected to: htxp://podarunoki.ru:8080/forum/links/column.php
Site blacklisted at ws.surbl.org (sa-blacklist web sites); consider for this:
http://wepawet.iseclab.org/view.php?hash=c84606715f3df702cd706d51fd82d780&t=1354312824&type=js

polonus
« Last Edit: November 30, 2012, 11:01:28 PM by polonus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #2 on: November 30, 2012, 11:23:56 PM »
Hi Polonus,

I get:
HTTP/1.1 200 OK
Date: Fri, 30 Nov 2012 22:09:16 GMT
Server: Apache/2.2.3 (Red Hat)
Last-Modified: Fri, 30 Nov 2012 21:56:41 GMT
ETag: "3c80d6-1a6-797f5840"
Accept-Ranges: bytes
Content-Length: 422
Vary: Accept-Encoding
Connection: close
Content-Type: text/html

See the image attached. It's a pretty simple JavaScript redirect, no obfuscation or any of those sorts. There is also no use of HTML's meta refresh tag, so disabling JavaScript for that website will prevent the redirect. Since the redirected file is .php, you have the ability to check the referrer and return different content based upon that knowledge. For example, accessing the site directly redirects you to Google whilst the defined 'exploit sites' will be validated and the exploit code will be executed.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."
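The redirect !Donovan describes above is worth being able to recognise automatically: a plain `location` assignment inside a `<script>` block and no `<meta http-equiv="refresh">` fallback, which is exactly why a script-blocking client never leaves the page. The scanner below is an added example (not code from this thread or from any of the tools named in it) that parses a page's HTML, reports whether it contains a JavaScript redirect and/or a meta refresh, extracts the redirect targets, and derives whether disabling JavaScript alone would stop the redirect. The sample page is constructed to mirror the description in the thread; the target hostname in it is a placeholder, not the real one.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the thread's description: a "please wait"
# page with a bare JavaScript redirect and no meta refresh. Not the real file.
SAMPLE_HTML = """<html><head><title>Please wait</title></head>
<body>Please wait a moment ... You will be forwarded...<br>
Internet Explorer / Mozilla Firefox compatible only
<script type="text/javascript">
window.location = "http://redirect-target.example/forum/links/column.php";
</script>
</body></html>"""

# Common JavaScript redirect idioms: location = ..., location.href = ...,
# location.replace(...), location.assign(...), with optional window./top./self.
JS_REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.|self\.)?location"
    r"(?:\.href\s*=|\.replace\s*\(|\.assign\s*\(|\s*=)",
    re.IGNORECASE,
)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.IGNORECASE)


class RedirectScanner(HTMLParser):
    """Collects <script> bodies and <meta http-equiv="refresh"> contents."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self.meta_refresh = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names for us
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            self.meta_refresh.append(a.get("content") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        # Script content arrives as raw data because HTMLParser treats
        # <script> as CDATA; append it to the current script block.
        if self.in_script and self.scripts:
            self.scripts[-1] += data


def scan_html(html):
    """Return a dict describing the redirect behaviour found in `html`."""
    p = RedirectScanner()
    p.feed(html)
    p.close()
    js_redirects = [s for s in p.scripts if JS_REDIRECT_RE.search(s)]
    targets = sorted({u for s in js_redirects for u in URL_RE.findall(s)})
    return {
        "js_redirect": bool(js_redirects),
        "meta_refresh": bool(p.meta_refresh),
        "targets": targets,
        # No meta refresh means a client that does not execute scripts
        # (NoScript, JavaScript disabled) simply stays on the landing page.
        "blocked_by_disabling_js": bool(js_redirects) and not p.meta_refresh,
    }


if __name__ == "__main__":
    for key, value in scan_html(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

The referrer-dependent second stage !Donovan mentions is not visible in the HTML at all; to observe it you would have to fetch the `.php` target twice, once with and once without the `Referer` header, and compare the bodies. That is a sandbox job (the wepawet and urlquery links in this thread do exactly that), which is why the scanner above deliberately limits itself to static analysis of the landing page.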

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #3 on: November 30, 2012, 11:29:40 PM »
Hi !Donovan,

Thanks for the analysis of the workings of this malcode redirect, dangerous through the sheer simplicity of it...

pol


Offline Dim@rik

  • Advanced Poster
  • **
  • Posts: 670

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #6 on: December 01, 2012, 05:00:52 PM »
Hi Dim@rik,

You are right considering these scan results: http://vscan.urlvoid.com/analysis/0bb5e8bb9d37d66cd88bffb7123bd8f6/aW5mb3JtLWh0bQ==/
Missed here: http://quttera.com/detailed_report/cooltech.sh.cn
DrWeb's doing a far better job here: http://zulu.zscaler.com/submission/show/6ff1084e23dfb6e6cd6a8111ef8fabb1-1354376569
Found us here: http://page2rss.com/0c669301342daa7531783b3e1be8979b/6271619_6271863/issues
9.55 min.    htxp://cooltech.sh.cn/inform.htm
Checking: http://cooltech.sh.cn/inform.htm
DrWeb's URL checker:
Engine version:7.0.4.9250
Total virus-finding records:3425145
File size:422 bytes
File MD5:0bb5e8bb9d37d66cd88bffb7123bd8f6

htxp://cooltech.sh.cn/inform.htm - archive JS-HTML
>htxp://cooltech.sh.cn/inform.htm/JSTAG_1[11b][6e] infected with JS.Redirector.155
Given as suspicious here: http://zulu.zscaler.com/submission/show/6ff1084e23dfb6e6cd6a8111ef8fabb1-1354376569
Going there, the redirect is being blocked by NoScript: "Please wait a moment ... You will be forwarded...
Internet Explorer / Mozilla Firefox compatible only"
In the second instance the avast Networkshield will then alert to:
htxp://podarunoki.ru:8080/forum/links/column.php
And if we were to go there, the avast Networkshield would block this URL as URL:Mal.
See: http://urlquery.net/queued.php?id=4049412
IDS alert for ET CURRENT_EVENTS Blackhole 2 Landing Page (5)

polonus

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #7 on: December 01, 2012, 05:12:12 PM »
The malicious payload is at [donotclick]podarunoki.ru:8080/forum/links/column.php, hosted on some familiar IP addresses which should be blocked if you can (spamvertising botnet activity):

202.180.221.186 (GNet, Mongolia)
203.80.16.81 (MYREN, Malaysia)
see: http://www.mywot.com/en/scorecard/203.80.16.81/comment-48798241

The following domains are also on the same servers:
gurmanikia dot ru
ganiopatia dot ru
ganalionomka dot ru
genevaonline dot ru
podarunoki dot ru
binaminatori dot ru
ganadeion dot ru
dimarikanko dot ru
delemiator dot ru
as reported by Conrad Longmore on Dynamoo's Blog:
a variation on fake NACHA spam and other similar spam runs...
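Indicators in this thread are written defanged in several different ways (htxp:// and htzp:// schemes, a [donotclick] prefix, "dot ru" domains, bare IP addresses), which is awkward for anyone who wants to turn the lists in replies #6 and #7 into an actual blocklist. The code below is an added example, not something posted in the thread or part of any avast or Dynamoo tooling: it refangs each notation back to a canonical form, extracts the host, and checks candidate URLs against the resulting set, matching parent domains for hostnames and exact addresses only for IPs. The indicators used are the ones quoted in this thread; the URLs tested against them are constructed.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Indicators exactly as they appear (defanged) in this thread.
THREAD_INDICATORS = [
    "htxp://podarunoki.ru:8080/forum/links/column.php",
    "htzp://podarunoki.ru:8080/forum/links/column.php",
    "[donotclick]podarunoki.ru:8080/forum/links/column.php",
    "dimarikanko dot ru",
    "gurmanikia dot ru",
    "ganiopatia dot ru",
    "202.180.221.186",
    "203.80.16.81",
]


def refang(ioc):
    """Undo the common defanging conventions so the indicator can be parsed."""
    s = ioc.strip()
    s = re.sub(r"^\[donotclick\]", "", s, flags=re.IGNORECASE)
    # htxp://, htzp://, hxxp://, hxxps:// and friends -> http:// or https://
    s = re.sub(r"^h[a-z]{2}p(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    s = re.sub(r"\s+dot\s+", ".", s, flags=re.IGNORECASE)   # "example dot ru"
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)             # example[.]ru
    return s


def host_of(s):
    """Hostname (lower-case, port stripped) of a URL or bare host string."""
    if "://" not in s:
        s = "http://" + s  # urlsplit needs a scheme to populate netloc
    return urlsplit(s).hostname


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def build_blocklist(indicators):
    """Set of canonical hosts/IPs derived from a list of defanged indicators."""
    hosts = {host_of(refang(i)) for i in indicators}
    hosts.discard(None)
    return hosts


def is_blocked(url, blocklist):
    """Return (blocked, matched_entry) for a URL or host, defanged or not."""
    host = host_of(refang(url))
    if host is None:
        return (False, None)
    if is_ip(host):
        # IP addresses match exactly; no "walking up" through octets.
        return (True, host) if host in blocklist else (False, None)
    labels = host.split(".")
    # www.podarunoki.ru -> podarunoki.ru -> ru: block if any parent is listed.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return (True, candidate)
    return (False, None)


if __name__ == "__main__":
    bl = build_blocklist(THREAD_INDICATORS)
    print("blocklist:", sorted(bl))
    for u in ("http://www.podarunoki.ru/forum/links/column.php",
              "http://203.80.16.81:8080/x",
              "http://example.org/inform.htm"):          # constructed test URLs
        print(u, "->", is_blocked(u, bl))
```

The walk stops one label short of the TLD so that a bare "ru" can never end up matching; if you feed this a blocklist that legitimately contains a registrable two-label domain, that is still honoured because the loop reaches `len(labels) - 2`.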

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 35857
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #10 on: December 01, 2012, 10:30:27 PM »
Another one, to show that this is a real campaign:
Checking: htxp://sleep360.cn/inform.htm
Engine version:7.0.4.9250
Total virus-finding records:3425215
File size:422 bytes
File MD5:0bb5e8bb9d37d66cd88bffb7123bd8f6

htxp://sleep360.cn/inform.htm - archive JS-HTML
>htxp://sleep360.cn/inform.htm/JSTAG_1[11b][6e] infected with JS.Redirector.155

NoScript stops it like this:
Please wait a moment ... You will be forwarded...
Internet Explorer / Mozilla Firefox compatible only

htzp://podarunoki.ru:8080/forum/links/column.php
With only wepawet flagging this, see:
https://www.virustotal.com/url/78e8957d03b369b76ca32897d5bf5f23187ad606a4f8abc8cfc3ee22d3b21ad1/analysis/1354397371/

polonus

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31545
  • malware fighter
Re: Is JS:Trojan.Script.AAR on this site detected?
« Reply #11 on: December 01, 2012, 11:01:59 PM »
Recent detection rates stand at 10 out of 45 and 8 out of 33

http://www.virustotal.com/latest-report.html?resource=0bb5e8bb9d37d66cd88bffb7123bd8f6
https://www.virustotal.com/file/a7cfba9dbfd214604c071102b867a605ee0e633930007f8af8199db2a7169570/analysis/
https://www.virustotal.com/file/06cf22f2e474d1a140808d8f14931c0914b5307fb0162d04f86845e95f54c085/analysis/
Malware campaign started 2012-12-01 02:31:02
Google Safebrowsing blocks this malware from:
htxp://recyclingthewind.com/inform.htm
htxp://www.prostyle.com.tw/inform.htm
and
htxp://www.camelieantiche.com/inform.htm

polonus
