Author Topic: "Scriptaculous" Threat Detected  (Read 4504 times)

Offline Ken37

  • Newbie
  • *
  • Posts: 4
"Scriptaculous" Threat Detected
« on: December 08, 2014, 08:30:10 PM »
Whenever I try to access www.caskers.com, a retail liquor site from which I have ordered many times, I now receive an AVAST threat detected message (att'd). Each time, it seems to reference a different JavaScript name, always with "scriptaculous." I checked WHOIS and the IP address listed maps to www.gameservers.com!

I tried researching this issue and came up with no useful hits. I did run a Malwarebytes scan and came up completely clean.

I wrote to Caskers and they claim I am the only one to have reported this problem; therefore, it must be a false positive.

I am at a loss as to how to proceed. They continue sending me email offers, but I cannot access the site any longer.

Any ideas or help will be appreciated.

Thanks,

KenB
« Last Edit: December 08, 2014, 08:35:22 PM by Ken37 »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37594
  • Not a avast user
Re: "Scriptaculous" Threat Detected
« Reply #1 on: December 08, 2014, 08:36:07 PM »
URL:mal means url or ip is blacklisted for whatever reason, there can be many

Checking url and ip I could not find anything, so you may report this to avast lab: https://support.avast.com


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89239
  • No support PMs thanks
Re: "Scriptaculous" Threat Detected
« Reply #2 on: December 08, 2014, 08:55:50 PM »
I'm guessing that this happens when you have logged in as I have tried to view the site (using firefox 34.0) and don't initially get an alert. Basically I'm given a member logon popup screen and can't get into the site.

That said, looking at the Page source there are a ton of script calls to run scriptaculous based scripts, but those are on the caskers.com site, not going out to the URL/IP address in the alert image.

Looking at your image, it isn't the actual caskers.com that is triggering the alert - there is something making the connection to hxxps://107.191.39.185 on port 443 and running a javascript. I'm always wary of URLs that are given as an IP address as it is never obvious where it will take you.

URL:Mal generally means the site or IP is considered malicious. So I would say that IP address in your image is considered malicious.

Basic checking didn't find anything - but that IP address actually goes back to skin.caskers.com - however, what is interesting is the site is running out of date software. This can make the site vulnerable to exploit.

sitecheck.sucuri.net/results/107.191.39.185
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
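
Added example, not part of any post in this thread: one way to repeat the page-source check described in Reply #2, listing every script a page loads and flagging any served from a bare IP address. The hosts, the sample HTML and the function names are constructed for illustration, and the same-site test is a simple suffix match on a domain you supply.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every external <script> tag."""
    def __init__(self):
        super().__init__()
        self.sources = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and dict(attrs).get("src"):
            self.sources.append(dict(attrs)["src"])

def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)  # accepts IPv4 and IPv6 text forms
        return True
    except ValueError:
        return False

def classify_scripts(page_url, html, site_domain):
    """Return (absolute_url, label) for each script the page references.

    label is 'ip-literal', 'same-site' or 'third-party'.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    results = []
    for src in collector.sources:
        absolute = urljoin(page_url, src)  # resolves relative and //host forms
        host = (urlsplit(absolute).hostname or "").lower()
        if is_ip_literal(host):
            label = "ip-literal"
        elif host == site_domain or host.endswith("." + site_domain):
            label = "same-site"
        else:
            label = "third-party"
        results.append((absolute, label))
    return results

# Constructed sample page; 192.0.2.10 is a documentation-range address.
SAMPLE_HTML = """<html><head>
<script src="/js/prototype/prototype.js"></script>
<script src="https://js.shop.example/js/scriptaculous/effects.js"></script>
<script src="https://192.0.2.10/js/scriptaculous/controls.js"></script>
<script src="//cdn.other.example/lib.js"></script>
</head></html>"""

if __name__ == "__main__":
    for url, label in classify_scripts("https://www.shop.example/", SAMPLE_HTML, "shop.example"):
        print(f"{label:12} {url}")
```

An `ip-literal` entry is the case worth following up with a reverse lookup or a reputation check, since the page source alone does not say which site sits behind the address.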

Offline Ken37

  • Newbie
  • *
  • Posts: 4
Re: "Scriptaculous" Threat Detected
« Reply #3 on: December 14, 2014, 03:23:38 PM »
I am still unable to access <caskers.com> as long as AVAST is active. I have written to the company and they report that the problem must be on my end. Last night, I was at a friend's house who uses AVAST on a Mac (vs. PC) and he had no trouble at all accessing and logging in to Caskers.com. I cleared my cache and tried again this morning and AVAST still reports "Threat Blocked" (see uploaded image) although it is no longer singling out "scriptaculous" but "varien/configurable.js".

This morning, I checked:
  • Sucuri - shows no blacklistings, only some outdated Apache software (v2.2.22)
  • Virustotal - shows a detection ratio of 0/61 and "Clean site" for everything listed
  • Metascan - shows 0/13 sources found a threat


It appears as though some redirection is occurring, but I am not sure what to do about it. I would like to continue purchasing from this site. Could the problem be on my computer? I checked my wife's PC, running the same AVAST software, and she is unable to connect to Caskers also.

Any suggestions?

Thanks, Ken
« Last Edit: December 14, 2014, 03:26:07 PM by Ken37 »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89239
  • No support PMs thanks
Re: "Scriptaculous" Threat Detected
« Reply #4 on: December 14, 2014, 03:56:43 PM »
I suspect that the avast for Mac differs from the windows version in different areas.

The area I think where this may differ is in HTTPS scanning by the Web Shield in the windows version of avast - if that isn't present in the Mac version of avast it wouldn't be scanning the content.

I don't know why the site is using an IP address rather than a user friendly URL (often used to obfuscate things). There is a possibility that avast could be blocking the IP address rather than the actual .js file - this could be if other domains are also on this IP that have been infected.

Have you tried a different browser when trying to connect to this site?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Re: "Scriptaculous" Threat Detected
« Reply #5 on: December 14, 2014, 05:04:58 PM »
Hi Ken37 & DavidR,

As you can see here: http://jsunpack.jeek.org/?report=fc04ab34108a840ff2fb42da98d69aa44240a521
(Above link for security research only, open up with NoScript extension active and inside a VM/sandbox)
there is something found up while this script is running from site: -js.caskers.com/js/scriptaculous/controls.js
Quote
[decodingLevel=0] found JavaScript
     error: line:441: SyntaxError: missing } after property list:
          error: line:441: nextText: "<i class="icon-chevron-medium-right"></i>",
          error: line:441: .....................................^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html>
          error: line:3: ..............^
     suspicious: maxruntime exceeded 10 seconds (incomplete)
When the spaces become fixed with a beautifier we see what is wrong: a missing comma after rules data object!
-caskers.com/js/scriptaculous/effects.js
undefined variable Element
     error: undefined variable Prototype
     error: undefined variable Class
Wp-scriptaculous.js errors can be caused by associated registry keys, corrupt downloads (incomplete see above) and/or virus and malware infection. We had an earlier scriptaculous issue discussion here: https://forum.avast.com/index.php?topic=74911.5

The site IP is blocked because of SPAM bot activity: http://myip.ms/view/blacklist/916829436/Blacklist_IP_54.165.180.252
listed activity from Proximic Web Crawler - Website Extractor with a latest visit recorded at Dec. 14th., for me that is to-day!


Site also did not survive a Spam Check: Suspicion of Spam

...his whisky, which was made to replicate the original 1963 whisky released in the united states, are available worldwide....

As in how far this Outdated Software plays a role is yet unknown to me: Outdated Web Server Apache Found: Apache/2.2.22
PHP issue: http://www.ubuntu.com/usn/usn-2391-1/

I get a "Title   301 Moved Permanently"
[Location] htxps://js.caskers.com/geturl.php?url=js/cdnjs/https:/
          -> Suspicious url(NULL)
[script] htxps://js.caskers.com/js/prototype/prototype.js
      -> user information check
Code:
The document has moved <a href="htxps://www.caskers.com/">here</a>.</p><hr>

Site could hijack your browser...some warnings: http://www.dnsinspect.com/caskers.com/1418571753
Netcraft Risk Rating red 1 -> http://toolbar.netcraft.com/site_report/?url=https%3A%2F%2Fwww.caskers.com

Transaction Protection
Certified SSL is used to encrypt transactions
SSL Issuer: PositiveSSL CA 2
SSL Expires: 2015-04-09 23:59:59 UTC

polonus
« Last Edit: December 14, 2014, 05:13:57 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31078
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: "Scriptaculous" Threat Detected
« Reply #6 on: December 14, 2014, 05:43:55 PM »
Ken,

there is nothing you can do other than telling the site owner to fix the issues.
As long as they keep using outdated software (Apache), the site will stay blocked.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89239
  • No support PMs thanks
Re: "Scriptaculous" Threat Detected
« Reply #7 on: December 14, 2014, 06:05:54 PM »
Quote
Ken,

there is nothing you can do other than telling the site owner to fix the issues.
As long as they keep using outdated software (Apache), the site will stay blocked.

I rather doubt avast is blocking because of outdated server software (which is vulnerable to exploit), as avast's scan (web shield) doesn't go to this depth.

Offline Ken37

  • Newbie
  • *
  • Posts: 4
Re: "Scriptaculous" Threat Detected
« Reply #8 on: December 14, 2014, 07:14:01 PM »
Thank you, Polonus, DavidR, and Eddy. I copied material from your various posts and sent to my contact at Caskers.com. It is now up to their technical personnel to follow up and take these issues seriously. At least this time I was able to offer them loads of pretty compelling evidence!

I appreciate the assistance and technical research you provided. I will post an update if I hear anything back from Caskers.

Thanks, Ken