Topic: Suspicious Script

Mr. Consumer
Suspicious Script
« on: November 24, 2021, 05:38:21 PM »
A suspicious adware-related script is loaded on the site:
https://usersdrive.com/
Direct link to the script:
https://usersdrive.com/sw.js
Virustotal: https://www.virustotal.com/gui/file/b4d0636ff0f1dc289e603b054e769811676990ea4794419f61c8726daf1247bd/detection
The script is also detected by HTTPS scanners of ESET and Kaspersky's web protection module, which is not shown on Virustotal.
Kaspersky's detection:
https://opentip.kaspersky.com/b4d0636ff0f1dc289e603b054e769811676990ea4794419f61c8726daf1247bd/
Bitdefender created the signature after I submitted to them a couple of months ago.

Maybe Avast should detect it too by its HTTPS scanner.

polonus
Re: Suspicious Script
« Reply #1 on: November 24, 2021, 10:32:36 PM »
It is a legit script that is abused by Razy malware malcreants to send malcreants statistics.

Re: https://coingeek.com/new-crypto-malware-versatile-extremely-dangerous/

Avast heuristics may detect this as a potential unwanted/unsafe application.

The site you mention is being blacklisted by McAfee's: https://sitecheck.sucuri.net/results/https/usersdrive.com/sw.js

File-sharing services like free usersdrive dot com should always be frowned upon. Free is not always free in the way you may think.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Mr. Consumer
Re: Suspicious Script
« Reply #2 on: November 26, 2021, 12:10:17 PM »
Thanks for your input. Maybe Avast is not interested in adding any detection for it.

polonus
Re: Suspicious Script
« Reply #3 on: November 26, 2021, 06:04:31 PM »
Hi Mr. Avast,

Cannot comment, really, because we all here are volunteers. We do not have influence in such respects.
It is for avast team to decide what definitions they will launch for genuine and also for heuristic detections.
Understandable, it is their product, their definitions...

Would be interesting to find what threat analyzing programs will come up with,
apart from what VT has to show us.

As long as JavaScript is around, since the days of Brendan Eich developing the language,
it has been a two-pointed sword in many respects.
I work retire.js, node.js. It still stays a real can of worms, somewhat like what PHP is in the hands of many developers.

A script blocker of sorts like NoScript and uMatrix (alas now left by its developer, probably because of upcoming extension restrictions)
is a solution that always works against such threats (all of them, even those foreseeable in the future).

But end-users also have to reckon with what Big Tech and overseeing organizations have decided for us.
That's the world we live in. Have a good week.

polonus (volunteer third party cold recon website security analyst and website error-hunter)

Mr. Consumer
Re: Suspicious Script
« Reply #4 on: November 28, 2021, 01:39:43 PM »
I see. Yeah, I know about NoScript and have used it briefly in the past. I mainly used uMatrix for a long time and even uBlock Origin in medium/hard mode. They are great for protection, but configuring them can be cumbersome, especially initially.
Then I got lazy and even gave up uBO medium mode. So now just using easy mode.
But this particular script is a first party script, not third party, so that's an issue for uBlock Origin.
Avast still hasn't added any detection, so looks like they don't consider it dangerous enough. It's alright I guess since you said this script itself is a legit script. So, not a problem.

polonus
Re: Suspicious Script
« Reply #5 on: November 28, 2021, 10:18:34 PM »
Hi Mr. Avast,

I also work the Browser JS Guard extension inside the Epic browser to be alerted to hidden iFrame redirections, unauthorized redirections, encoded JavaScript, external domain requests and trackers on websites (this is an extension supported by CERT-In and the government of India). Found this extension well worth installing.

In the case of apparent legit scripts that may be or come abused, there must obviously be a suspicious way to get them onto your device. They do not land there or aren't produced in a way as your operational system is used to get them (have such files launched, and in/from different places).

It can also be files renamed by malcreants to show off as legit ones. So do not open phishy links, mind alerts by the above extension etc. When something feels risky or not hunky dory, it often is. Curiosity killed the proverbial animal, you know.

Have a good week with best regards from,

polonus
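Two points in this thread lend themselves to a small, runnable illustration: Mr. Consumer's remark that sw.js is a first-party script (which is why a third-party blocker in easy mode lets it through), and the indicators polonus lists for Browser JS Guard (hidden iframes, external domain requests, encoded JavaScript). The checker below is an added example written for this page; it is not code from the thread, from uBlock Origin, or from the Browser JS Guard extension. It parses a constructed HTML page with Python's standard library, classifies each script source as first-party or third-party relative to the page origin, and flags hidden iframes and decoder-style inline scripts with simple heuristics. The host names (example.test, example-third.test) and the sample markup are constructed placeholders, not observations about any real site.

```python
"""Static page checker: first-party vs third-party scripts, hidden iframes,
and encoded inline JavaScript. Heuristic, offline, standard library only."""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _PageCollector(HTMLParser):
    """Collect <script> and <iframe> elements while parsing an HTML document."""

    def __init__(self):
        super().__init__()
        self.scripts = []   # list of (src or None, inline body text)
        self.iframes = []   # list of attribute dicts
        self._in_script = False
        self._src = None
        self._body = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "script":
            self._in_script, self._src, self._body = True, a.get("src"), []
        elif tag == "iframe":
            self.iframes.append(a)

    def handle_data(self, data):
        if self._in_script:          # HTMLParser hands script bodies to handle_data
            self._body.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._body)))
            self._in_script = False


def script_party(page_url, src):
    """'first-party' if the (resolved) src host is the page host or a subdomain of it."""
    page_host = (urlparse(page_url).hostname or "").lower()
    src_host = (urlparse(urljoin(page_url, src)).hostname or "").lower()
    if src_host == page_host or src_host.endswith("." + page_host):
        return "first-party"
    return "third-party"


# Decoder calls commonly seen in obfuscated loaders, plus long runs of escapes.
_DECODERS = re.compile(r"\beval\s*\(|\bunescape\s*\(|String\.fromCharCode|\batob\s*\(")
_ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def looks_encoded(js, escape_threshold=20):
    """Heuristic: a decoder call, or at least `escape_threshold` hex/unicode escapes."""
    return bool(_DECODERS.search(js)) or len(_ESCAPES.findall(js)) >= escape_threshold


def is_hidden_iframe(attrs):
    """Zero/one-pixel or CSS-hidden iframes: no legitimate visible purpose."""
    def tiny(value):
        return value.strip().rstrip("px") in {"0", "1"}
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "x")) and tiny(attrs.get("height", "x"))) \
        or "display:none" in style or "visibility:hidden" in style


def scan_page(page_url, html):
    """Return a list of (category, detail) findings for one page."""
    collector = _PageCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        if src:
            findings.append((script_party(page_url, src), urljoin(page_url, src)))
        elif looks_encoded(body):
            findings.append(("encoded-inline-script", body.strip()[:60]))
    for attrs in collector.iframes:
        target = urljoin(page_url, attrs.get("src", ""))
        if is_hidden_iframe(attrs):
            findings.append(("hidden-iframe", target))
        elif script_party(page_url, attrs.get("src", "")) == "third-party":
            findings.append(("external-iframe", target))
    return findings


# Constructed sample page (placeholder hosts under the reserved .test TLD).
SAMPLE_URL = "https://example.test/index.html"
SAMPLE_HTML = """
<html><head>
<script src="/sw.js"></script>
<script src="https://cdn.example-third.test/lib.js"></script>
<script>
  eval(String.fromCharCode(97,108,101,114,116,40,49,41));
</script>
</head><body>
<iframe src="https://ads.example-third.test/frame" width="0" height="0"></iframe>
<iframe src="https://videos.example.test/embed" width="640" height="360"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for category, detail in scan_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"{category:24} {detail}")
```

On the sample page the relative `/sw.js` is reported as first-party, exactly the case where a third-party-only blocking policy offers no protection, while the CDN script, the zero-size iframe and the `eval(String.fromCharCode(...))` loader each produce their own finding. The heuristics are deliberately simple; treat a hit as a prompt to look closer, not as a verdict.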