Author Topic: JS:ScriptIP-inf [Trj] on a legit site?  (Read 24790 times)


raskyred

  • Guest
JS:ScriptIP-inf [Trj] on a legit site?
« on: May 17, 2009, 06:50:53 PM »
Hello,

I'm new to this site and have a question for you based on other threads I have read.

There is this web site that sells beer paraphernalia that I've ordered from in the past. When I checked it out last week to buy some new stuff, Avast 4.8 Home popped up with a virus warning about JS:ScriptIP-inf [trj]. Is that the iframe infection that I've read about on here? Any chance my system was infected? The weird thing is the warning will pop up even when I Google the company's name (Global Beer). I asked some other people to check it out and they didn't report a similar problem, which makes me nervous that it's my system.

Thanks

John2009

  • Guest
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #1 on: May 17, 2009, 06:58:48 PM »
Usually websites like that are frequent targets of iframes and JS:scripts, and avast is accurate in those detections. Wait for an evangelist. It is very unlikely it's a FP though.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #2 on: May 17, 2009, 07:13:16 PM »
Hi raskyred,

Some websites use an <img> tag but link a malicious javascript (.js) file. Most probably an XSS attack. Well, can you give us the link for which you got the alert, made non-clickable, like for instance:
hxtp://www.mymaliciouslink.org or wxw.mymaliciouslink.org
Then we can give you a clue what is wrong there, or you can inform the webmaster of the site. If user input is possible on the site, then a hacker could have had too much access there as well.
If avast alerted, it also prevented you from being directed to the real malcode downloads, so it has more than likely saved your glorious b....d here,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

raskyred

  • Guest
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #3 on: May 17, 2009, 07:23:59 PM »
hXXp://www.globalbeer.com/

Thanks

Jtaylor83

  • Guest
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #4 on: May 17, 2009, 07:34:14 PM »
There is an obfuscated/suspicious javascript on the site.

Quote
Checking: hxxp://www.globalbeer.com/Scripts/AC_RunActiveContent.js
File size: 3233 bytes
File MD5: db8f4e6949c0fc0fc9cadf85d02e099a

hxxp://www.globalbeer.com/Scripts/AC_RunActiveContent.js - Ok



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #5 on: May 17, 2009, 07:44:40 PM »
Hi raskyred,

Yes that code is there but it does not link anywhere, now:
The requested URL /scripts/ac_runactivecontent.js was not found on this server.
Code:
^/script^
^script src="Scripts/AC_RunActiveContent.js" type="text/javascript"^^/script^

Probably that was the code [modified by me for security reasons] that gives problems here on that site,
but the following code can also be exploited with an image exploit, if the website input allows enough maneuverability for a hacker to insert this!
Code:
^script language="JavaScript" type="text/javascript"^
^!--
  // Hit counter code for Webstat.net
  var data = '&r=' + escape(document.referrer)
+ '&n=' + escape(navigator.userAgent)
+ '&p=' + escape(navigator.userAgent)
+ '&g=' + escape(document.location.href);
  if (navigator.userAgent.substring(0,1)>'3')
    data = data + '&sd=' + screen.colorDepth
+ '&sw=' + escape(screen.width+'x'+screen.height);
  document.write('^i[b]mg alt[/b]="Website Counter" width="0" height="0" border="0" hspace="0" '+'vspace="0" src="hxtp://www.webstat.net/basic/counter.php?i=21095' + data + '">');
// --^...........
/script

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #6 on: May 17, 2009, 08:40:28 PM »
The script exists and I have downloaded it; if you tagged it on to the end of the URL posted it works, as the src= is a relative address.

Virustotal finds nothing wrong with that script, http://www.virustotal.com/analisis/8445af97896e3f29377863e3d68d4176, so it has to be something else, there is also a swf in the AC_RunActiveContent.js file. 

I had a quick look and I can't see anything obvious, so it has to be something else.

Edit: if I remember rightly, webstat.net is on the network shield's malicious software list. I have just tested wXX.webstat.net and the network shield blocks it, so it looks like that is the issue here, the access to webstat.net.
« Last Edit: May 17, 2009, 08:44:03 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #7 on: May 17, 2009, 10:30:12 PM »
Hi DavidR,

Using webstat.net_code on a website is putting one at risk,
so that could well be at the core of the problems in this case.

The last time malicious content was found on that site (webstat.net that is), was 2009-05-17.
Malicious software includes 121 scripting exploit(s).

This site was hosted on 1 network(s) including AS21844 (THEPLANET)
This software has infected 59 domains, e.g. lts.ru/, saibabaofindia.com/, homepage.eircom.net/~ranunculaceae/.

Here is another example where malcoders abused webstat counter code:

http://malwaredatabase.net/blog/index.php/2008/09/04/antivirus-2009-brought-to-you-by-motigo/

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #8 on: May 17, 2009, 10:50:10 PM »
Yes, if this webstat.net entry was placed there by the owner/webmaster as a counter, then there are many other stats counters, etc. that don't come with this history.

It could of course be a fake posing as a web counter, as who knows a web counter that doesn't ("Website Counter" width="0" height="0" border="0" hspace="0" '+'vspace="0") display anything ???
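
The observation above, that a "counter" written out at width="0" height="0" displays nothing, can be turned into a check a site owner runs over their own page source. This is an added example, not code posted in the thread; the sample markup, the `.example` host names and the function names are assumptions made for illustration.

```javascript
// Added example: find hidden images that call out to a third-party host.
// SAMPLE_PAGE is constructed; all hosts are placeholder .example names.
const SAMPLE_PAGE = `
<html><body>
<img src="/images/logo.gif" width="120" height="60" alt="Shop logo">
<img src="http://cdn.partner.example/banner.png" width="468" height="60">
<script type="text/javascript">
  var data = '&r=' + escape(document.referrer);
  document.write('<img alt="Website Counter" width="0" height="0" border="0" ' +
    'src="http://counter.stats.example/basic/counter.php?i=1' + data + '">');
</script>
</body></html>`;

// Read one attribute value out of raw tag text (quoted or unquoted).
function attr(tag, name) {
  const re = new RegExp('\\b' + name + '\\s*=\\s*["\']?([^"\'\\s>]+)', 'i');
  const m = re.exec(tag);
  return m ? m[1] : null;
}

// Scans raw source, so <img> tags built inside document.write() strings are
// seen as well as static ones. Flags images of at most 1x1 pixel whose src
// resolves to a host outside the page's own domain.
function findHiddenThirdPartyImages(html, pageUrl, blocklist = new Set()) {
  const pageHost = new URL(pageUrl).hostname.replace(/^www\./, '');
  const findings = [];
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const width = parseInt(attr(tag, 'width'), 10);
    const height = parseInt(attr(tag, 'height'), 10);
    const src = attr(tag, 'src');
    if (!src || !(width <= 1 && height <= 1)) continue; // NaN fails the test
    let host;
    try { host = new URL(src, pageUrl).hostname; } catch { continue; }
    const firstParty = host === pageHost || host.endsWith('.' + pageHost);
    if (firstParty) continue;
    findings.push({ host, src, width, height, blocklisted: blocklist.has(host) });
  }
  return findings;
}

const report = findHiddenThirdPartyImages(
  SAMPLE_PAGE, 'http://www.shop.example/', new Set(['counter.stats.example']));
console.log(report);
```

The optional third argument is a set of hosts the owner already knows to be blocked by visitors' security software, so a finding on such a host can be prioritised for removal.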

raskyred

  • Guest
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #9 on: May 17, 2009, 10:58:33 PM »
So is there no threat since the file is missing?

I find it odd that a few of my friends tried visiting the site (with Avast installed) and didn't receive a warning like mine.

Thanks for all your help.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33920
  • malware fighter
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #10 on: May 17, 2009, 11:31:52 PM »
Hi raskyred,

Well, a site can get hacked and can be cleansed again, and can get hacked anew; some malware downloads are downloading secure and insecure items randomly to evade detection. The world wide web is like an ever changing ocean and so are the malcode streams in this ocean, but lately there is a lot of bad malcode weather out there. Well, I put this a bit poetically, but the reality is harsh enough, and you will certainly understand what I mean to say.

polonus
« Last Edit: May 18, 2009, 12:42:11 AM by polonus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #11 on: May 18, 2009, 12:00:29 AM »
Quote
So is there no threat since the file is missing?

I find it odd that a few of my friends tried visiting the site (with Avast installed) and didn't receive a warning like mine.

You're welcome.

Incorrect, it is the fact that the file is missing which is causing the error 404 page to be displayed and triggers the alert as it appears to be that which is infected and not the favicon.ico file.

I don't know what your friends' avast settings are or if there are other factors in the mix, so I can't say. What I can say is that along with yourself we in this topic have all had alerts.

Your other friends that don't have avast installed will be blissfully unaware that this fast spreading type of attack is going on as very few AVs even check for it and avast is IMHO the top of the pack.

wighty

  • Guest
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #12 on: June 08, 2009, 10:58:33 PM »
I was wondering about the present status of this issue on www.globalbeer.com?  I received their newsletter today and tried to access the website and got an Avast! warning about JS:ScriptIP-inf [Trj].  I aborted the site access, but am curious if this is a real potential concern or a FP...


CharleyO

  • Guest
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #13 on: June 08, 2009, 11:43:24 PM »
***

The website is still infected with webstat.net as I have just tested it.


***

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89131
  • No support PMs thanks
Re: JS:ScriptIP-inf [Trj] on a legit site?
« Reply #14 on: June 08, 2009, 11:46:05 PM »
I have visited it again and I can see nothing obvious, so it looks like it is the same as reported in Reply #5, the hit counter script that accesses Webstat.net, a site that is blocked by the network shield.

I have submitted it again for analysis, but I doubt anything will change unless the issue is with the blocked webstat.net.