Author Topic: Torjan Horse, or "false positive"?  (Read 14959 times)


Offline DavidR

Re: Torjan Horse, or "false positive"?
« Reply #15 on: April 11, 2010, 08:05:59 PM »
Thanks everyone for confirming that the site is still infected.  It's a great pity as I need to buy some particular pieces of furniture for my own business (their prices are lower than average), but the owner doesn't want to hear that he needs a professional to come in and tidy up his computer and website.  Ah well, if he can't be persuaded, I will have to shop elsewhere.
<snip> 

Perhaps you want to point them to this topic, though that really shouldn't be your responsibility. You have already gone further than most would do by reporting it to them.

Unfortunately many AVs aren't even looking for this problem (hacked sites, inserted scripts, etc.), much less detecting it. So many visitors will be blissfully unaware that they are at risk by visiting the site. The script at googie-anaiytics.net could change at any time, so the potential payload isn't something that can be determined.

However, there is one piece of good news: it looks like the googie-anaiytics.net site has been taken down, so at the moment, although the inserted script is active, the site it points to is down. Again, that is subject to change and shouldn't be relied on.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Torjan Horse, or "false positive"?
« Reply #16 on: April 11, 2010, 08:09:23 PM »
Hi DavidR,

This is a cross-site scripting attack used against e-commerce sites; read about the security issue here:
http://forums.oscommerce.com/topic/286360-security-issue/
index.html hacked through PHP; good write-up here: http://www.whitefirdesign.com/resources/query-google-malware.html

polonus
« Last Edit: April 11, 2010, 08:34:55 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Torjan Horse, or "false positive"?
« Reply #17 on: April 11, 2010, 08:17:50 PM »
Yes, but it doesn't make any difference how it was set; the owner thinks his site is clean.

Until they accept they have a problem, I guess they aren't going to address the cause, since they don't accept the symptom. Only then will they seek help.

Stran05

Re: Torjan Horse, or "false positive"?
« Reply #18 on: April 11, 2010, 08:38:20 PM »
Avast catches HTML:IFrame-DB[Trj] in the Shopping Cart of this website, and fortunately it was caught by Avast! But I am already browsing with Sandboxie, so that already reduces the chance of infection.

rdmaloyjr

Re: Torjan Horse, or "false positive"?
« Reply #19 on: April 11, 2010, 09:10:41 PM »
Yes, I also got a virus alert while opening http://riversidefurniture.co.uk/shoppingcart/

[image: trojan horse virus]
No virus (or trojan) alert while opening hxxp://riversidefurniture.co.uk/shoppingcart/.

I guess Opera is blocking the malware before avast! 5 can detect it. :) 8)

Strange, my 7 64-bit computer gets a virus warning from hxxp://riversidefurniture.co.uk/shoppingcart/, but not my XP SP3 box. ???

The only difference is the firewalls and on my XP I have Zemana (Zemana won't install on 64bit).

wisteria

Re: Torjan Horse, or "false positive"?
« Reply #20 on: April 12, 2010, 11:24:18 AM »
David wrote: Perhaps you want to point them to this topic, though that really shouldn't be your responsibility. You have already gone further than most would do by reporting it to them.

The reason I'm taking such notice is because I want to become a trade customer of theirs!  However, they insist that I browse their website, choose what I need for my own business, and they will email the trade prices.  They don't have a printed trade price list as they've only just started selling to other traders.

I received another reply from the company this morning. They are requesting that I use a different computer to access their website. Why? They reckon that if the virus/Trojan is still hanging around, then it can't be anything serious, as other customers are using the shopping basket with no problems at all :o

I will show this thread to the furniture company.  I hope they will then realise that I'm not talking rubbish. I'm no techie (as you can tell), so it's little wonder the company isn't taking me seriously.   

wisteria

Re: Torjan Horse, or "false positive"?
« Reply #21 on: April 12, 2010, 12:07:04 PM »
Another thought - can anyone please confirm that if I ignore the Avast Trojan warning and just browse the site, without using the shopping basket/cart, could my computer still get infected?  I'm not clear if it's only the shopping basket system on the furniture site that's infected, or the entire website.

spg SCOTT

Re: Torjan Horse, or "false positive"?
« Reply #22 on: April 12, 2010, 12:10:38 PM »
Another thought - can anyone please confirm that if I ignore the Avast Trojan warning and just browse the site, without using the shopping basket/cart, could my computer still get infected?  I'm not clear if it's only the shopping basket system on the furniture site that's infected, or the entire website.

Well, the only option is to abort the connection, and when that happens you cannot load the page. Once you click to enter the site, the alert appears.

So I don't think that that would be possible. I wouldn't risk it personally... (I could be wrong though)

-Scott-

Offline polonus

Re: Torjan Horse, or "false positive"?
« Reply #23 on: April 12, 2010, 12:26:40 PM »
Hi wisteria,

They have to acknowledge the fact that their site has suspicious code and that certain users could have been put at risk.
And the avast alert won't go away until they clean up their act. One could use NoScript in the browser so that the malcode can do no harm, but they cannot ignore the fact that avast blocks the suspicious code. The analyzed resource contains one or more syntax errors. This may affect the detection of malicious code, so this could be spycode....

Code:
src='hxtp://googie-anaiytics.net/ga.js' type='text/javascript'

Mind the i=l change; that domain was specifically hosted for this purpose. It is a malcode scam, cleverly done by the malcreants: http://www.google.com/support/forum/p/Google+Analytics/thread?tid=3d83e46dc03910ad&hl=en
So, a site posing as google-analytics.

polonus

« Last Edit: April 12, 2010, 12:32:28 PM by polonus »

wisteria

Re: Torjan Horse, or "false positive"?
« Reply #24 on: April 12, 2010, 12:38:12 PM »
Thanks Scott and Polonus,

Of course, I'd forgotten that I wouldn't be able to ignore the Avast warning on this computer, abort being the only option.  I could try the public library computer to browse the site, although that would be unfair on the library if they are not fully protected!

As you all say, until the company acknowledges the fact that their computer still harbours a Trojan horse, then there's nothing I can do.  You can lead a horse to water...as they say.


Offline polonus

Re: Torjan Horse, or "false positive"?
« Reply #25 on: April 12, 2010, 12:43:30 PM »
Hi wisteria,

Users of IE are at even greater risk, because of:
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP *
     info: ObfuscationPattern detected location eval
     info: [decodingLevel=0] found JavaScript

polonus
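The injected tag polonus quotes in reply #23 and the scanner markers in reply #25 are the two things a defender can check for mechanically when auditing a page like this shopping cart. The following Python script is an added example for this thread (not code from the forum, from Avast, or from any project named here): it parses a page's script tags, flags external script hosts that normalise to a trusted analytics brand once look-alike characters are folded together (the i/l swap behind googie-anaiytics), and flags inline scripts that contain the markers quoted from the scanner output. The trusted-host allowlist, the confusable-character table, the extra `unescape(` marker and the sample HTML are assumptions constructed for the demonstration.

```python
"""Audit <script> tags in an HTML page for look-alike hosts and obfuscation markers.

Added example, not code from the Avast forum thread or any project it names.
The allowlist, confusable table, sample page and the unescape( marker are
assumptions made for this demonstration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this page is expected to load scripts from (assumed allowlist).
TRUSTED_SCRIPT_HOSTS = {"www.google-analytics.com", "ssl.google-analytics.com"}

# Characters commonly swapped for one another in look-alike domains (assumed table).
LOOKALIKE_TABLE = str.maketrans({"i": "l", "1": "l", "|": "l", "0": "o"})

# Markers taken from the scanner output quoted in the thread, plus unescape( (assumed).
OBFUSCATION_MARKERS = ("eval(", "Microsoft.XMLHTTP", "unescape(")


def brand_of(host):
    """Second-level label after folding confusables, e.g. 'google-analytlcs'.

    Both the suspect host and the trusted hosts go through the same folding,
    so 'googie-anaiytics.net' and 'www.google-analytics.com' compare equal.
    """
    labels = host.lower().translate(LOOKALIKE_TABLE).split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


TRUSTED_BRANDS = {brand_of(h) for h in TRUSTED_SCRIPT_HOSTS}


class ScriptAuditor(HTMLParser):
    """Collects (kind, detail) findings for external and inline <script> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._inline = None  # list of text chunks while inside an inline <script>

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self._check_external(src)
        else:
            self._inline = []

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies as raw data chunks.
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline)
            self._inline = None
            hits = [m for m in OBFUSCATION_MARKERS if m in body]
            if hits:
                self.findings.append(("obfuscation", ",".join(hits)))

    def _check_external(self, src):
        host = (urlparse(src).hostname or "").lower()
        if host in TRUSTED_SCRIPT_HOSTS:
            return
        if brand_of(host) in TRUSTED_BRANDS:
            # Same brand after folding but not an allowlisted host: typosquat.
            self.findings.append(("lookalike", host))
        else:
            self.findings.append(("unknown-host", host))


def audit_html(html):
    """Return the list of findings for one HTML document."""
    parser = ScriptAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one legitimate tag, the injected look-alike tag
# quoted in the thread, an unrelated third-party script, and an inline
# script using the markers from the scanner output.
SAMPLE_HTML = """
<html><head>
<script src='http://www.google-analytics.com/ga.js' type='text/javascript'></script>
<script src='http://googie-anaiytics.net/ga.js' type='text/javascript'></script>
<script src='https://cdn.example.org/cart.js'></script>
<script type='text/javascript'>var x = new ActiveXObject("Microsoft.XMLHTTP"); eval(unescape("%61"));</script>
<script>document.title = "Shopping cart";</script>
</head><body>Shopping cart</body></html>
"""

if __name__ == "__main__":
    for kind, detail in audit_html(SAMPLE_HTML):
        print(f"{kind:12s} {detail}")
```

Run against a saved copy of the page, the script reports the look-alike host even though a plain string search for "google-analytics" would miss it, which is the point of folding confusables before comparing; the unknown-host finding is lower severity and exists so that every third-party script load is reviewed rather than silently accepted.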

wisteria

Re: Torjan Horse, or "false positive"?
« Reply #26 on: April 12, 2010, 01:52:40 PM »
Hi polonus, I'm using IE8, sometimes Firefox.  Incidentally, I've already attempted to explain to Riverside Furniture about the Google Analytics (with an i instead of an l) malware attached to their shopping basket. I've also alerted them to discussions about this. There's no reply from them as yet, so either they are working on getting rid of the malware and connecting with the real Google Analytics, or they have written me off as a loony  :P

wisteria

Re: Torjan Horse, or "false positive"?
« Reply #27 on: April 14, 2010, 04:42:24 PM »
Update:  Well, I've tried and tried to convince the owner of Riverside Furniture that their computer is infected, but they're still of the opinion that my anti-virus software is oversensitive.  This is because other customers have experienced no problems at all in accessing their site. Also, they say they've tried to access their site on a few other computers, again with no problems.

Furthermore, they have reported all of this to their 'webmaster' (a misnomer?).  Amazingly, the webmaster reckons it will be too difficult to find the miscreant code, like looking for a needle in the proverbial haystack!  Therefore, they will ignore it (more or less). And yet, you whizz kids here found the problem within minutes, maybe even seconds!

I've heard back from Avast technical support. They will review the infected site in the Avast 'laboratory' and will remove the Trojan warning if it turns out to be a 'false positive'.  
« Last Edit: April 14, 2010, 04:44:24 PM by wisteria »

Offline DavidR

Re: Torjan Horse, or "false positive"?
« Reply #28 on: April 14, 2010, 05:35:07 PM »
The problem is that it isn't a false positive: the site has been hacked and the inserted script tag is there until the site does something about it and a) removes it and b) closes the vulnerability that allowed the site to be hacked in the first place.

I can't believe that they can't believe the results shown on this topic.

The situation currently is that they are fortunate in that the malicious site this script tag points to has been taken down. Should that situation change, or should the same vulnerability that inserted the script be used just as easily to insert one pointing at an active site, then their customers or potential customers would be placed at risk, so you have to wonder at their approach to customer security and how far that extends. I certainly wouldn't trust any payment process, for instance, if that is their cavalier attitude.

spg SCOTT

Re: Torjan Horse, or "false positive"?
« Reply #29 on: April 14, 2010, 06:04:58 PM »
Apparently ctrl + F is too complicated for the webmaster... ::)

And even if that wasn't possible, the picture here would show roughly where it is...