Author Topic: avast web shield blocked playlist and trojan : JS:ScriptIP-inf[Trj.]  (Read 14204 times)

zenzaney

  • Guest
I was visiting my usual music website, which is playlist.com. The background scanner is what found and blocked the trojan horse JS:ScriptIP-inf [Trj.]. It said it was found in this category: C:\Program Files\Mozilla Firefox\firefox.exe.
Avast found it 2/23/12 1:30 pm. I'm using avast free edition and am using Firefox on Windows XP.

this is the pop up message that keeps popping up
avast web shield has blocked a harmful site or file
object: [suspicious]www.playlist.com/I>{gzip}[/suspicious]
infection: JS:ScriptIP-inf[Trj.]
process:file://C:\Program Files\Mozilla Firefox\firefox.exe
I went to vscan and it says the status of the site is infected, but again only avast is the one that shows it is.
this is the MD5 Hash: fb771d24e5d388652c7af282cd0a75e6
this is the SHA1 Hash: 9f16b2c700d6b398ae6c3801398b45abfb517a87

the scan found nothing on avast
malwarebytes found nothing as well

The only AV finding problems with this site is avast. I wonder if it's an FP.



« Last Edit: February 23, 2012, 11:40:43 PM by zenzaney »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
Re: avast web shield blocked playlist and trojan : JS:ScriptIP-inf[Trj.]
« Reply #1 on: February 23, 2012, 11:10:06 PM »
Sucuri - http://sitecheck.sucuri.net/results/http://www.playlist.com/

Malware entry: MW:IFRAME:HD202  http://sucuri.net/malware/malware-entry-mwiframehd202


This page seems to be <suspicious>  1 hidden external link found.
http://www.UnmaskParasites.com/security-report/?page=www.playlist.com



The suspicious iframe link to this...see urlQuery   http://urlquery.net/report.php?id=24316

« Last Edit: February 23, 2012, 11:15:49 PM by Pondus »

zenzaney

  • Guest
« Reply #2 on: February 23, 2012, 11:15:19 PM »
I have visited this site multiple times and there has never been anything wrong 'til now. The site has just been tagged as a bad site today. Why is that? Did it take avast that long, or is it something that just happened to the site itself recently, or what?

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
« Reply #3 on: February 23, 2012, 11:17:44 PM »
Quote
I have visited this site multiple times and there has never been anything wrong 'til now. The site has just been tagged as a bad site today. Why is that? Did it take avast that long, or is it something that just happened to the site itself recently, or what?
Every 3.6 seconds a website is infected
http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/

zenzaney

  • Guest
« Reply #4 on: February 23, 2012, 11:24:35 PM »
OK, so if this site were to, say, remove outside links to all social networking sites and clean up their website, would they be put on the safe list?

spg SCOTT

  • Guest
« Reply #5 on: February 23, 2012, 11:30:44 PM »
Hi zenzaney, welcome to the forum :)

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

The iframes that sucuri is pointing to are probably worth noting. They are of zero size and are in a place that is suspect. That said, avast is not alerting on that. (though maybe it should be)

avast is alerting on a script that appears to be a "splash message" that loads an iframe. This iframe is pointing to a site that is blocked by the network shield.

This is why the detection is called JS:Script...since it is a script, calling an iframe, calling a blocked site. ;)

Not sure on the actual detection of that script/site, since avast is the only one to detect on VirusTotal, however I would be cautious for the moment.

Scott
« Last Edit: February 23, 2012, 11:32:50 PM by spg SCOTT »
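The zero-size iframe check discussed in the reply above, as an added example that is not part of the original posts or any tool named in the thread. The sample markup, host names and function names are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

ZERO = re.compile(r"^0+(\.0+)?(px|%|em)?$", re.I)

def parse_style(style):
    decls = {}  # inline style attribute -> {property: value}
    for part in style.split(";"):
        if ":" in part:
            prop, value = part.split(":", 1)
            decls[prop.strip().lower()] = value.strip().lower()
    return decls

class IframeAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        attr = {k: (v or "") for k, v in attrs}
        style = parse_style(attr.get("style", ""))
        reasons = []
        for dim in ("width", "height"):  # inline style overrides the attribute
            if ZERO.match(style.get(dim, attr.get(dim, "")).strip()):
                reasons.append(dim + "=0")
        for prop, bad in (("display", "none"), ("visibility", "hidden")):
            if style.get(prop) == bad:
                reasons.append(prop + ":" + bad)
        if reasons:
            src = attr.get("src", "")
            host = (urlparse(src).hostname or self.page_host).lower()
            external = host != self.page_host and not host.endswith("." + self.page_host)
            self.findings.append({"src": src, "external": external, "reasons": reasons})

def find_hidden_iframes(html, page_host):
    audit = IframeAudit(page_host)
    audit.feed(html)
    return audit.findings

# Constructed markup; hosts are placeholders, not the ones in this thread.
SAMPLE = """<html><body>
<iframe src="http://tracker.example.net/pixel.html" width="0" height="0"></iframe>
<iframe src="/player/embed.html" width="480" height="270"></iframe>
<iframe src="//cdn.example.org/x.html" style="display:none"></iframe>
<iframe src="http://media.music.example/ad.html" style="width:300px;height:250px"></iframe>
</body></html>"""
```

This inspects static markup only: an iframe that a script writes into the page at load time, as in the case described above, appears only after the script has run, so the check has to be repeated on the rendered DOM.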

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37532
  • Not a avast user
« Reply #6 on: February 23, 2012, 11:32:55 PM »
Quote
would they be put on the safe list?
They are not on any list....avast is not reporting Malware URL...and Sucuri say: not blacklisted

zenzaney

  • Guest
« Reply #7 on: February 24, 2012, 04:28:20 AM »
I have one more question about this. I have Adblock for Firefox and it blocks most ads. Would I be able to block this hidden iframe so it wouldn't be able to attack my computer, and still be able to use the site safely?

I have recently downloaded NoScript for Firefox, so this should help out with that javascript, iframe virus problem.
« Last Edit: February 24, 2012, 05:34:48 AM by zenzaney »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
« Reply #8 on: February 24, 2012, 03:16:36 PM »
Just on the link details: <IFrame> hidden link - htXp://rc.rlcdn.com/233.html redirecting to htxp://rc.rlcdn.com/233.html?redirect=1&rl=815e976a1799d4dd
If the decoded file from there is being unpacked we see:  src='htxp://segment-pixel.invitemedia.com/set_partner_uid & src='htxp://d.agkn.com/pixel/1447/!?uuid=e8a622b80d202a933d3628ee20b4d78593efe61f' / & src='htxp://bcp.crwdcntrl.net/5/c=510/tp=RAPL/tpid=8f0fe7d35880572a8378eed15ac1b79ecf3aea905ef07a2a16451df9542c07cccd86dd5f16136f68' / & src='htxp://d.xp1.ru4.com/activity?_o=37516008&_t=lr_cm'
Here we see a js-void problem: htxp://jsunpack.jeek.org/?report=28a7c2d130b1538e5db0bd1aa98ce71f11a5052b (visit this link only when security savvy, with ample script blocking and on a VM)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

zenzaney

  • Guest
« Reply #9 on: February 24, 2012, 09:29:30 PM »
OK, I'm not even sure what a javavoid is. I'm pretty good with computer stuff and I know VM stands for virtual machine, but I'm not that good with knowing what half this stuff means unless explained in more general terms.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
« Reply #10 on: February 24, 2012, 09:40:35 PM »
The javascript void function can be desirable when you need to call another function without a redirect to a page refresh.
A hidden iFrame is re-directing to the source page given - src= etc.
Here is the bad iFrame detektor report for that site:
Check took 10.68 seconds

(Level: 0) Url checked:
hxtp://www.playlist.com/
Zeroiframes detected on this site: 1
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxtp://rc.rlcdn.com/233.html  * 
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.playlist.com/scripts/remote_logger.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.playlist.com/prod/scripts/127/opt/std_opt.js
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxtp://www.playlist.com/prod/scripts/127/opt/javascript:false;
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)

Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)

Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://npgapps.com/client_files/metacafe/megamovie2/megamovie.html?ord={ord}
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 3) Url checked: (iframe source)
htxp://npgapps.com/client_files/metacafe/megamovie2/+ad.url+
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://www.playlist.com/prod/scripts/127/opt/javascript:false;
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (script source)

Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)

Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.google.com/jsapi
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (script source)
hxtp://www.google.com///:
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (script source)
hxtp://www.google.com/+b+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.playlist.com/prod/scripts/127/phoenix/sections/front-page.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.google-analytics.com/ga.js
Zeroiframes detected on this site: 0
No ad codes identified

polonus

zenzaney

  • Guest
« Reply #11 on: February 27, 2012, 10:32:02 PM »
OK, thanks for your help. I'm going to have this closed now. I'm keeping an eye on this site and have taken every precaution possible while visiting, since I no longer have any warnings, but will stay on alert anyways.

mrsross

  • Guest
« Reply #12 on: February 28, 2012, 03:25:55 AM »
Here is what I do when I suspect the site to be infected, correct me if I'm wrong. I ping it to see its IP:

C:\Users\>ping playlist.com

Pinging playlist.com [65.49.37.165] with 32 bytes of data:
Reply from 65.49.37.165: bytes=32 time=88ms TTL=55
Reply from 65.49.37.165: bytes=32 time=87ms TTL=55
Reply from 65.49.37.165: bytes=32 time=87ms TTL=55
Reply from 65.49.37.165: bytes=32 time=88ms TTL=55

Ping statistics for 65.49.37.165:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 87ms, Maximum = 88ms, Average = 87ms

C:\Users\>

then do an IP lookup on it to see if it's featured on any of the DNSBLs
and it shows that it's not on any major DNSBL


bl.spamcop.net
pbl.spamhaus.org
cbl.abuseat.org
IP.v4BL.org
sbl.spamhaus.org
xbl.spamhaus.org

Btw I'm not sure why Avast doesn't have its own DNSBL
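How the DNSBL lookup in the post above works at the DNS level, as an added example that is not part of the original post: the IP's octets are reversed and prepended to the list's zone, and the answer is read from the returned A record. The function names, the 192.0.2.10 documentation address and the canned answers are constructed; treating 127.255.255.0/24 as an error range follows Spamhaus's published return codes.

```python
import ipaddress
import socket

# Zones named in the post above.
ZONES = ["bl.spamcop.net", "pbl.spamhaus.org", "cbl.abuseat.org",
         "sbl.spamhaus.org", "xbl.spamhaus.org"]

def dnsbl_query_name(ip, zone):
    """65.49.37.165 + bl.spamcop.net -> 165.37.49.65.bl.spamcop.net"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def classify(answer):
    """Interpret the A record a DNSBL returned (None means no record)."""
    if answer is None:
        return "not listed"
    addr = ipaddress.IPv4Address(answer)
    if addr in ipaddress.IPv4Network("127.255.255.0/24"):
        return "error"    # list refused or could not serve the query
    if addr in ipaddress.IPv4Network("127.0.0.0/8"):
        return "listed"
    return "invalid"      # not a DNSBL answer (wildcard or rewritten DNS)

def system_resolver(name):
    # gaierror covers NXDOMAIN; a resolver outage looks the same here.
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None

def check_dnsbls(ip, zones=ZONES, resolve=system_resolver):
    return {z: classify(resolve(dnsbl_query_name(ip, z))) for z in zones}

# Constructed answers standing in for live DNS so the example runs offline.
FAKE_ANSWERS = {"10.2.0.192.xbl.spamhaus.org": "127.0.0.4",
                "10.2.0.192.pbl.spamhaus.org": "127.255.255.254",
                "10.2.0.192.bl.spamcop.net": "203.0.113.7"}

def demo():
    return check_dnsbls("192.0.2.10", resolve=FAKE_ANSWERS.get)
```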