Author Topic: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]  (Read 5894 times)


polonus
See: http://zulu.zscaler.com/submission/show/fe83f86ee97110233ea36510d56d6ee6-1333725183
Web rep 40/100: http://www.webutation.net/go/review/art-slub.com.pl
Bitdefender TrafficLight gives the page as unsafe.
Avast webshield protects us by blocking this as JS:Iframe-FH [Trj].

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

!Donovan
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #1 on: April 06, 2012, 06:26:30 PM »
Using Web-Sniffer I get a 200 error; however, using my special source code viewer I could view the source. :)

Line 472 looks suspicious. Only smashed-together coding, and directly after the end jQuery tag.

Fixing up the coding, by adding spaces and tabs as necessary, I can clearly view the suspect code. See attached.

And yes, this detection is correct ;)
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

polonus
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #2 on: April 06, 2012, 06:37:08 PM »
Hi !Donovan,

Thank you for the heads-up on that valid avast malcode block. Thanks for analyzing that for us,

polonus

chochor
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #3 on: April 22, 2012, 03:00:39 PM »
Hey, I have this trojan on my website since Friday 22 April 2012. I'm looking for help to solve this problem, please help. My e-mail: bartek@lingerie4u.pl, my webpage: wxw.lingerie4u.pl
« Last Edit: April 22, 2012, 03:22:25 PM by chochor »

Asyn.B
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #4 on: April 22, 2012, 03:18:39 PM »
Quote
Hey, I have this trojan on my website since Friday 22 April 2012. I'm looking for help to solve this problem, please help. My e-mail: bartek@lingerie4u.pl, my webpage: wxw.lingerie4u.pl

Please deactivate your link...!!!
-> Use wxw instead of www (See above..!)
http://zulu.zscaler.com/submission/show/7917bf94ed0fee5bc56a206bc920db6b-1335100563

Pondus
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #5 on: April 22, 2012, 03:42:25 PM »
Quote
Hey, I have this trojan on my website since Friday 22 April 2012. I'm looking for help to solve this problem, please help. My e-mail: bartek@lingerie4u.pl, my webpage: wxw.lingerie4u.pl
Sucuri report: http://sitecheck.sucuri.net/results/http://www.lingerie4u.pl/
Malware entry: MW:IFRAME:HD564   http://sucuri.net/malware/malware-entry-mwiframehd564

virustotal
https://www.virustotal.com/file/3de58a51e6968c34c03d12dc4e2e54cd881ed9b1056c49ca121735553077ff29/analysis/1335102050/

wepawet - suspicious
http://wepawet.iseclab.org/view.php?hash=a9e9fb8e6b8b1fb267e5fceb299ebf1b&t=1335102390&type=js
« Last Edit: April 22, 2012, 03:50:33 PM by Pondus »

!Donovan
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #6 on: April 22, 2012, 03:45:39 PM »
Hi chochor,

A very infected site you have indeed. You are lucky that none of the majors have decided to blacklist your site.


First, your jQuery file. (jquery-1.3.2.min.js)
Sucuri says on line 19, from "If(J===G)" down, contains the exploit. However, I did not see anything apparent in that script and decided to upload the part that looked like regular jQuery coding to VirusTotal. See: https://www.virustotal.com/file/3b992588ed7d8d7eac046b7f7f9ec353c9346004ab7645981deb0dddff5bf221/analysis/1335100855/

Thus, the coding before and after the /*qpi*/ tag contains the exploit. See attachment #1 for readable malscript.


I am unable to access jquery.jqzoom-1.0.1.js.

jquery.jqzoom1.0.1.js contains the same exploit. Line 1124. See attachment #2 for script to be removed.

Same with jquery.hoverIntent.minified.js and jquery.fancybox-1.3.1.js. Remove the coding before and after the /*qpi*/ tag.
I suggest you upgrade to jQuery 1.7.2.
http://docs.jquery.com/Downloading_jQuery


Your CSS files are NOT malicious. Zulu is warning of infection because they have links to your site, which is malicious.


Now for your HTML pages.

The homepage of your site is indeed infected. Check line 1518. Notice the <!--qpi--> and <!--/qpi-->. Remove everything in between.

Same with your 404 pages, which I assume are generated by your 404javascript.js. Remove the coding before and after the <!--qpi--> tags.

bestsellery-c-96.html, nowosci-c-31.html, and promocje-c-113.html also contain the same exploit mentioned above.

The following PHP pages do as well:
advanced_search.php
contact_us.php
create_account.php
shopping_cart.php

Reference: http://zulu.zscaler.com/submission/show/7917bf94ed0fee5bc56a206bc920db6b-1335100086
http://sitecheck.sucuri.net/results/http://www.lingerie4u.pl/

I'm assuming that the malcreants made a tool for javascript injection. Looks exactly alike. :-\
« Last Edit: April 22, 2012, 03:47:17 PM by !Donovan »
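A small cleanup helper along the lines of what !Donovan describes above, added here as an example and not code from the thread or from any poster: it cuts every `<!--qpi-->` ... `<!--/qpi-->` block (markers included) out of an HTML page, and, because the thread only says the JS injection sits around a single `/*qpi*/` comment, it reports each `/*qpi*/` hit in a JS file with its line number for manual review instead of cutting blindly. The sample inputs are constructed placeholders, not the real malscript.

```python
import re

# Marker strings quoted in the thread. The HTML pair delimits the injected block;
# for JS the thread gives only one marker, so JS hits are reported, not removed.
HTML_OPEN, HTML_CLOSE = "<!--qpi-->", "<!--/qpi-->"
JS_MARKER = "/*qpi*/"

# Non-greedy and DOTALL so a multi-line injection between the comments matches whole.
_HTML_BLOCK = re.compile(re.escape(HTML_OPEN) + r".*?" + re.escape(HTML_CLOSE), re.DOTALL)


def clean_html(text: str):
    """Return (cleaned_text, removed) with every <!--qpi-->...<!--/qpi--> block cut out."""
    removed = [m.group(0) for m in _HTML_BLOCK.finditer(text)]
    cleaned = _HTML_BLOCK.sub("", text)
    # An opener without a closer is left in place and flagged: never guess where it ends.
    if HTML_OPEN in cleaned:
        removed.append("UNPAIRED " + HTML_OPEN)
    return cleaned, removed


def find_js_marker(text: str, context: int = 40):
    """Return [(line_number, snippet), ...] for every /*qpi*/ marker in a JS file."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        pos = line.find(JS_MARKER)
        while pos != -1:
            start, end = max(0, pos - context), pos + len(JS_MARKER) + context
            hits.append((lineno, line[start:end]))
            pos = line.find(JS_MARKER, pos + 1)
    return hits


# Constructed sample inputs standing in for the infected pages discussed in the thread;
# the "injection" is an inert placeholder.
SAMPLE_HTML = (
    "<html><body><p>shop</p>\n"
    "<!--qpi--><script>/* injected placeholder */</script><!--/qpi-->\n"
    "</body></html>\n"
)
SAMPLE_JS = "(function(){var jQuery=1;})();\n/* placeholder */a()/*qpi*/b();\n"

if __name__ == "__main__":
    html, gone = clean_html(SAMPLE_HTML)
    print(f"removed {len(gone)} HTML block(s):", gone)
    for lineno, snippet in find_js_marker(SAMPLE_JS):
        print(f"review line {lineno}: {snippet!r}")
```

Run it over a backup copy of the site tree and diff the result before uploading anything; the JS report is meant to be read, not applied automatically.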

Pondus
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #7 on: April 22, 2012, 03:53:03 PM »
Quote
Your CSS files are NOT malicious. Zulu is warning of infection because they have links to your site, which is malicious.
Yepp... just checked those at VT and they come up clean.

chochor
Re: Zscaler does not flag, avast Webshield blocks as JS:Iframe-FH [Trj]
« Reply #8 on: April 22, 2012, 04:54:24 PM »
Oki, thanks,

!Donovan, are you able to fix this problem on my site? Write to me on my prv: bartek@lingerie4u.pl