Again the avast Web Shield blocks a Trojan as JS:Decode-BHU[Trj].

See: http://aw-snap.info/file-viewer/?tgt=http%3A%2F%2Floyalaw.com&ref_sel=Google&ua_sel=ff
Could not open the page in jsunpack, because avast Web Shield immediately jumped on the code and blocked it as JS:Decode-BHU[Trj].
#32f02e# in line 62 looks like a color number, but the extra # gives it away as malcode. The site was hacked, and the malcode starts from the following line.
Firekeeper also alerts on that code:

=== Triggered rule ===
alert(url_content:"%3C"; url_content:"%22"; url_content:"%3E"; msg:"Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like."; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?client=flock&channel={flock:context}&q=if(empty(%24caye))+{+%24caye+%3D+"+<+sc+ript+type+%3D\"text%2Fjavasc+ript\"+language%3D\"javasc+ript\"+>+fnwdma%3D\"s\"%2B\"p\"%2B\"li\"%2B\"+t\"%3Bhfsx%3Dwi+ndow%3Bhpi%3D\"dy\"%3B&ie=utf-8&oe=utf-8&aq=t

Why the site was hacked: outdated WP version, see http://sitecheck.sucuri.net/results/loyalaw.com (Sucuri misses the trojan).

pol
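As an added illustration (not code from the post or from Firekeeper), here is a small re-implementation of the quoted Firekeeper rule: it flags a GET request whose query string carries the HTML characters `<`, `"` and `>` (on the wire as %3C, %22, %3E), and adds the thread's own "sc ript" split-tag heuristic. The sample request is the one quoted above; the detector and its field names are my own.

```javascript
// Added example, not code from the forum post or from Firekeeper.
// The Firekeeper rule matches the percent-encoded bytes %3C, %22 and %3E on the
// wire; here the query is decoded first so the same check also catches the
// half-encoded form in which the request was pasted into the thread.
const HTML_CHARS = ['<', '"', '>'];
const RULE_MSG =
  'Suspicious looking GET request containing %3C, %3E, and %22. Suspiciously HTML-like.';

function decodeQuery(query) {
  // '+' means space in application/x-www-form-urlencoded query strings.
  try {
    return decodeURIComponent(query.replace(/\+/g, ' '));
  } catch (e) {
    // A malformed %-sequence must not crash a detector; inspect the raw string.
    return query;
  }
}

function inspectRequestUrl(url) {
  const queryStart = url.indexOf('?');
  if (queryStart === -1) {
    return { triggered: false, hits: [], splitScriptTag: false, msg: null };
  }
  const query = decodeQuery(url.slice(queryStart + 1));
  const hits = HTML_CHARS.filter((c) => query.includes(c));
  // The rule ANDs its three url_content conditions: all must be present.
  const triggered = hits.length === HTML_CHARS.length;
  // Secondary heuristic from the thread: the payload spelled the tag as
  // "sc ript" / "javasc ript" to defeat naive matching; removing whitespace
  // makes the tag name reappear.
  const splitScriptTag = /<script/i.test(query.replace(/\s+/g, ''));
  return { triggered, hits, splitScriptTag, msg: triggered ? RULE_MSG : null };
}

// Request URL as quoted in the post (copied here; backslashes escaped for JS).
const SAMPLE_REQUEST =
  'http://www.google.com/search?client=flock&channel={flock:context}&q=if(empty(%24caye))+{+%24caye+%3D+"+<+sc+ript+type+%3D\\"text%2Fjavasc+ript\\"+language%3D\\"javasc+ript\\"+>+fnwdma%3D\\"s\\"%2B\\"p\\"%2B\\"li\\"%2B\\"+t\\"%3Bhfsx%3Dwi+ndow%3Bhpi%3D\\"dy\\"%3B&ie=utf-8&oe=utf-8&aq=t';
// Constructed benign search for comparison.
const BENIGN_REQUEST = 'http://www.google.com/search?client=flock&q=avast+web+shield&ie=utf-8';

console.log(inspectRequestUrl(SAMPLE_REQUEST)); // triggered: true, splitScriptTag: true
console.log(inspectRequestUrl(BENIGN_REQUEST)); // triggered: false, splitScriptTag: false
```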

This snippet in the code almost immediately gives away its insecurity and that it could potentially be malicious; here it actually is malicious:

 ==^^O31))^^nniuf+=st​ring[\"from^^CharCode\"](ev​al(vq^vu^wg+h^fs^x[1*ur​nsnb]) +

^-broken by me, Pol
eval() may be abused in the pre-onload phase of the webpage; therefore it is vital that eval-generated JS malcode is immediately blocked by the avast! Web Shield.

polonus

seems there is a blackhole exploit there… just a minute

here it is
https://www.virustotal.com/nb/file/903d3bb82a9e4e54cbcf1ee0535b4f2d4ca509bc14655a8ac915d0d4d8b377ce/analysis/1379771909/

urlQuery http://urlquery.net/report.php?id=5737058

polonus, i used to wonder why you posted stuff like that… now i understand…

do you know if the avast program will flag malicious “JAR” files (blackhole exploit kits) in realtime?

i am thinking that most av-programs fail to flag malicious “JAR” files in realtime and i have my reasons for thinking that…

Hi redwolfe_98,

Yep, think so, if they can decode the URL that fetches the blackhole exploit kit in real time, see this article by Erik Heuser:
https://blogs.rsa.com/beyond-the-zero-day-reverse-engineering-malicious-class-files/
But IDS will also produce the anomaly pattern here as "ssp_ssl: Invalid Client HELLO after Server HELLO Detected" (on the network layer, OSI layer 3, and the transport layer, OSI layer 4)!

Embedding script tags in URLs/HTTP requests will incite unaware users to click on them, enabling malicious JavaScript to be executed on the client (the victim's machine). This becomes possible when input/output validation by the server to reject active code/JS or code characters is not performed or has failed.
In this case the HTML-tag/script inclusion was an applet (but it could have been an object, iframe, frame, xml, blink, obfuscated link etc. etc.; there are just as many possibilities as user manipulation was allowed to take place!). The cause of all this nastiness and the aftermath of it is "insecure practices!".

AV should have static and dynamic detection rules and incorporate various detection methods for the various OSI layers, else it won't even "see" it happen.

polonus

The avast! shields are really good. This was removed from the Interwebs, but is still available through the google cache: htxp://webcache.googleusercontent.com/search?client=flock&channel=%7Bflock%3Acontext%7D&q=cache:Q3WUgdwU48IJ:http://necro.blaze-network.com/pages/default.php%3Fact%3Df%26f%3Dbackground.jpg%26ft%3Dinfo%26base64%3D3%26d%3DC%253A%255Cinetpub%255CWEBSITE%255Cimages%255C%2BJS:Decode-BHU[Trj].&oe=utf-8&hl=en&ct=clnk I broke the link as you would not like to go to this backdoor shellscript publication.
Good thing is avast! Web Shield blocks this background.jpg as HTML:Backdoor-B[Trj] in the browser executable process.

polonus