Detected three hours ago - Gen:Variant.Graftor.127341 (B)

polonus · 2015-05-17T14:51:27.000Z

window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"32"},"share":{}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='htxp://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];

See: https://www.virustotal.com/nl/url/447a8d14dd1ce275dde1f1af6f67acc397720e3ef641d36c401477f1c813e4d4/analysis/1431874102/
No vulnerable libraries found - is this a FP?
Might have been taken down I get htxp://www.baidu.com/search/error.html
Here we see: http://labs.sucuri.net/db/malware/malware-entry-mwanomalysp8
Compare:

<script>window._bd_share_config={"common":{"bdSnsKey":{},"bdText":"","bdMini":"2","bdMiniList":false,"bdPic":"","bdStyle":"0","bdSize":"16"},"slide":{"type":"slide","bdImg":"7","bdPos":"right","bdTop":"146.5"}};with(document)0[(getElementsByTagName('head')[0]||body).appendChild(createElement('script')).src='htxp://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js?cdnversion='+~(-new Date()/36e5)];</script>

JavaScript malware-based attacks now account for a large fraction of successful mass-scale exploitation happening today.
Also read here: https://wordpress.org/support/topic/modify-twenty-fourteen-child-theme-singlephp
and see: https://github.com/nihgwu/iZhihu/blob/master/views/story.ejs
Part of this javascript code also found in a Cookie Cheat - body).appendChild(createElement(‘script’)).src =
The bookmarklet has been taken off.
Nameserver error on baidu dot com: http://www.dnsinspect.com/baidu.com/1431876457
FAIL: While quering domain’s records, some of your name servers didn’t responded. Name servers which didn’t responded:
udp4:61.135.165.235 → htxp://mx.n.shifen.com./ → http://mx.n.shifen.com./favicon.ico with a error 403
and WARNING: Found CNAMEs in MX records, invalid MX records: for mx.n.shifen.com: http://toolbar.netcraft.com/site_report?url=http://mx.n.shifen.com.

polonus

system · 2015-05-17T15:42:28.000Z

I found this at “4399 xiao you xi” as well 9669.com (a game market for android)
see: http://killmalware.com/a.4399.cn/
(here you can see a lot of

ã5.15ä¸å¨æ¸¸æç²¾éã4399ææºæ¸¸æä¸ºä½ æ¨èæ¯å¨ææ°æå¥½ç©æç²¾å½©çä¸å¨ç²¾éææ¸¸ï¼...

, which I belive is the discription of the ad content. Also,

“bdPic”:“htxp://f1.img4399.com/ma~29_20150515145436_5555982c7c6f4.jpeg”

This one actually load a image for the content successfully!)

and http://killmalware.com/www.9669.com/ (This is the short one you get) appearently removed NOT when I scan again, this time with 2 instead of 1
This look like it is somewhere in the banner ad

Might have been taken down I get htxp://www.baidu.com/search/error.html

You always have to consider that in normal browsing, you are not allow to access some ad directly. What I mean is that some ads content load only within a website. If you access it directly, you will usually get a "403 Forbidden" page or the error page. [b]So it have not been taken down.[/b]

http://labs.sucuri.net/db/malware/malware-entry-mwanomalysp8

I also get this usually when scanning Chinese site that look suspicious to me. What does this mean?

Edit:

This should be the script of a share content (using something) button. The file name [b]share.js[/b] proof this fact.

polonus · 2015-05-17T15:48:44.000Z

Hi rickyyeung,

Thanks for delving into this with me - as we analyze the Baidu code: http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js this is launching POP-UP ads.

Scanned against this retire.insecurity scanner scanning for javaScript libraries with known vulnerabilities,
: http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js
Detected libraries:
No vulnerable libraries found

Scanner output:
Scanning http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js …
Script loaded: http://bdimg.share.baidu.com/static/api/js/share.js?v=89860593.js
Status: success
Load time: 2791ms

So the code may be secure, some users that do not like pop-up ads may want to block this.
Been with this adware before: https://forum.avast.com/index.php?topic=168170.0

polonus

polonus · 2015-05-17T16:13:15.000Z

Hi rickyyeung,

It is good to see that Avast Online Security now alerts -a.4399.cn/mobile/ajax/special-index-id-89-lastId-.html for example.
Sucuri flags: ISSUE DETECTED DEFINITION INFECTED URL
Website Malware malware-entry-mwanomalysp8 htxp://a.4399.cn
Anomaly behavior detected (possible malware). Details: http://sucuri.net/malware/malware-entry-mwanomalysp8

System Details:
Running on: nginx/1.4.1
Via proxy: 1.1
Outdated Web Server Nginx Found: nginx/1.4.1 exploitable: http://nginx.org/en/security_advisories.html

Netcraft Risk Status 1 red out of 10: http://toolbar.netcraft.com/site_report?url=a.4399.cn

Funny Quttera does not detect anything: http://quttera.com/detailed_report/a.4399.cn

polonus

polonus · 2015-05-17T21:51:53.000Z

Hi rickyyeung,

In reply to your question.

On share.js - This module is using Share.js library for sharing nodes on different social
networks. Should go here: share.js file in path sites/all/libraries/share.js/src/share.js
https://github.com/vutran/share.js
Detected libraries:
jquery - 2.1.3 : https://assets-cdn.github.com/assets/frameworks-5c08de317e4054ec200d36d3b1361ddd3cb30c05c9070a9d72862ee28ab1d7f9.js
No vulnerable libraries found

Scanner output:
Scanning https://github.com/vutran/share.js …
Script loaded: https://assets-cdn.github.com/assets/frameworks-5c08de317e4054ec200d36d3b1361ddd3cb30c05c9070a9d72862ee28ab1d7f9.js
Script loaded: https://assets-cdn.github.com/assets/github/index-b79817a43c4618022b9ecd18dadd96010ccecbb12b56fcc232664db1f897e3a8.js
Status: success
Load time: 3059ms

pol

polonus · 2015-05-18T20:46:10.000Z

Consider this malware detected 1 day ago: http://killmalware.com/a.4399.cn/
Consider for example: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=http%3A%2F%2Fa.4399.cn%2Fgame-id-47750.html&useragentheader=&acceptheader=
See: http://forum.wenming.cn/posts/00/13/8A/9B/Ac1f79541-1a28-440f-bc6e-58def787ab1f.dat
Detected as Adware: http://lavasoft.com/mylavasoft/malware-descriptions/blog/GenVariantFakeAlert9600956e5276
response body → var a=0; etc. could be part of JS:HideLink-A [Trj] (Event Object) → jss/trace_news.js?2015051417114
going to htxp://tracenews.5054399.com/trace.js?addd=“+a+”&uddd=“+escape(u)+”&tddd= tracing to chromium/webkit/javascript. This has Trojan/Android.Agent = Trojan.DR.Agent!/zs0u3nU1qk
fake pokemon game…where rickyyeung reported about here: https://forum.avast.com/index.php?topic=155727.0
So still around.

polonus

Announcements