Exploit/JS Agent not detected...but blocked by Webshield...

See: VT scan: http://www.virustotal.com/url-scan/report.html?id=78a458ef21579cc12b79c5fccd04128a-1304094885

VT File results: http://www.virustotal.com/file-scan/report.html?id=24b3a18e6b327850dfb169b599a4714a4ac02c9bd1417a1b879fc427b6c95c01-1304102478

Site detected by Bitdefender Traffic Light and blocked…
file hash d02b10ee373a084803dc66320fb63f7c
Emsisoft detects it as Exploit.JS.Agent!IK. See:
http://vscan.urlvoid.com/analysis/d02b10ee373a084803dc66320fb63f7c/ZWNhcmRz/

Found malicious here: http://wepawet.iseclab.org/view.php?hash=78a458ef21579cc12b79c5fccd04128a&t=1304079171&type=js

See this domain report: http://wepawet.iseclab.org/domain.php?hash=1a25cda0e1e6b78c6d8087487d8421b3&type=js

reported via virus AT avast dot com

polonus

Hi forum friends,

Well I have to say that as the downloader tries to contact steoo dot com, the avast Webshield will neatly block the malware URL as JS:Downloader-AM [Trj], so we are protected by the Webshield against this exploit, which might even be a threat on Vista SP1 (F-Secure flags it as Trojan:W32/Agent.IHN.).

polonus

avast doesn't pick up on the script as it appears on the original webpage, but it does alert in Malzilla when de-obfuscating it.

Hi spg SCOTT,

Thanks for giving your observations while testing; it is very rewarding and helpful that you checked that. As I got the Webshield alert when I was trying to open a page with the original exploit code, that could be interpreted as similar to what you experienced after de-obfuscation. So the morphed version could go under the radar; report that to virus AT avast dot com so we can have protection for the obfuscated variant as well.

polonus

Sent, via email and chest :wink:

I am guessing a little here, but since avast can catch the plain form, it may not be such a big thing, since once the connection is attempted I would assume that is where it catches it. It would be nice to get it earlier though :slight_smile: