Is there a process I need to go through to verify this and submit for verification? i.e. how can I verify that this is indeed a trojan? or should I submit via a different method?
When I open the page I get alerts… it is downloaded to the temporary internet files…
Here are the log-entries:
13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\*myname*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\EmphasizeText[1].css" file.
13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\*myname*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\MenuBar[1].css" file.
13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\*myname*\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\MainContent[1].css" file.
possibly that helps…
I have the files in my chest now if someone needs them.
Looks like Firefox doesn't raise an alert, why that might be I don't know, could this have something to do with the recent Firefox update to 3.0.11 ???
You are tricked here because part of the cross-site script was wrapped "out of site/“sight”. That is why it is so difficult to detect, my friend. Read the online blogs on this devious malcode.
Not gonna argue here, but the final result is the same, form of terminology, redirect is not to the same domain. I googled the code sequence and I found the verdict that rolled out there, not gonna argue with Google nor with Snort rules there, be it whatever it should be termed.
For the strict it is malcode or exploitable, it should be cleansed.
I only have your edited script for reference, which is why I post images so there is no possibility of code being mistaken or having to be heavily edited so as not to see its intent.
The real problem as onlysomeone posted are the redirects in the .css files. I uploaded one of them (EmphasizeText.css) to VT and there were lots of hits.
Examples are not really going to help the OP or us to see what is on the site.
This image is what I posted in our other forum about this and it doesn’t show anything outside that is going to get wrapped or joined or appended, it is a relative link to the favicon.ico, that’s all.
The others to the .css files are what cause the alert by the standard shield as by default the web shield doesn’t scan text/css files. Now if we are starting to see infected .css files then perhaps we should be scanning them with the web shield. I believe from the other forum we are going to check if .css should be added to scanning by default.
So I guess we could add .css to the list for scanning inside the web shield or rather remove the exclusion.
Update, I have deleted the text/css exclusion and restarted the web shield and visited the site again and got three alerts one for each of the infected .css files. For me that is preferable to the file being downloaded into the browser cache and being detected by the standard shield.
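The thread makes two practical points: the standard shield's log lines tell you exactly which cached files were flagged, and the web shield missed them only because text/css was excluded from scanning. The script below is an added example (not code from the thread, from avast, or from any of the posters) that parses alert lines in the format quoted above and then inspects the body of each flagged stylesheet for constructs that do not belong in CSS, such as a script tag or a location redirect, without trusting the file extension or MIME type. The log lines, user name and stylesheet bodies are constructed samples; the `redirect.invalid` host is a placeholder, and the indicator list is a generic triage heuristic, not the signature the scanner used.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample log lines in the alert format quoted in the thread
# (the account name "someuser" stands in for the poster's redacted user name).
SAMPLE_LOG = r'''
13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\someuser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\EmphasizeText[1].css" file.
13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\someuser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\MenuBar[1].css" file.
13.06.2009 21:21:56 1244920916 SYSTEM 1180 Sign of "JS:Redirector-B [Trj]" has been found in "C:\Users\someuser\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\YVX71QWF\MainContent[1].css" file.
'''

# One alert line: date, time, epoch, account, pid, signature name, flagged path.
ALERT_RE = re.compile(
    r'^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) (?P<epoch>\d+) '
    r'(?P<account>\S+) (?P<pid>\d+) Sign of "(?P<signature>[^"]+)" has been found in '
    r'"(?P<path>[^"]+)" file\.$'
)


def parse_alert(line):
    """Parse one alert line into a dict, or return None if the line is not an alert.
    Curly quotes (as pasted from a forum) are normalised to straight quotes first."""
    line = line.strip().replace('\u201c', '"').replace('\u201d', '"')
    m = ALERT_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['epoch'] = int(rec['epoch'])
    rec['pid'] = int(rec['pid'])
    path = PureWindowsPath(rec['path'])
    rec['filename'] = path.name
    rec['extension'] = path.suffix.lower()
    rec['cache_dir'] = str(path.parent)
    return rec


def summarize(log_text):
    """Group alerts by signature and count the file extensions and cache folders hit.
    Seeing every hit land on .css shows why a text/css scan exclusion matters."""
    by_sig = defaultdict(lambda: {'count': 0, 'extensions': defaultdict(int), 'cache_dirs': set()})
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        entry = by_sig[rec['signature']]
        entry['count'] += 1
        entry['extensions'][rec['extension']] += 1
        entry['cache_dirs'].add(rec['cache_dir'])
    return by_sig


# Constructs that have no place in a stylesheet but are typical of script injected into one.
SCRIPT_MARKERS = [
    (re.compile(r'<\s*script\b', re.I), 'html script tag'),
    (re.compile(r'<\s*iframe\b', re.I), 'html iframe tag'),
    (re.compile(r'javascript\s*:', re.I), 'javascript: URL'),
    (re.compile(r'(window|document|top|self)\s*\.\s*location', re.I), 'location redirect'),
    (re.compile(r'\bexpression\s*\(', re.I), 'IE CSS expression()'),
    (re.compile(r'\b(eval|unescape)\s*\(', re.I), 'eval/unescape call'),
    (re.compile(r'String\.fromCharCode', re.I), 'char-code decoding'),
]


def css_script_indicators(text):
    """Return the names of all script indicators present in a stylesheet body."""
    return [name for rx, name in SCRIPT_MARKERS if rx.search(text)]


def triage(log_text, cache):
    """Map each flagged file name to its indicator list (None if we have no copy of it).
    `cache` maps file name -> body; on a real machine it would be read from the Chest."""
    report = {}
    for line in log_text.splitlines():
        rec = parse_alert(line)
        if rec is None:
            continue
        body = cache.get(rec['filename'])
        report[rec['filename']] = None if body is None else css_script_indicators(body)
    return report


# Constructed stylesheet bodies: one benign, one with a script block appended after the rules.
CLEAN_CSS = """
.emphasize { font-weight: bold; color: #c00; }
#menubar a:hover { text-decoration: underline; }
"""
SUSPECT_CSS = """
.emphasize { font-weight: bold; }
<script>window.location="http://redirect.invalid/";</script>
"""

if __name__ == '__main__':
    for sig, info in summarize(SAMPLE_LOG).items():
        print(sig, info['count'], dict(info['extensions']), sorted(info['cache_dirs']))
    sample_cache = {'EmphasizeText[1].css': SUSPECT_CSS, 'MenuBar[1].css': CLEAN_CSS}
    for name, indicators in triage(SAMPLE_LOG, sample_cache).items():
        print(name, '-> no copy available' if indicators is None else indicators)
```

A stylesheet whose triage list is empty is not thereby proven clean, since the scanner may have matched an obfuscated form these patterns do not catch; the point is that inspecting the flagged file's actual content answers "is this a false positive?" more reliably than the extension or the served Content-Type, which is exactly the gap the text/css exclusion left open.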
So to clarify, is this site infected, false positive, or a matter of loose coding? Should I contact the author of the site or is there a way for me to view the site correctly (given it's not infected)?