Is this a real virus?

See this DrWeb url check:
Checking: htxp://ad-crazy.com/plugins/loader.js
Engine version: 7.0.2.4281
Total virus-finding records: 3063470
File size: 15.52 KB
File MD5: ad744a3475a0ba8fe3c78e0a22932c7b

htxp://ad-crazy.com/plugins/loader.js probably infected with SCRIPT.Virus
see: http://sitecheck.sucuri.net/results/ad-crazy.com/plugins/loader.js
Malware: http://labs.sucuri.net/db/malware/malware-entry-mwjsiframe213
Blacklisting http://www.siteadvisor.com/sites/ad-crazy.com
Cloudflare phishing site with Iframe malware? avast Webshield detects this as JS:ScriptPE-inf[Trj],

polonus

Hi Polonus

htxp://urlvoid.com/scan/ad-crazy.com/

Warning: the domain was detected by 4 engines in the past 7 days.

http://www.scumware.org

Identifies it as this:

12-07-30 19:27:16 htxp://ad-crazy.com/plugins/loader.js AD744A3475A0BA8FE3C78E0A22932C7B 141.101.125.111 EU Virus identified Exploit.PDF

Anthony

*Currently Scanning the JS file *

https://www.virustotal.com/url/f4424ec7332f8fdf75cb57bca025280da99133e7d397f016ab9ce757d0942cc6/analysis/1344116078/

MALICIOUS SITE DETECTED!

SCUMWARE.org URL description: This URL is or was distributing a malware variant of Virus identified Exploit.PDF
Sophos URL description: URL subjected to threat Mal/HTMLGen-A
Websense ThreatSeeker URL category: Malicious Web Sites
Sophos domain information: The URL host was subjected to threat Mal/HTMLGen-A
Wepawet report: htxp://128.111.48.236/view.php?hash=c515cc882ad779b82b3a309534372217&t=1336417782&type=js
URL after redirects: htxp://ad-crazy.com/plugins/loader.js
Response code: 200
Response headers:
content-length: 15889
via: HTTP/1.1 GWA (remote cache hit)
x-powered-by: PleskLin
cf-cache-status: EXPIRED
x-google-cache-control: remote-cache-hit
vary: Accept-Encoding
expires: Thu, 09 Aug 2012 21:01:44 GMT
server: cloudflare-nginx
last-modified: Sat, 30 Jun 2012 14:50:11 GMT
connection: keep-alive
etag: "18403dd-3e6f-4c3b1ae82591f"
cache-control: public, max-age=432000
date: Sat, 04 Aug 2012 21:01:44 GMT
content-type: text/javascript
age: 1975
Response content SHA-256: e63d4690de025be60df2e39290919d0158e635bf27ab514cd21000f4e7cf86fd

Hi adotd,

I am aware of that, but why is it that with VT now only DrWeb flags it as Possible SCRIPT.virus?
See: http://virusscan.jotti.org/en/scanresult/2628edef6c90fe72c8e17a1430fbc8b8ff5911c8
Exploit-PDF.a is "a detection for a specially crafted PDF file that exploits the Adobe Acrobat Mailto Unspecified PDF File Security Vulnerability to execute malicious code on a computer", insofar as it "attempts to exploit vulnerabilities in the popular Adobe Acrobat Reader program. It is a generic detection,

so in the event that the detection occurs on a PDF file you are certain is from a trusted source, this may potentially be a False Positive".
The first quote is from McAfee Threat Centre info and the second quote from F-Secure Labs info.

polonus

*Currently Scanning the JS file *

https://www.virustotal.com/url/f4424ec7332f8fdf75cb57bca025280da99133e7d397f016ab9ce757d0942cc6/analysis/1344116078/


No, you are not.

So I did :wink:
https://www.virustotal.com/file/a6b28f77a4c6aab1d544892a3ca5785b501c2285e298799298b44eff10b7e70e/analysis/1344116485/

First seen by VirusTotal
2012-08-04 21:35:17 UTC ( 8 minutes ago )

Hi Pondus,

Thanks for that scan result; the VT result is exactly the same as the URL check result from DrWeb's online URL checker: (possible) SCRIPT virus.
So it could be another malcode variant of the earlier script versions that were spawned from there and scumware-listed.
The obfuscated Base64 code has 15895 characters, with no line breaks, and you can analyze it with the usual viewers we use,
and http://labs.sucuri.net/db/malware/malware-entry-mwjsiframe213 explains what this malcode is trying to perform,

polonus

Base64 is defined as an object which is later given functions to simulate PHP's Base64 functions (e.g. Base64.encode).

It checks if the referrer URL contains a string using location["href"]["indexOf"](value) == -1, where value represents the string to be checked:
http://stackoverflow.com/questions/4597050/how-to-check-if-the-url-contains-a-given-string-javascript-jquery

Then returns certain javascript files based on the return. Cookies are also present.

Deobfuscated results: http://pastebin.com/GWp6qNBX
VirusTotal results of deobfuscated content: https://www.virustotal.com/file/ac7e09cea9e254a73baacc58423abdf38635b81872c5d7c7126f730ea32761f0/analysis/1344118728/

Not Malicious,
~!Donovan

Hi !Donovan,

So you have analyzed the inner workings of this and have found it to be benign; then it is a DrWeb FP?
Isn't it the same as what is given at the Sucuri scan and that their analyzers give as malicious?
This is a redirect from sites that contain content from shersby.net, a site known to distribute malware,
injected into WP or other CMSs. See: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fshersby.net%2FsTDS%2Fgo.php%3Fsid%3D1&client=googlechrome&hl=en-GB

polonus

Yes

Sucuri most likely detects due to same-packer detection:

Sucuri Example:

var _0xdb04=
["\x3C\x69\x66\x72\x61\x6D\x65\x20\x77\x69\x64\x74..
\x68\x3D\x22\x30\x22\x20\x68\x65\x69\x67\x68\x74\x3D..
\x22\x30\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x64\x69..
\x73\x70\x6C\x61\x79\x3A\x20\x6E\x6F\x6E\x65\x3B\x22..
\x20\x66\x72\x61\x6..

Compared to loader.js:

Base64={};
Base64["\x50\x41\x44\x43\x48\x41\x52"]="\x3D";
Base64["\x41\x4C\x50\x48\x41"]="\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4A\...";
Base64["\x67\x65\x74\x62\x79\x74\x65\x36\x34"]=function(_0xf71cx0,_0xf71cx1){
var _0xf71cx2=Base64["\x41\x4C\x50\x48\x41"]["\x69\x6E\x64\x65\x78\x4F\x66"](...

They are noticeably different, and the pattern doesn’t match those of real malcode we’ve been studying.

~!Donovan
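The static decoding !Donovan describes (hex-escaped property names on a Base64 shim, the location["href"]["indexOf"](value) == -1 gate, and the same-packer comparison against Sucuri's "\x"-escaped iframe string) is shown below as an added example; it is not part of the original thread and not the analyzed loader.js. The SAMPLE script is constructed here to imitate the quoted pattern, and the indicator names returned by triage() are this example's own. It resolves escapes with a regex pass rather than evaluating the script, so it can be run on an untrusted file without executing it. Fed the Sucuri fragment quoted above, the same decodeEscapes() pass yields the start of <iframe width="0" height="0" style="display: none;" ... , which is what Sucuri's malware entry describes.

```javascript
'use strict';

// Constructed sample imitating the quoted obfuscation style; NOT the real
// loader.js. The escapes spell out an <iframe ... display: none;> string,
// Base64.PADCHAR = "=", and a location.href.indexOf("twitter") == -1 gate.
const SAMPLE = String.raw`var _0xdb04=["\x3C\x69\x66\x72\x61\x6D\x65\x20\x77\x69\x64\x74\x68\x3D\x22\x30\x22\x20\x73\x74\x79\x6C\x65\x3D\x22\x64\x69\x73\x70\x6C\x61\x79\x3A\x20\x6E\x6F\x6E\x65\x3B\x22\x3E"];
Base64={};
Base64["\x50\x41\x44\x43\x48\x41\x52"]="\x3D";
if(location["\x68\x72\x65\x66"]["\x69\x6E\x64\x65\x78\x4F\x66"]("\x74\x77\x69\x74\x74\x65\x72")==-1){document.write(_0xdb04[0]);}`;

// Resolve \xNN and \uNNNN escapes to printable ASCII. Quotes and backslashes
// are re-escaped so the result stays valid source; control and non-ASCII
// characters are left in escaped form (they are usually payload bytes).
function decodeEscapes(src) {
  return src.replace(/\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})/g, (m, hex2, hex4) => {
    const cp = parseInt(hex2 !== undefined ? hex2 : hex4, 16);
    const ch = String.fromCharCode(cp);
    if (ch === '"' || ch === "'" || ch === '\\') return '\\' + ch;
    if (cp < 0x20 || cp > 0x7e) return m;
    return ch;
  });
}

// Rewrite obj["ident"] as obj.ident once the property name is readable.
function collapseBracketAccess(src) {
  return src.replace(/\["([A-Za-z_$][\w$]*)"\]/g, '.$1');
}

function deobfuscate(src) {
  return collapseBracketAccess(decodeEscapes(src));
}

// Every double-quoted string literal after escape resolution; this is the
// list an analyst reads first (markup, hostnames, cookie names, gates).
function stringLiterals(src) {
  const re = /"((?:[^"\\]|\\.)*)"/g;
  return [...decodeEscapes(src).matchAll(re)].map((m) => m[1]);
}

// Indicators used in this example (names are this example's own):
//  escapedChars - how many \xNN escapes the raw source carries (packer density)
//  hiddenIframe - decoded text builds an <iframe ... display: none> element
//  hrefGate     - decoded text branches on location.href.indexOf(...)
//  base64Shim   - decoded text defines the PADCHAR/ALPHA/getbyte64 Base64 shim
function triage(src) {
  const decoded = deobfuscate(src);
  return {
    escapedChars: (src.match(/\\x[0-9A-Fa-f]{2}/g) || []).length,
    hiddenIframe: /<iframe[^>]*display:\s*none/i.test(decoded),
    hrefGate: /location\.href\.indexOf\(/.test(decoded),
    base64Shim: /\bBase64\.(PADCHAR|ALPHA|getbyte64)\b/.test(decoded),
    decoded,
  };
}

const report = triage(SAMPLE);
console.log(report.decoded);
console.log('strings:', stringLiterals(SAMPLE));
console.log({
  escapedChars: report.escapedChars,
  hiddenIframe: report.hiddenIframe,
  hrefGate: report.hrefGate,
  base64Shim: report.base64Shim,
});
```

Run it against a saved copy of a suspect script (node deobf.js after replacing SAMPLE with the file contents) and read the string list before anything else: a packer that only hides property names on a Base64 helper looks very different from one that hides an iframe and a referrer gate, which is the distinction the thread is arguing about.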

The obfuscation algorithm is possible with JavaScript Obfuscator v3.1 & HTML Obfuscator. I have copies myself. :wink:

Hi !Donovan,

So that is confirming: ad-crazy.com/plugins/loader.js benign
[nothing detected] ad-crazy.com/plugins/loader.js
status: (referer=http:/twitter.com/trends/)saved 15889 bytes 2407a1fcd42a3db104ec9794db0922884769d488
info: [decodingLevel=0] found JavaScript
file: 2407a1fcd42a3db104ec9794db0922884769d488: 15889 bytes
But it still leaves me with these web rep issues for the main address:
http://www.mywot.com/en/scorecard/ad-crazy.com?utm_source=addon&utm_content=popup-donuts
so I would not exclude the use of it in spamming,

polonus

Is this a real virus?
yes it is ;) according to Norman lab
Detection added. It does have a crypted code which redirects to an unwanted webpage.

Thanks,

GD

loader.js - Crypted.BK

All the links I see are first-party and not cross-site scripting. Do they define advertising as unwanted? What has this site done is the past?

Hi !Donovan,

Just what I could establish in general, my web-analyzing friend.
Later maybe more in-depth details, because as for now it is a heuristic detection.
But we are about to nail this one down, because we have scented it out,
and we should now be a little tenacious to get to the final conclusive results.
Kudos to the DrWeb analyst team for this initial find.
Your left eye should be on DrWeb results, and your right eye on avast's ;D

The site is a known PHISHING site.
The AS is known as Name: CLOUDFLARENET - CloudFlare, Inc.
IPs allocated: 45312
Blacklisted URLs: 78

Hosts…
…malicious URLs? Yes
…badware? Yes
…botnet C&C servers? No
…exploit servers? Yes
…Zeus botnet servers? No
…Current Events? Yes
…phishing servers? Yes

This was detected there after a zulu Zscaler re-scan: http://zulu.zscaler.com/submission/show/3892564876e896417b78839bee7f34b7-1344178604

Malware is known as maljava.gen see: https://www.virustotal.com/file/e63d4690de025be60df2e39290919d0158e635bf27ab514cd21000f4e7cf86fd/analysis/

Users should keep their Java updated and patched, because Java malware infections have been seen to be very successful recently, exploiting CVE-2012-1723 initially, and malcreants are more and more exploiting CVE-2012-1723 to try and infest systems.
Moreover, I haven't found IDS alerts as yet, but it could be that there is Blackhole exploit activity from there.
That is not to be excluded, and then the maljava variety exploit,

pol

DrWeb lab:

Threat: JS.Adcrazy.1

Original file name: loader.js
File size: 15889
MD5: ad744a3475a0ba8fe3c78e0a22932c7b

http://online1.drweb.com/cache/?i=8d8e5291796c0534419139bd8ae324db

Hi Dim@rik,

Nice to have that added to both avast’s and DrWeb’s detection.
Keep up the good work,

polonus