Hello, I received a pop-up box from Avast telling me that it had intercepted a trojan
before any harm had been done. It occurred visiting the following site while using Firefox 3:
hxxp://torrent-finder.com/
Here’s the info from the log:
1/25/2009 4:14:54 PM SYSTEM 1428 Sign of “JS:Packed-T [trj]” has been found in “hxxp://van.eo1qiowr1ew.com/zyowoiurqwo/pdf.php?id=3673” file.
1/25/2009 4:14:54 PM SYSTEM 1428 Sign of “JS:Packed-T [trj]” has been found in “hxxp://van.eo1qiowr1ew.com/zyowoiurqwo/pdf.php?id=3673&vis=1” file.
1/25/2009 4:15:14 PM SYSTEM 1428 Sign of “JS:Packed-T [trj]” has been found in “hxxp://van.eo1qiowr1ew.com/zyowoiurqwo/pdf.php?id=3673&vis=1” file.
My question is, where is the vulnerability? Is Firefox to blame? OR are JS-type exploits impossible to stop, without turning off JS completely?
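As an added example (not part of the original post), here is a small Python parser for Avast log lines like the three quoted above. It pulls out the signature name and URL, keeps URLs defanged, and tallies alerts per host so you can see at a glance whether the flagged host is the site you visited or a third party that page loads. The sample lines are the ones from the post, copied into the script as constructed input; the function names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample: the three Avast log lines quoted in the post,
# with the URL scheme already defanged to hxxp by the poster.
SAMPLE_LOG = """\
1/25/2009 4:14:54 PM SYSTEM 1428 Sign of "JS:Packed-T [trj]" has been found in "hxxp://van.eo1qiowr1ew.com/zyowoiurqwo/pdf.php?id=3673" file.
1/25/2009 4:14:54 PM SYSTEM 1428 Sign of "JS:Packed-T [trj]" has been found in "hxxp://van.eo1qiowr1ew.com/zyowoiurqwo/pdf.php?id=3673&vis=1" file.
1/25/2009 4:15:14 PM SYSTEM 1428 Sign of "JS:Packed-T [trj]" has been found in "hxxp://van.eo1qiowr1ew.com/zyowoiurqwo/pdf.php?id=3673&vis=1" file.
"""

# Accepts both straight quotes and the curly quotes the forum rendered.
LINE_RE = re.compile(
    r'^(?P<date>\d{1,2}/\d{1,2}/\d{4}) (?P<time>\d{1,2}:\d{2}:\d{2} [AP]M) '
    r'(?P<user>\S+) (?P<pid>\d+) Sign of [“"](?P<sig>[^”"]+)[”"] '
    r'has been found in [“"](?P<url>[^”"]+)[”"] file\.$'
)


def parse_log(text):
    """Parse Avast web-shield log lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def defang(url):
    """Rewrite http/https to hxxp/hxxps so the URL cannot be clicked by accident."""
    return re.sub(r'^http(s?)://', r'hxxp\1://', url, flags=re.IGNORECASE)


def host_of(url):
    """Return the hostname of a possibly defanged URL (the URL itself stays defanged)."""
    live = re.sub(r'^hxxp(s?)://', r'http\1://', url, flags=re.IGNORECASE)
    return urlsplit(live).hostname or ""


def summarise(records, visited_host):
    """Count alerts per host and report whether the site you actually visited was flagged."""
    hosts = Counter(host_of(r["url"]) for r in records)
    return {"alerts_per_host": dict(hosts), "visited_site_flagged": visited_host in hosts}
```

Running `summarise(parse_log(SAMPLE_LOG), "torrent-finder.com")` shows all three alerts against one third-party host and none against torrent-finder.com itself, which is the distinction the replies below turn on.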
Firefox isn’t to blame; it’s just that there appears to be malware at the reported site (3 times). So I can only assume that torrent-finder.com has links to this site.
To be honest, I’m not too surprised that avast will find malware at torrent sites, as they are not trusted sites, just someone hosting torrent uploads, so you really never know what you are going to find at the other end.
Interestingly the DrWeb link scanner doesn’t like the site that avast is alerting on either…
@ Jtaylor83, looks like you only checked the torrent-finder site and not what avast detected.
So yes there is a vulnerability, but avast has saved your bacon.
I’ve disabled the links with hxxp.
Look, you’re right, avast saved my bacon this time. You may look down upon torrent sites in general, but you know as well as I do that this kind of exploit does make it into absolutely legitimate sites, albeit usually through being hacked rather than anything malicious on the part of the site.
You might say that my chances of something happening increased because the site is related to p2p, but surely it depends. If I picked up something similar from a hacked legitimate site, what would happen to my false sense of security then?
You say Firefox isn’t to blame. Just because malware exists at the remote site, by what mechanism on my PC does it get to be downloaded and installed? Shouldn’t FF stop this?
Yes, this does make it onto ‘hacked’ legitimate sites, but you really can’t compare it with the risk of what you might download from an unknown torrent location.
If you were using any browser, IE, Opera, etc., it wouldn’t stop this either.
The problem isn’t at the torrent-finder site but at the other site that it has found for what you are searching for. Avast doesn’t alert on the torrent-finder site; that was the first thing I checked, to see if there wasn’t some sort of redirect, injected iframe tag or script tag, etc.
Hi DavidR, thanks for responding.
In my case, the exploit was caught as soon as I entered torrent-finder.com home page.
I had yet to enter any search arguments or hit any key.
This problem has nothing at all to do with any torrent content, nor selecting a link and navigating on from Torrent-finder.
There must be something that happens automatically, when JS is turned on in the browser.
How else could you account for it?
OK, I use firefox with NoScript add-on (I suggest you get that if you haven’t already) so that would stop any scripts from running that may try to run in the background, but I’m loath to allow scripts on the torrent-finder site just to check it out.
OK, I relented, and trying to view the page source produces some weird results: the script is all on a single line and it looks like it has a javascript file it runs to populate the page. Though with everything on a single line and no way to check out the .js file, it is difficult to know what is going on behind the scenes.
However, enabling javascript temporarily for torrent-finder didn’t cause avast to alert, even allowing sharethis.com and still no alert, so I really don’t know what is going on at this site and there is nothing else that I can do to try and find out.
Well, turning something off (javascript) is something that works across the board; it is either on or off for everything. With NoScript all scripts (more than simply javascript) are disabled, and sites that you trust can be allowed/whitelisted; for other sites which require it you can temporarily allow it for that visit.
However, in that case, I did not find out where it came from, although I suspect a script.
I had been sharing the PC with my 12-year-old son, so it could have come from anywhere. In this case avast only notified me after the infection was already in.
To me, the whole idea of a script having the power or authority to download a file and run it without either the browser or the user being involved doesn’t make any sense at all.
That is why they are often called exploits, where they exploit a weakness in your system, frequently out of date software with a vulnerability that can be exploited.
Unfortunately life isn’t quite so simple as authority, as clicking on a button/link could have more than the desired effect; downloads can come with other unwanted gifts. Some of these could be masked, some could be exploiting your firewall (if it doesn’t have outbound protection it doesn’t even have to exploit it).
So a request from your system (you/undetected/hidden malware, etc.) would automatically be let in by your firewall as it originated from your system. Then you are relying on your other security software detecting this, and to get 100% detection rates from one application is as rare as rocking horse droppings.
Well, you hit on something I never really thought about too much: I’m not running a software firewall at all, instead relying on the SPI of the hardware router.
I guess this may have helped with my last infection (actually, the only one I ever had since 1994) in that it may have stopped resident malware from fetching more of its cousins from the internet. But even that is not ensured, because the malware may be hooked to a legitimate service.
The problem being, unless the hardware router specifically states it monitors outbound traffic, then it doesn’t. Given what I said about allowing inbound traffic where the request originated on the system, I doubt that the SPI would be very effective.
That is where a software firewall comes into its own: anti-leak protection (may be called different things from firewall to firewall), where a legit program can’t really be hooked as there is a parent/child relationship, e.g. what is the program responsible for the connection, and if the legit program is modified that too would be detected.