JS:Bulered

Yes, this is a common reaction to this - the ‘I know better than you because I run a website’ attitude.

Or maybe he really has no clue. Anyway, another forum member with avast has the same issue and posted a link to this thread, so maybe he’ll get wiser from this discussion here.

We can only hope…:wink:

I have to wonder why they are obfuscating javascript (what do they have to hide), which is essentially a plain language scripting tool; then sticking it outside the html tags just adds to that suspicion.

@ .: L’ arc :.
One of the problems in this is when sending it to VT, there are very few of those scanners that are even looking for this type of thing.
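
The placement described above, a script block sitting after the closing `</html>` tag, is something a site owner can check for in their own page source. The Node.js sketch below is an added example, not code from this thread or from avast; the marker list, `findTrailingScripts` and the sample page are assumptions constructed for illustration.

```javascript
// Heuristic markers often seen in obfuscated injected scripts (assumed list,
// not avast's detection logic). A hit is a reason to look closer, not a verdict.
const MARKERS = [
  ['eval', /\beval\s*\(/],
  ['unescape', /\bunescape\s*\(/],
  ['fromCharCode', /String\.fromCharCode/],
  ['document.write', /document\.write(ln)?\s*\(/],
  ['percent-encoded run', /(%[0-9a-f]{2}){5,}/i],
  ['hex-escape run', /(\\x[0-9a-f]{2}){5,}/i],
];

// Return one finding per <script> element located after the last </html>.
function findTrailingScripts(source) {
  const closeTag = /<\/html\s*>/gi;
  let end = -1;
  let m;
  while ((m = closeTag.exec(source)) !== null) end = closeTag.lastIndex;
  if (end === -1) return []; // no </html> at all: nothing to compare against

  const tail = source.slice(end);
  const findings = [];
  // Also matches a script that is never closed (body runs to end of file).
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)(?:<\/script\s*>|$)/gi;
  while ((m = scriptRe.exec(tail)) !== null) {
    const [, attrs, body] = m;
    const src = /\bsrc\s*=\s*["']?([^"'\s>]+)/i.exec(attrs);
    findings.push({
      offset: end + m.index,             // position in the original source
      src: src ? src[1] : null,          // external script URL, if any
      markers: MARKERS.filter(([, re]) => re.test(body)).map(([name]) => name),
    });
  }
  return findings;
}

// Constructed sample page: one ordinary script inside the document and one
// after </html>. The encoded string only decodes to the word "hello".
const SAMPLE = [
  '<html><head><script>var menu = 1;</script></head>',
  '<body><p>Forum index</p></body></html>',
  '<script>document.write(unescape("%68%65%6c%6c%6f"));</script>',
].join('\n');

console.log(findTrailingScripts(SAMPLE));
```

Run it over the raw files on the server (templates, static pages, included footers) rather than the browser's DOM, since browsers move trailing scripts back inside the document when parsing.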

Fully agree with David. The reality is that avast is behind any other competitor in this meaning.

Hi Tech, DavidR and Filter,

I had WEPAWET analyze the site: wXw.forumticker.nl
Results: http://wepawet.iseclab.org/view.php?hash=81df9d5d82e0346347bd3bdb4eed0ebd&t=1248116104&type=js

pol

Thanks Polonus, but it’s too technical for me… I’d like clear information: infected or not. I think the average user will think the same.

Don’t you mean avast is ‘ahead’ of other competitors as they aren’t even checking?

Hi DavidR and Tech,

Well you can read it yourself as the analysis says “suspicious” and sites with suspicious code should be blocked, if they actually redirected to a silent malware download host or not, the websites in question should be cleansed from this “Unfug” to use an appropriate German word. That is my two cents on the matter of suspicious code found in webpages…
In most cases the code is malcode or could be abused and this can be established from analyzing at www.unmaskparasites.com via their security report or the malicious iFrames checked against the Bad Stuff Detektor or the site checked against Wepawet-alpha url scanner or blacklistdoctor.com
Use a bookmarklet like this one to show hidden js on a page:

javascript:(function(){var%20i,f,j,e,div,label,ne;%20for(i=0;f=document.forms[i];++i)for(j=0;e=f[j];++j)if(e.type=="hidden"){%20D=document;%20function%20C(t){return%20D.createElement(t);}%20function%20A(a,b){a.appendChild(b);}%20div=C("div");%20label=C("label");%20A(div,%20label);%20A(label,%20D.createTextNode(e.name%20+%20":%20"));%20e.parentNode.insertBefore(div,%20e);%20e.parentNode.removeChild(e);%20ne=C("input");/*for%20ie*/%20ne.type="text";%20ne.value=e.value;%20A(label,%20ne);%20label.style.MozOpacity=".6";%20--j;/*for%20moz*/}})() 

“Good for you analyzers to keep an eye on the sparrow!”
Yes good forum friends, we are in the top league in this respect, avast is leader here, so polonus is also out in the trenches and I put all we have found over recent months in long threads at InformAction Forums where each and every malcode script is discussed at length with the protection of NoScript in mind, re: http://forums.informaction.com/viewtopic.php?f=8&t=1028
(my nick is luntrus there). Keep on the look-out, folks, and keep your shields up, avast knights,

polonus

Could you or anyone else maybe explain that report?
The only things I can find that seem off are the url redirects at the bottom: hXtp://exist.butterflyeffect.gs/Trop and hXtp://ipot.applepie.gd/privatezone/?d6fb367bf8c5480228703541f761eb18
Both those sites are blocked by Google and thus can be seen as malicious?

The problem with obfuscated javascript is that it isn’t easy to see what is being done, much less if it is redirecting and to where, as in the image example of the code on that page I posted earlier.

I have no tools to be able to do any analysis (I, like the others trying to help, am just an avast user like yourself), but given the link polonus gave (in the quoted text) you can do as you have and look up the domains, and as you have found they are considered malicious. So there is a likelihood that avast too finds these malicious and effectively alerts to block access.

Hi Filter,

Yep, good observation, this is what google has to say about exist dot butterflyeffect dot gs: "The last time suspicious content was found on this site was on 2009-07-20. Malicious software includes 96 scripting exploit(s). This site was hosted on 1 network(s) including AS31103 (Keyweb AG)."
The other one, ipot dot applepie dot gd forward slash privatezone: The last time suspicious content was found on this site was on 2009-07-20.
Malicious software includes 754 scripting exploit(s).
This site was hosted on 2 network(s) including AS41062 (PRO100), AS22576 (LAYER3).
This site has hosted malicious software over the past 90 days. This software has infected 361 domain(s), including xvediox.com/, flashost.com.br/, coralhillsresort.com/.
Just delving a little into this and you see what we come up with. Easy answers won’t do, confront them with this - what does the obfuscated code do on that web page?

polonus

Thanks, both of you. This should be more than enough evidence. :wink:

Have to say that I came to understand a lot more about JS:Bulered ;D

You’re welcome, good luck.

Hi Filter,

The pleasure was mutual, we learn from this too. You understand that this has recently been becoming more and more important because CyberCrook & Co is now using these little tricks to target the trustworthy smaller websites, which are not on guard against this. Avast has spearhead technology here and the avast shields work well. It is also always wise to use a browser with a script blocker; I swear by Firefox with NoScript. NoScript has not been defeated a single time as long as you do not whitelist the malcode, and that is why the infection of normally trustworthy, safe sites is such a dangerous matter. Welcome to our forums, keep coming here with your questions and keep inspiring us. I wish you safety online, and stay malware free,

polonus aka Damiaan

Thanks. I have been happy with Avast for a very long time :slight_smile: I will definitely keep hanging around here!

hello guys,

I am having the same issue: my site is getting hacked again and again. I always remove the same malicious code from my phpbb3, coppermine, wordpress and the static web pages one by one, but it's there again after a day or two. I contacted my webhosting company but they don't have any solution. My avast antivirus used to tell me that I have some JS:Bulered virus in my pages, but I used to ignore it till I started getting this on my website hXXp://www.intcube.com, though my cpanel was never hacked and I am still able to use it. I saw a few posts in the avast forums and some others as well, but no one knows about the exact nature of this malware.

http://www.hackthissite.org/forums/viewtopic.php?f=29&t=3849! http://forum.avast.com/index.php?topic=46176.0 http://forum.avast.com/index.php?topic=46919.0

http://img200.imageshack.us/img200/4717/89926055.jpg

After going through the google advisory pages, I changed my password after cleaning pages from various computers, but whenever I would log on my pages would again be infected with the code mentioned above. Google says

http://img200.imageshack.us/img200/1382/80631694.jpg

I checked the lemonia.ws google advisory pages and it clearly shows that it's the source of the virus,

http://img4.imageshack.us/img4/3883/65765763.jpg

In June there was nothing regarding js:bulered malware in google search, but now we’re having a lot of forums where people are discussing this. I think it's spreading more and more, and maybe someone would help us too. Can anyone suggest what I should do?

Please, do not post the same thing twice. It just doubles the effort of helping.
Follow http://forum.avast.com/index.php?topic=46176.0;topicseen