JS:Cruzer - C [Trojan] Found.

Hi all, I entered a local company’s site and avast! cautioned me of the trojan’s presence.
Repeated attempts at entering their website always trigger the avast alert, and I have read that there are other people reporting this trojan as well.

Any guidance on what I should do next would be awesome.

This company wanted to interview me for some IT support vacancy they had.

Maybe these threads can help you^^

http://forum.avast.com/index.php?topic=45819.0
http://forum.avast.com/index.php?topic=45730.0

Good luck and God bless^^

-AnimeLover^^

After the HTML ends there is some weird JavaScript coding. This may be the source of your problem.

I was right. When I placed the code in notepad and saved it as virus.txt, avast alerted of JS:Cruzer C.

-= There was a:

Infection: JavaScript Obfuscation (type 501)

Detail: Exploit: Javascript Obfuscation [This web site has JavaScript that has been used to obfuscate known exploit techniques]

Risk Category: Exploit

Description: XPL’s Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser, to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends not visiting this web site regardless of whether your computer has been patched for the vulnerability.

-= The website administrator must be warned about this to fix the infection…

Thanks guys, much appreciate the immense help I got within a very short time frame.

So suffice to say, it’s authentically malicious and is NOT a misdiagnosis, right?

That, and can I also tell the server administrator, who brushes it off as a mere JavaScript problem, that it’s a significant breach of his security?

Perhaps they have already moved on this. I have the source code and it looks as if it’s tidy now.

Total zeroiframes found: 0
No zeroiframes detected!
Check took 2.71 seconds

(Level: 0) Url checked:
hxxp://www.vellas.com.sg
Zeroiframes detected on this site: 0
No ad codes identified

Well, it’s still sending out an alert. The code looks okay to me.

Edit - I feel confident enough to post the source code. But I won’t, because I am not an expert. I went to Jutakys. There might be something else to it.

Hold on, I may have checked it through an out of date page. I run some more checks.

I have sent what I can to avast and to VirusTotal (whose uploader appears to be overloaded). ’Bout all I can do for now.

The alert is still there and the script doesn’t look good to me.

If you scroll way right of the closing HTML tag you will see the obfuscated JavaScript script tag (all on that single line), and this is what avast is alerting on. See the image, as that is the code; I have broken it down to make it easier to see.

See VT results on the code only and not the full html page, http://www.virustotal.com/analisis/2c30c4b4158bc1427bae12c373d6d7f5371fd245025e2bf9c7ae9bdb99f41617-1244040720. Only three detections avast (JS:Cruzer), gdata (which uses avast as one of its two scanners) and sophos (Mal/ObfJS-BW).

Whilst this is a low hit count, there are very few scanners even looking at this, and when the JavaScript is also obfuscated that makes it even more uncommon that they will find it.

However, based on:

  1. the location after the closing HTML tag, a standards no-no, which an IT services company would be complying with standards on.
  2. the fact that they have positioned this way to the right so it is effectively out of sight on a normal page view.
  3. the fact that they have chosen to place it all on a single line rather than the conventional script layout that makes it easy to interpret.
  4. and finally the actual obfuscation to hide what the intent is.

Collectively these make me suspicious and with the detections, that just confirms my suspicions.

I see it now DavidR.
I never went that far right on the page. I’ll know for next time to scroll the whole page.

And thanks for the tips. Much appreciated.

You’re welcome.

I just look at the scroll indicator; if it is a very small bar, there is much more to the right, and I just grab that bar and drag it right to see what is out there.

They also play the same trick to put multiple blank lines after the closing html tag so it isn’t in view when looking at what is apparently the end of the page source.

Oh my. I wonder if anyone ever nips these malicious codes in the bud; how do I ever find the source that’s spamming it? Or is that a wild goose chase, and I should focus on self-protection first and avoid going to that site ever?

What can/do I do next?

Commonly these code injection hacks are a result of exploitation of vulnerable content management software: PHP, SQL, WordPress, etc.

The only thing you can do is report to the company that the site appears to have been hacked; it may help you later in your interview.

See this example of a host’s response to a hacked site.

We have patched up the server and we found a weakness in PHP which was helping aid the compromise of some domains. We updated it, and changed some default settings to help prevent these coding compromises. The weaknesses were not server wide but rather just made it easier on a hacker to compromise individual end user accounts.

I suggest the following clean up procedure for both your accounts:

  1. Check all index pages for any signs of JavaScript injected into their coding. On Windows servers check any “default.aspx” or “default.cfm” pages, as those are popular targets too.

  2. Remove any “rogue” files or PHP scripts uploaded by the hackers into your account. Such scripts allowed them to make account-wide changes, spam through your account, or spread their own .htaccess files through all of your domains in that end user.

  3. Check all .htaccess files, as hackers like to load redirects into them.

  4. Change all passwords for that end user account: the cp password, the ftp password, and any ftp sub accounts. Make sure to use a “strong” password which includes upper case, lower case, numbers and NO COMPLETE WORDS OR NAMES!

This, coupled with our server side changes, should prevent any resurfacing of the hackers’ efforts. In some cases you may still have coding which allows for injection. All user input fields, hidden or not, should be hard coded, filtered, and sanitized before being handed off to PHP or a database, which will prevent coding characters from being submitted and run through your software.

Also see, Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.
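The heuristics DavidR listed earlier (script after the closing HTML tag, pushed far to the right, collapsed onto one line, padded with blank lines, obfuscated) and step 1 of the host’s clean-up procedure are the same check. Below is an added Python scanner that applies them to a page source; it is not code from this thread or from avast, and the thresholds, the marker list and the two sample pages are all constructed assumptions.

```python
import re
from dataclasses import dataclass

# Heuristics from the thread: script after </html>, pushed far right, one long
# line, blank-line padding and obfuscation primitives. Thresholds are assumptions.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
CLOSE_HTML_RE = re.compile(r"</html\s*>", re.I)
ESCAPE_RE = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode(", "document.write(")
MIN_COLUMN, MIN_ONE_LINE_LEN, MIN_PADDING_LINES, MIN_ESCAPES = 120, 200, 5, 20

@dataclass
class Finding:
    line: int      # 1-based line on which the <script> tag starts
    column: int    # 0-based column of the tag on that line
    reasons: list  # human-readable heuristics that fired

def scan_html(source: str) -> list:
    """Return one Finding per <script> block that trips at least one heuristic."""
    findings = []
    close = CLOSE_HTML_RE.search(source)
    for m in SCRIPT_RE.finditer(source):
        body, reasons = m.group(1), []
        if close and m.start() >= close.end():
            reasons.append("script placed after the closing </html> tag")
            padding = source.count("\n", close.end(), m.start())
            if padding >= MIN_PADDING_LINES:
                reasons.append(f"{padding} newlines of padding push it below the visible end")
        column = m.start() - (source.rfind("\n", 0, m.start()) + 1)
        if column >= MIN_COLUMN:
            reasons.append(f"starts at column {column}, off-screen to the right")
        if len(body) >= MIN_ONE_LINE_LEN and "\n" not in body.strip():
            reasons.append("long script collapsed onto a single line")
        hits = [k for k in OBFUSCATION_MARKERS if k in body]
        if hits or len(ESCAPE_RE.findall(body)) >= MIN_ESCAPES:
            reasons.append("obfuscation primitives: " + ", ".join(hits or ["escape sequences"]))
        if reasons:
            findings.append(Finding(source.count("\n", 0, m.start()) + 1, column, reasons))
    return findings

# Constructed sample pages, not the site from the thread. INJECTED_PAGE appends
# blank lines, 150 spaces and a one-line eval(unescape(...)) of a harmless comment.
CLEAN_PAGE = "<html><head><script>\nvar x = 1;\n</script></head><body>hi</body></html>\n"
_ESCAPED = "".join("%%%02x" % ord(c) for c in "/* constructed placeholder */" * 4)
INJECTED_PAGE = CLEAN_PAGE + "\n" * 8 + " " * 150 + f'<script>eval(unescape("{_ESCAPED}"))</script>'

if __name__ == "__main__":
    for f in scan_html(INJECTED_PAGE):
        print(f"line {f.line}, col {f.column}: " + "; ".join(f.reasons))
```

Run it over a saved copy of a page source (e.g. `scan_html(open("index.html").read())`) and review anything it flags by hand; a hit on only one heuristic is a prompt to look, not proof of compromise.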

Thanks David and the rest of the global 24 hour shift crew.
You guys rock and deserve halos in spyware free heaven.

Can I help by being a local distributor of the software?

I already have an awesome amount of faith in avast!

You’re welcome.

I’m only an avast user like yourself, but you can check the avast site; there are distributors around the world.

It was the end of a long day for me. :slight_smile: But I will be alert to that from now on. A few of the posts above were quick to pick up the miscreant’s ruse, so all cred to them.

I did manage to send off what my PC reported though. So that’s something. And my routine for testing suspect sites is much improved. Thanking you.