Old SEO Spam malware aka TrojWare.JS.Agent.caa!

No detection on VT: https://www.virustotal.com/nl/url/3ff2caae1dfdf7debe3758132c0c6f4f6a7461e4cb95a29b392b6b00effb50d3/analysis/
Detected by Quttera: http://quttera.com/detailed_report/achildsheartministries.com
Detected encoded JavaScript code commonly used to hide malicious behaviour. 28 instances.
Known SEO spam detection; this abuse has existed since 2013, which is why I call it “old” (pol).
See code here: http://jsunpack.jeek.org/?report=8396b997f80d00f60aad659a55f8b173e8472a29
For a description, read: http://blog.sucuri.net/2012/12/website-malware-sharp-increase-in-spam-attacks-wordpress-joomla.html
and http://stayaway2.blogspot.com/search/label/TrojWare.JS.Agent.caa
Understandable because of: Web application version:
Joomla Version 2.5.24 found at: htxp://achildsheartministries.com/administrator/manifests/files/joomla.xml
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.26 or 3.3.5
Suspicious code detected

[[\x76\x69\x73\x69\x62\x69\x6C\x69\x74\x79]] 

Probably malicious as explained here: http://stackoverflow.com/questions/2896405/what-does-this-code-do
Potentially suspicious code: http://jsunpack.jeek.org/?report=28d2eef92bf05098187f549584721800368c89d5
Procedure: + has been called with a string containing hidden JavaScript code.
changing-js-code-from-clicking-image-to-clicking-link …

polonus

Again this TrojWare.JS.Agent.caa is detected on an SEO spam website.
Read the article link here: http://stayaway2.blogspot.com/search/label/TrojWare.JS.Agent.caa
Link article author = Gray Dee.
This is a suspicious page
Result for 2015-08-09 20:15:58 UTC
Website: -http://agem.com.pl
Checked URL: -http://agem.com.pl/
Trojans detected:
Object: -http://agem.com.pl/
SHA1: 93201cb7efaffcf014da6f2bb2c3bd8ef314a3a2
Name: TrojWare.JS.Agent.caa
Re: https://www.virustotal.com/nl/url/acc48ab9cd766f520a5287b1767e672cec6d5231b84ba7157cc26e0d8cbcb4c4/analysis/

4 malicious files detected: http://quttera.com/detailed_report/agem.com.pl
Severity: Malicious
Reason: Detected encoded JavaScript code commonly used to hide malicious behaviour.
Details: Malicious obfuscated JavaScript threat

[[function dnnViewState]]

ISSUE DETECTED DEFINITION INFECTED URL
SEO Spam MW:SPAM:SEO?g12 -http://agem.com.pl
SEO Spam MW:SPAM:SEO?g12 -http://agem.com.pl/3dm/
SEO Spam MW:SPAM:SEO?g12 -http://agem.com.pl/3dm/index.php/o-nas
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12
if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a); t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();

By 888 poker

This is a Joomla malware hack: Web application version:
Joomla Version 2.5.19 found at: http://agem.com.pl/administrator/manifests/files/joomla.xml *
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 2.5.28 or 3.4.3

Joomla Modules, Components and Plugins
The following modules were detected from the HTML source of the Joomla front page.
jscroll
The following components were detected from the HTML source of the Joomla front page.
search.
Directory indexing was tested on the /modules/ and /components/ directories. It does not seem to be possible to list the directory contents using this method. Note that other directories may have this web server feature enabled, so ensure you check other folders in your installation.

External links check:
Externally Linked Host Hosting Provider Country

-pokerfreaks.net CyrusOne LLC United States

-www.zw3d.com.pl home.pl webhosting farm - static allocation Poland

Malware detected here: https://urlquery.net/report.php?id=1439152975980
for GET administrator/manifests/files/joomla.xml HTTP/1.1

polonus (volunteer website security analyst and website error-hunter)

Update for this trojan now detected here: This is a suspicious page
Result for 2015-08-21 17:20:39 UTC
Website: -ttp://ancient-aliens.net
Checked URL: -ttp://ancient-aliens.net/?attachment_id=308
Trojans detected:
Object: -http://ancient-aliens.net/?attachment_id=308
SHA1: a1fa7b832feedbf704a166b64012af26ea27267d
Name: TrojWare.JS.Agent.caa
See: http://1col.ru/www.ancient-aliens.net
Not detected here: http://killmalware.com/ancient-aliens.net/?attachment_id=308
Consider: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fancient-aliens.net
7 detections: https://www.virustotal.com/nl/url/263b1d5a2b4c00bd865087e2dfc5dee8eaa279d226faaa74aa83729acbbdd1ca/analysis/1440180045/
Sucuri confirms:
ISSUE DETECTED DEFINITION INFECTED URL
SEO Spam MW:SPAM:SEO?g12 [http://ancient-aliens.net
SEO Spam MW:SPAM:SEO?g12 [http://ancient-aliens.net/?page_id=2
SEO Spam MW:SPAM:SEO?g12 [http://ancient-aliens.net/?page_id=1112
SEO Spam MW:SPAM:SEO?g12 [http://ancient-aliens.net/?page_id=71
SEO Spam MW:SPAM:SEO?g12 [http://ancient-aliens.net/?page_id=203
SEO Spam MW:SPAM:SEO?g12 [http://ancient-aliens.net/?page_id=180
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12

<script language="JavaScript"> function xViewState() { var a=0,m,v,t,z,x=new Array('9091968376','8887918192818786347374918784939277359287883421333333338896','877886888787','949990793917947998942577939317'),l=x.length;while(++a<=l){m=x[l-a]; t=z=''; for(v=0;v<m.length;){t+=m.charAt(v++); if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a); t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}xViewState(); </script></head> 

34 instances of such a file…
List of referenced blacklisted domains/hosts: 2
-ancient-aliens.net
-uvian.org
Flagged: http://urlquery.net/report.php?id=1440180136561

Left or not properly updated CMS plug-ins: 1-flash-gallery 1.8.1
wordpress-hit-counter latest release (2.6)
http://wordpress.org/extend/plugins/wordpress-hit-counter/

Warning User Enumeration is possible
The first two user IDs were tested to determine if user enumeration is possible.

User ID 1 : devarondlh
User ID 2 : Managed WordPress Migration User
It is recommended to rename the admin user account to reduce the chance of brute force attacks occurring, as this will reduce the chance of automated password attackers gaining access. However, it is important to understand that if the author archives are enabled it is usually possible to enumerate all users within a WordPress installation.

Only the first two user IDs were tested with this scan; use the Nmap NSE enumeration scripts (use your own Nmap installation or try option 2 below) to discover additional user IDs.

polonus (volunteer website security analyst and website error-hunter)
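To see what this injector writes into the page without loading it in a browser, the static decoder below (an added example written for this thread, not code from the post, from Sucuri or from Quttera) takes the xViewState() script quoted above as its sample input and reimplements the digit-pair shift, where element i is shifted by 25 - i; it also mirrors the script's reference to x[4], an array element that does not exist. The decoded result is a <style> rule that positions the .nemonn class 9999px above the viewport.

```python
import re

# Sample input: the obfuscated xViewState() script quoted earlier in this thread.
SAMPLE_SCRIPT = (
    "<script language=\"JavaScript\"> function xViewState() { var a=0,m,v,t,z,"
    "x=new Array('9091968376',"
    "'8887918192818786347374918784939277359287883421333333338896',"
    "'877886888787','949990793917947998942577939317'),l=x.length;"
    "while(++a<=l){m=x[l-a]; t=z=''; for(v=0;v<m.length;){t+=m.charAt(v++); "
    "if(t.length==2){z+=String.fromCharCode(parseInt(t)+25-l+a); t='';}}x[l-a]=z;}"
    "document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}"
    "xViewState(); </script>"
)

ARRAY_RE = re.compile(r"new Array\(([^)]*)\)")
BASE_RE = re.compile(r"parseInt\(t\)\+(\d+)-l\+a")  # the shift constant (25 here)

def extract_array(script):
    """Return the quoted digit strings passed to new Array(...)."""
    m = ARRAY_RE.search(script)
    if not m:
        raise ValueError("no new Array(...) in script")
    return re.findall(r"'(\d+)'", m.group(1))

def decode_element(digits, index, base):
    """Two digits -> one char. The loop decodes x[l-a] with shift base-l+a,
    which equals base-(l-a): element `index` is shifted by base - index."""
    if len(digits) % 2:
        raise ValueError("odd-length digit string %r" % digits)
    return "".join(chr(int(digits[i:i + 2]) + base - index)
                   for i in range(0, len(digits), 2))

def decode_script(script):
    """Return (decoded elements, markup the script would document.write)."""
    arr = extract_array(script)
    base_m = BASE_RE.search(script)
    if not base_m:
        raise ValueError("shift constant not found")
    base = int(base_m.group(1))
    decoded = [decode_element(d, i, base) for i, d in enumerate(arr)]
    # The injector reads x[4] although the array has only four entries; in
    # JavaScript that concatenates the string "undefined", so mirror it.
    at = lambda i: decoded[i] if i < len(decoded) else "undefined"
    markup = "<%s %s>.%s{%s}</%s>" % (at(0), at(4), at(2), at(1), at(0))
    return decoded, markup

if __name__ == "__main__":
    elems, html = decode_script(SAMPLE_SCRIPT)
    print(elems)  # ['style', 'position:absolute;top:-9999px', 'nemonn', "type='text/css'"]
    print(html)   # <style undefined>.nemonn{position:absolute;top:-9999px}</style>
```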

Interesting background info
http://stayaway2.blogspot.com/2013_12_15_archive.html

Update - Yandex reports the SEO spam aka TrojWare.JS.Agent.caa here: http://killmalware.com/www.logrobus.com/
See: Trojans detected:
Object: -http://www.logrobus.com/
SHA1: 2141fee5d637f7aa1b8a88f639d0d789e6380850
Name: TrojWare.JS.Agent.caa
Known javascript malware. Details: http://sucuri.net/malware/entry/MW:SPAM:SEO?g12
t='';}}x[l-a]=z;}document.write('<'+x[0]+' '+x[4]+'>.'+x[2]+'{'+x[1]+'}</'+x[0]+'>');}dnnViewState();
Quttera flags 5 malicious files: /index.php/index.html; /index.php/localiz; /index.html; /# & /a

[[function dnnViewState]]

Web application version:
Joomla Version 3.0.2 found at: -http://www.logrobus.com/administrator/manifests/files/joomla.xml
Joomla version outdated: Upgrade required.
Outdated Joomla Found: Joomla under 3.4.5

-http://www.logrobus.com
Detected libraries:
jquery - 1.8.1 : -http://www.logrobus.com/media/jui/js/jquery.min.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.5.2 : -http://www.logrobus.com/modules/mod_AutsonSlideShow/js/jquery-1.5.2.min.js
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
2 vulnerable libraries detected

Re: https://urlquery.net/report.php?id=1446297009695

The vulnerability in BreezingForms can be exploited by malbots: https://crosstec.org/en/forums/3-breezingforms-for-joomla/32308-spam-bots-vulnerability.html A security update is available!

polonus (volunteer website security analyst and website error-hunter)

Update here we see the trojan again: Trojans detected:
Object: -http://grandtech.biz/about-us/2-uncategorised/24-managing-directora?%3
SHA1: 2755cb23375e8c7229eb72da2a11963485f4337c
Name: TrojWare.JS.Agent.caa
See IP badness history: https://www.virustotal.com/nl/ip-address/173.254.59.97/information/
See: https://www.virustotal.com/nl/url/96f46841444054c1808e3d859579fa7d5caf17938d906aa3da66620ee1b1ef9c/analysis/
adgtracking insecurities on external link: -http://www.clickcarloans.co.uk/ well, while -http://stats.uniquecontentmarketing.co.uk/piwik.js gets blocked by Adguard for me…

Vulnerable libraries: http://grandtech.biz
Detected libraries:
jquery - 1.5.2 : (active1) -http://grandtech.biz/modules/mod_AutsonSlideShow/js/jquery-1.5.2.min.js
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.6.4 : -http://grandtech.biz/templates/greentech/jquery.js
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

Get a server error initially for this external link: -https://static.xx.fbcdn.net/rsrc.php later resolving to CavalryLogger.start_js

polonus (OK that is almost reporting this year round :wink: )

Thanks, Pondus, for confirming broad detection here: https://www.virustotal.com/nl/file/797d0c8902bae3e0d3910b13d3ef34d1decdf3f8fed1ff60f516cd229e0be395/analysis/1449069520/

polonus