holpo
January 16, 2014, 10:25pm
1
see: http://quttera.com/detailed_report/www.urogulfinvestment.com → /Scripts/AC_RunActiveContent.js
Severity: Malicious
Reason: Detected encoded JavaScript code commonly used to hide malicious behaviour.
Details: Malicious
Offset: 6195
Threat dump: see: #19 JavaScript::Script (size: 10563, repeated: 1) - Alert detect on script (Severity: 2) on http://urlquery.net/report.php?id=8846972
File size[byte]: 10563
File type: ASCII
MD5: 47B6D6DC8811C70E77F3B5A2CD0B60AA
Scan duration[sec]: 0.006000
Confirmed here: http://zulu.zscaler.com/submission/show/6adadf8118110720bf3f85e58ecf5a21-1389910689
and here: http://urlquery.net/report.php?id=8846972
Site blacklisted and likely compromised: http://sitecheck.sucuri.net/results/www.urogulfinvestment.com/
See: http://maldb.com/www.urogulfinvestment.com/ Mal/Iframe-W.
AV report (vendor: detection name):
AntiVir: JS/Dldr.Agent.gpq
Avast: JS:Agent-QD [Trj]
Bkav: MW.Clod47a.Trojan.3c32
Ikarus: Trojan.JS.PhoexRef
Rising: JS:Trojan.Script.JS.PhoexRef.a!1609327
TrendMicro-HouseCall: TROJ_GEN.F47V1213
Comodo: TrojWare.JS.Agent.BB
McAfee-GW-Edition: JS/Exploit-Blacole.bm
Microsoft: Trojan:JS/PhoexRef.F
McAfee: JS/Exploit-Blacole.bm
AVG: Script/Exploit.Kit
pol
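Quttera's finding above is a heuristic ("encoded JavaScript" at a byte offset). The following is an added example, not code from this thread or from any of the scanners named, showing how such a check works: it locates runs of escaped bytes in a script, flags the first run that feeds a decode-and-execute call, and reports its offset; it runs on constructed samples, and the eight-byte threshold and the 200-character window are assumed cutoffs.

```python
import re

# Escape-run patterns that scanners treat as "encoded JavaScript": eight or
# more consecutive escaped bytes, which is rare in hand-written code (assumed threshold).
ESCAPE_RUNS = {
    "percent": re.compile(r"(?:%[0-9A-Fa-f]{2}){8,}"),
    "hex": re.compile(r"(?:\\x[0-9A-Fa-f]{2}){8,}"),
    "unicode": re.compile(r"(?:\\u[0-9A-Fa-f]{4}){8,}"),
    "charcode": re.compile(r"String\.fromCharCode\((?:\s*\d+\s*,){8,}"),
}
# Calls that turn a decoded string back into code or markup.
DECODE_EXEC = re.compile(r"\b(eval|unescape|document\.write|setTimeout)\s*\(")
WINDOW = 200  # assumed: max chars between the call and the run to count as one construct


def find_encoded_regions(js):
    """Every escape run in the file as {'kind', 'offset', 'length'}, sorted by offset.
    Offsets are character offsets; for an ASCII file they equal byte offsets."""
    hits = []
    for kind, pat in ESCAPE_RUNS.items():
        for m in pat.finditer(js):
            hits.append({"kind": kind, "offset": m.start(), "length": m.end() - m.start()})
    return sorted(hits, key=lambda h: h["offset"])


def assess(js):
    """Verdict for one script: 'suspicious' when an escape run is consumed by a
    decode-and-execute call, 'clean' otherwise. A bare escape run may be a
    legitimate string table, so it is found but not flagged on its own."""
    calls = [m.start() for m in DECODE_EXEC.finditer(js)]
    for region in find_encoded_regions(js):
        if any(0 <= region["offset"] - c <= WINDOW for c in calls):
            return {"verdict": "suspicious", **region}
    return {"verdict": "clean", "kind": None, "offset": None, "length": None}


# Constructed samples (not the real AC_RunActiveContent.js): a benign helper,
# the same helper with an encoded eval() appended, and a harmless string table.
CLEAN_JS = (
    "function AC_AddExtension(src, ext) {\n"
    "  if (src.indexOf('?') != -1) return src.replace(/\\?/, ext + '?');\n"
    "  return src + ext;\n"
    "}\n"
)
INJECTED_JS = CLEAN_JS + "eval(unescape('%63%6F%6E%73%6F%6C%65%2E%6C%6F%67%28%31%29'));\n"
TABLE_JS = 'var codes = "%00%01%02%03%04%05%06%07%08%09";\n'

if __name__ == "__main__":
    for name, js in (("clean", CLEAN_JS), ("injected", INJECTED_JS), ("table", TABLE_JS)):
        print(name, assess(js))
```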
holpo
January 16, 2014, 10:47pm
2
LS,
Read on counter.php attacks → counter.php>; rel=“canonical”.
The counter.php strain of malware is leveraging its redirect functionality to send victims to websites serving up the Styx exploit kit. Sucuri’s Tony Perez on this attack: http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html
and Vicente Diaz with this article: http://www.securelist.com/en/blog/9151/Visit_from_an_old_friend_Counter_php
So WP issues, outdated WP and javascript malcode are ingredients for these counter.php malware redirects.
A php security scanner can be found here: http://evuln.com/tools/php-security/
pol
holpo
January 17, 2014, 7:16am
3
Quttera results give this as VT file scan results: https://www.virustotal.com/nl/file/120fdca70ef210023700733571a8a967b952e5ee0d1f49fc120d3a30be232018/analysis/1389914725/ (thanks to Pondus!)
avast! does not detect JS/Dldr.Agent.gpq or TrojWare.JS.Agent.BB malware there. Could this be a false positive detection according to an earlier analysis at MajorGeeks?
Some AV solutions are still adding the malcode to their detection: AC_RunActiveContent.js there as Exploit.AJN by Norman, for instance.
So the debate is still going on.
Well, we're gonna give the old Pinpoint executable a twirl inside Sandboxie (see attachments) and also do a scan at Anubis.
Pinpoint logs could have been blocked by the avast! Webshield!
Seems that for this site also this domain played a role in the spreading of this malcode. e.g.: htxp://engine.adzerk.net/
Read this: http://meta.stackoverflow.com/questions/95504/why-do-some-so-adverts-seem-to-pass-rep-as-an-url-parameter
link article author = Tom White.
This demonstrates again beyond a shred of doubt why the browser user today should at least have a decent ad-blocking extension enabled in the browser.
One could think of for instance the ABP extension or the Bluhell firewall extension against tracking issues.
Additional scanning:
See: http://jsunpack.jeek.org/?report=bf5e6cb1380c7ac41443f7141a915f9693db7a9a
See: http://anubis.iseclab.org/?action=result&task_id=143a312b558ae6af4a903eaf0dcafb7e4&format=html
On there this was striking:
"@C:\WINDOWS\System32\wshext.dll,-4804"="JScript Script File" "@C:\WINDOWS\System32\wshext.dll,-4805"="JScript Encoded Script File" will produce unwanted pop-ups.
2, Multi-client code → 0x5400630070006900700000004e0065007400420049004f005300000000
Here follows an important scan that confirms the direct malcode link: http://app.webinspector.com/public/reports/19523206
No alerts detected here: http://urlquery.net/report.php?id=8866039
But detection and alerts on Recent reports on same IP/ASN/Domain: http://urlquery.net/report.php?id=8846972
and an earlier report yet: http://urlquery.net/report.php?id=422748 is being blocked by avast! Webshield as infested by KS:Includer-NS[Trj].
Assumption: the site had malcode and has now been cleansed? This is an assumption on the basis of the recent urlquery dot net scans for this site!
pol