#1
This morning both my ESET NOD32 AV and AVG LinkScanner blocked a JavaScript Trojan while I was on Hotmail. I was using Internet Explorer 7 (Sandboxed) at the time. I did not open any E-Mails at the time this happened. I think that I was in the process of deleting some E-Mails.
Could moving the mouse pointer over an advertisement cause the attempted Trojan injection? Thanks in advance. In the future, I will have to make sure that I keep the use of Internet Explorer at an absolute "Minimum". Firefox with Adblock Plus most likely would have prevented this.
__________________
NOD32, Sandboxie (Paid), AppGuard, Malwarebytes Anti-Malware, Emsisoft Emergency Kit, DrWeb Cureit, AVIRA Rescue CD, Image for Windows/Image for DOS/Image for Linux, Firefox (Adblock Plus, Subscriptions: EasyList+EasyPrivacy+Malware Domains), Norton DNS
#2
If you go to LinkScanner's history, you'll find what URL it blocked.
LinkScanner blocked it, because the JavaScript (Obfuscation - was this the alert?) was in the same URL; otherwise, it would only block if you actually entered a different URL within Hotmail. I don't think simply moving the mouse pointer over the ad would trigger it. The same for ESET. They simply scanned the URL. I'm not sure how ESET web scanner works - I just ran ESET for a very short time, a few years ago - but, I think it just flagged a trojan, while LinkScanner flagged JavaScript Obfuscation.
Quote:
Wasn't what happened a prevented attack? Both Eset and LinkScanner prevented it? Not to mention, you're running IE under Sandboxie's protection. I don't see why you would have to switch browsers; unless you want, of course. But, I don't see this as a reason.
#3
My parents have gotten infected through ads on webmail sites before. After figuring out that was the source, ad blockers were added. Can you share the log, just to see if it was a Hotmail ad that caused it?
__________________
Panda Security TRUSTED MOD Panda Cloud Antivirus + Rising PC Doctor + Common Sense My Security Blog: http://igl-security.blogspot.com/
#4
AVG Linkscanner Log (I placed xxxxxx's in place of part of the web address.):
3/1/2011, 6:31:18 AM;"Exploit Blackhole Exploit Kit (type 1381)";"xxxxxxx.cz.cc/in.php?a=QQkFBg0MAwAFAgYAEkcJBQYNDAMCAQQHDQ=="
ESET NOD32 Log (I placed xxxxxx's in place of part of the web address and left out my Computer and Username.)
3/1/2011 6:31:20 AM HTTP filter file -http://xxxxxxx.cz.cc/dhgjkdghfdvcfdg.jar- a variant of Java/TrojanDownloader.OpenStream.NBF trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.
__________________
NOD32, Sandboxie (Paid), AppGuard, Malwarebytes Anti-Malware, Emsisoft Emergency Kit, DrWeb Cureit, AVIRA Rescue CD, Image for Windows/Image for DOS/Image for Linux, Firefox (Adblock Plus, Subscriptions: EasyList+EasyPrivacy+Malware Domains), Norton DNS
#5
Quote:
I'm curious; why are you still using IE-7?
__________________
Windows 7 64bit Standard User Acct EMET Sandboxie 3.76 (Paid) Panda Cloud (free)
#6
Yeah, that looks like what would come from an ad; you don't even need to move a mouse over the ad to have it start loading. My parents' machine got hit with that same thing; every time the ad started loading it took over. They have not seen that prob since Adblocker Plus.
__________________
Panda Security TRUSTED MOD Panda Cloud Antivirus + Rising PC Doctor + Common Sense My Security Blog: http://igl-security.blogspot.com/
#7
If the URL is the one I researched, then it's still serving the exploit, but not in hotmail any longer. I opened my account and nothing, or it could just be a different ad, which is totally possible.
-edit-
By the way, that exploit would target a vulnerable Java. LinkScanner blocked the exploit URL and Eset the *.jar file. It would also install a Fake AV. It's being detected by 7/43 according to VirusTotal.
Last edited by m00nbl00d : March 1st, 2011 at 07:24 PM.
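The two detections pasted in post #4 can be tied together the way post #7 reads them (LinkScanner caught the exploit URL, ESET the *.jar): the sketch below parses both lines and merges detections on the same host that fall within a short window. It is an added example, not part of any post in this thread; the regex for the flattened ESET line and the 10-second window are assumptions.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# The two log lines exactly as pasted (already redacted) in post #4.
AVG_LINE = ('3/1/2011, 6:31:18 AM;"Exploit Blackhole Exploit Kit (type 1381)";'
            '"xxxxxxx.cz.cc/in.php?a=QQkFBg0MAwAFAgYAEkcJBQYNDAMCAQQHDQ=="')
ESET_LINE = (r'3/1/2011 6:31:20 AM HTTP filter file '
             r'-http://xxxxxxx.cz.cc/dhgjkdghfdvcfdg.jar- a variant of '
             r'Java/TrojanDownloader.OpenStream.NBF trojan connection terminated '
             r'- quarantined Threat was detected upon access to web by the '
             r'application: C:\Program Files\Java\jre6\bin\java.exe.')
# Assumed layout of the flattened ESET line; the real log is column-separated.
ESET_RE = re.compile(
    r'^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) HTTP filter file -(?P<url>\S+)- '
    r'(?P<det>.+?) connection terminated.*application: (?P<proc>.+?)\.?$')

def host_of(url):
    # LinkScanner logs the URL without a scheme, ESET with one; normalise first.
    return (urlsplit(url if "://" in url else "http://" + url).hostname or "").lower()

def parse_avg(line):
    ts, det, url = (f.strip().strip('"') for f in line.split(";", 2))
    return {"source": "LinkScanner", "detection": det, "url": url, "process": None,
            "host": host_of(url), "time": datetime.strptime(ts, "%m/%d/%Y, %I:%M:%S %p")}

def parse_eset(line):
    m = ESET_RE.match(line)
    if m is None:
        raise ValueError("unrecognised ESET log line")
    return {"source": "ESET", "detection": m["det"], "url": m["url"], "process": m["proc"],
            "host": host_of(m["url"]), "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")}

def correlate(events, window=timedelta(seconds=10)):
    """Merge detections for one host that are at most `window` apart (assumed value)."""
    incidents, latest = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        inc = latest.get(ev["host"])
        if inc is None or ev["time"] - inc["events"][-1]["time"] > window:
            inc = latest[ev["host"]] = {"host": ev["host"], "events": []}
            incidents.append(inc)
        inc["events"].append(ev)
    for inc in incidents:
        inc["sources"] = sorted({e["source"] for e in inc["events"]})
        # The .jar was requested by java.exe (the JRE), not by the browser process.
        inc["java_fetched_jar"] = any(
            e["process"] and e["process"].lower().endswith("\\java.exe")
            and urlsplit(e["url"]).path.lower().endswith(".jar") for e in inc["events"])
    return incidents
```

Run over the two lines from post #4, `correlate` returns a single incident for the redacted host with both products as sources, two seconds apart.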
#8
@m00nbl00d
Most likely depends on the ad. It took 3/4 cycles of ads running when my parents had that problem in order for script to hit the machine.
__________________
Panda Security TRUSTED MOD Panda Cloud Antivirus + Rising PC Doctor + Common Sense My Security Blog: http://igl-security.blogspot.com/
#9
Quote:
Yes, indeed. What TheKid7 experienced only comes to, once more, reveal there aren't safe websites/services; only legitimate and illegitimate, and as I previously said in another thread, legitimate websites/services at some point become the bad ones, and an unsuspecting/unprotected user is hit by crap.
#10
Quote:
I probably should go ahead and upgrade to IE-8 on this PC, but I just haven't yet done so.
__________________
NOD32, Sandboxie (Paid), AppGuard, Malwarebytes Anti-Malware, Emsisoft Emergency Kit, DrWeb Cureit, AVIRA Rescue CD, Image for Windows/Image for DOS/Image for Linux, Firefox (Adblock Plus, Subscriptions: EasyList+EasyPrivacy+Malware Domains), Norton DNS
#11
All I see in a Windows Live account is ads for MSN and MS Messenger. Do they serve ads containing JavaScript from 3rd party domains on their https live com website?