kryptik.ak threat detected on one website

NOD32 v 4.2.71.2 is notifying me of a kryptik.ak trojan. It's only detected on this one website which I use as my web based twitter client. kanvaso.com. I contacted Kanvaso and they are telling me that my PC is more than likely infected. I've run complete NOD32 and Malwarebytes scans and no threats are ever detected. I had been able to visit kanvaso.com just fine until this morning. Any advice would be greatly appreciated. Thank you.

http://i2.photobucket.com/albums/y18/robdam/other/ScreenShot001-5.jpg
http://i2.photobucket.com/albums/y18/robdam/other/Capture-3.jpg

 

JS/Kryptik.AK is detection of an obfuscation method exploited by malware authors to make the code unreadable by human and to evade detection by security software. The vendor should think twice before implementing such an obfuscation method on their website.

 

Can it be eradicated? If so, how? Is it harmful? why is it only manifested on this one web address/website? Thank you for your prompt reply.

 

Since the code is on the vendor's website, it can be removed only by the vendor. Instead of obfuscating code and thus making the web page suspicious to scanners, they could either use unencrypted code or write the code in php or another language that is interpreted by the server and is not downloaded by clients connecting to the website.

In this case it could be a legit code which is, however, obfuscated using a method exploited by malware writers to make the code unreadable by human and to evade detection by security software.

 

As usual, I'm confused, lol. Am I infected? What should I tell the programmers at Kanvaso? Thank you again for your time & advice. Both are greatly appreciated.

 

Is it me or what. Just because something is labeled JS/Kryptik.AK does not mean it really is. I went to this site with 3 other very good products and not a one peeped. It could also be a FP and the OP needs to know that.

 

So why would this FP appear out of the blue? I have been visiting this website for nearly a year without any issues or threats detected. How do I address this is if it is in fact a FP? Thank you .

 

It normally comes from 2 things. Actual malware on the site, or the vendor cranking their hueristic settings a tad to high. It may be real so you do have to proceed with caution.

 

So either way it's on their end?

 

If you are not sure about it,you can check the link at this website to know whether it is malicious or not:http://urlvoid.com/
Anyway,when I analyzed it with VirusTotal and ESET was only the one that detected this linl as malicious:http://www.virustotal.com/file-scan/report.html?id=ede4fa9106307552278254d7adb52d6b8873680fb3ff6609e8f30b093193fa9b-1304658679
So it is probably FP.

 

No, it isn't. As I wrote, it's a detection of a malware-like obfuscation method that webmaster should avoid using it.

 

Obfuscation has more disadvantages then advantages.
It makes the script to look like malware, it introduces non-zero delay each time prior execution or in emulation (the unpacking simply takes computing cycles).
Some web-desingers I have been in contact thinks the particular obfuscation cryptor detected by the JS/Kryptik.AK gives them good copy protection. This is just a false feeling. A person interested in obtaining the original source code is the most probably an experienced JS coder having no-problem to decode the script. Even a person with average JavaScript knowledge is able to do that in one minute without any difficulty.
Partial advantage of some JS obfustators is the fact they can reduce the size of the JavaScript code. There is even better method of reducing the bandwidth: The webserver can be enabled to use the GZIP Compression so the HTTP responses will be compressed. The webserver compression ratio is much better than with the JS packers. Using the JS packer and server side compression together is often worse than using the original script with the server side compression only. It does not make sense to compress the same thing two times.

 

Understood

 

Thanks for the explanation.

 

I'm receiving the same threat detected on 6 PC's all running NOD32. So it's either a FP or it's on Kanvaso's end. They, as expected, are telling me the issue is on my end, lol. See their response below:


"We haven't changed our code for months. We did obfuscated our JS code, but it had been done long time ago. Your malware's alarm should be false positive. Otherwise, other folks should've reported the same issue. But we haven't gotten any. Anyways, thank you for your effort to investigate the issue. We do appreciate it. "

 

I think it's a FP. Otherwise other AV vendors would detect it too. I entered this site with 3 other security vendors including ESET and it was the only one that detected it.

 

It is also being seen on -nectar.com- Javascripts
-www.nectar.com/contents/scripts/cctracker.system.js-

While I can understand the webmaster is using bad styles of Obfuscation - I am not sure how to explain what Obfuscation is to my sister or why it is causing her issues - and if FP that is stopping her do what she wants she won't be happy!

 

Is there a way to edit NOD32 so that it ignores Kanvaso web address?

 

I have a Firefox Extension, which can be downloaded from http://www.dubser.com. I'm developing it. It is free for download, but I don't want others to be able to steal my ideas easily cause I want to develop a commercial version of it later, this is why an obfuscated javascript file is included. The extension is clean for sure and it is digitally signed as an extra protection. This software is absolutely secure. Nod32 is the only antivirus software which sends this file into quarantine. I think it is a rash generalization made by Nod32 that all of the obfuscated javascript files are malicious. Similarly we can say that all those who has a knife at home are serial killers for sure. This is foolish. I understand that virus protection is not a trivial task, but the algorithm used by Nod32 should be much more sophisticated, cause - with a behavior like this - Nod32 can easily damage businesses of others. I hope Nod32 will fix this bug soon in their software.

 

Great reply, thank you. The thing that strikes me as being odd is that I had been using Kanvaso quite happily for months in unison with NOD32 without any red flags. Why now? why all of a sudden?

 

Hi Ncsapko and welcome to the wilders,
Did you read my previous post https://www.wilderssecurity.com/showpost.php?p=1868378&postcount=12 about obfuscation disadvantages?
The obfuscation you use is unsuitable as a good copy protection as the decompression is indeed easy for average JS coder:

Some developers already confirmed they are moving away from the particular obfuscator used here. Will you stop using obfuscation at all or will you choose another one (stronger and not used by malware makers)?

 

Hi Danieln and thank you for your response. I read your previous post. I've never thought that obfuscation is a good protection against stealing the ideas even if stronger obfuscation is used. To tell the truth, there is no good solution to protect ideas in software industry, anyway. My goal was just not to enable it without extra efforts required. My problem with Nod32 is exactly this, cause if I put the original javascript file into my extension without obfuscating it, the Nod32 handles this original file as a clean content. If the obfuscation I used is so weak, why can't Nod32 remove this protection and check the original content This is what I'm talking about: the algorithm used by Nod32 is not sophisticated enough. If the developers of Nod32 has made the efforts removing the obfuscation, my extension would be handled secure.

 

I appreciate you decided to share your opinion.
There is also the performance issue which I have already mentioned. A plain JavaScript code analysis itself is not a trivial task. Making the engine to exhaustive search, generically unpack and analyze all layers of possible obfuscation can introduce an unpleasant delay on many complex websites so this is not a good solution.
Are you insisting on using the same obfuscation which is being detected here or is it acceptable for you to choose another one?
Also, it would be fine if you could put a header (comment) in the beginning of the file with some useful info about application, author and version. These data will introduce a traceability to the file which could be used in decision whether trigger the file or not.
Obfuscation cause problems, we welcome when it is avoided where possible.

 

Following recived from Nectar.com who I have been liasing with since having the above "trojan" detected by eset.

"Dear xxxx

Nectar Card number: 9826 3000 ....................

Your Current Points Balance: 8,753

Thank you for contacting us regarding the difficulties you have been experiencing with the Nectar website.

I am pleased to able to reassure you that there is no Trojan virus on the Nectar website. The error was the result of a problem within Javascript, which only affected users of ESET Antivirus. This has now been resolved and the website updated so you should not have any further problems, however, if you do still get the same error message, please try clearing your cache with ESET.


Regards
Nectar Team"

So what ever the heck was going on with them and eset is now over!

 

All this info is fine and dandy but it does not solve MY ISSUE with NOD32 and Kanvaso.com