Analysis of password-strength page at unwrongest website (split from password thread)

Discussion in 'malware problems & news' started by Sully, Jul 21, 2010.

Thread Status:
Not open for further replies.
  1. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    Re: Passwords that are Simple--and Safe

    Iron gave me a warning about this site possibly containing malware ... Danger Will Robinson, Danger lol.

    Sul.
     
  2. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Re: Passwords that are Simple--and Safe

    Hi Sully

    I've been using that site for quite some time, with nothing evident. It may be the script they use to determine the time, but nothing wrong is evident.

    Pete
     
  3. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    avast doesn't like unwrongest.com/projects/password-strength one bit...
     

  4. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,054
    Re: Passwords that are Simple--and Safe

    Well I don't like Avast, but that doesn't make it bad. Then there are false positives. I go to that site and I see nothing bad happen.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    You're comparing yourself to an antivirus company? o_O
    When I clicked on the link in your post, the object that avast said was infected was... plum . karenegren . com / data / mootools . js .
    What happens when you put that in your browser?
     
  6. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Re: Passwords that are Simple--and Safe

    Page42, I ran unwrongest.com and plum . karenegren . com through URLVoid to check for malicious Web site content and both came out clean.

    Then, I ran plum . karenegren . com / data / mootools . js, via novirusthanks Multi-Engine Antivirus Scanner (Scan Web Address feature), and the file came out clean as well.
     
  7. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    Thanks so much for the input, JR.
    I found a mention on Sucuri site stating that encoded javascript was loading malware from:
    * . karenegren . com / data / mootools . js
     

  8. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Re: Passwords that are Simple--and Safe

    Page42, you're welcome!

    The funny thing is that I took a look at the Source Code, CSS & JavaScript Information for unwrongest.com, using my FF Web Developer add-on, and that JavaScript file is not found anywhere on that site. I'm at a loss to explain its existence.
     
  9. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    Now I'm getting a different threat detection from that site...
    gray . edisonsnightclub . com / data / mootools . js [L] JS:Illredir-CL [Trj] (0)
     

  10. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Re: Passwords that are Simple--and Safe

    Page42, while a Web site's chance of having a server's Data folder is great, it does seem odd that two different domains have the same JavaScript file. Yet, a WHOIS reveals that both edisonsnightclub . com and karenegren . com resolve to the same IP 208.69.90.137. Unwrongest.com does not: IP 64.13.192.129. Run a check of your system with various tools to eliminate it from possible contamination.
     
  11. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    You just described my life, JR. ;)
    Will do. :)
     
  12. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    I accessed that site from a different computer (albeit one on my home LAN) and avast web shield complained again...
    brown . emapis . org / data / mootools . js [L] JS:Illredir-CL [Trj] (0)
    I'm running a boot-time scan now, but daily Hitman Pro, avast and MBAM scans don't reveal any problems on my computers, JR.
     

  13. Sadeghi85

    Sadeghi85 Registered Member

    Joined:
    Dec 20, 2009
    Posts:
    747
    Re: Passwords that are Simple--and Safe

    I don't know if that JS file is malicious or not, but it's there.

    mootools.png
     
  14. vlk

    vlk AV Expert

    Joined:
    Dec 26, 2002
    Posts:
    618
    Re: Passwords that are Simple--and Safe

    Page42, it's definitely not a false positive.


    BTW,

    Most likely a referrer thing. Very common these days. The malicious content doesn't get served for an arbitrary request, just if you're coming from a specific source. Also may be based on geoIP and similar things.

    Thanks
    Vlk
     
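    A defender-side check for the referrer-dependent serving Vlk describes, added here as an example (it is not code from this thread or from any site named in it): fetch the same page under different request conditions, then diff the script tags and flag any script that appears only in some variants or is loaded from a host other than the page's own. The page URL, hostnames and HTML responses below are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample: the same page as answered to a direct request and to a
# request carrying a search-engine Referer. A cloaking server may inject an
# extra script only in the second case. Hostnames are placeholders.
PAGE_URL = "http://example-site.test/projects/password-strength/"
RESPONSES = {
    "direct": """<html><head>
<script src="/js/app.js"></script>
</head><body>strength meter</body></html>""",
    "from-search-engine": """<html><head>
<script src="/js/app.js"></script>
<script src="http://white.cdn-example.test/data/mootools.js"></script>
</head><body>strength meter</body></html>""",
}

# Matches the src attribute of every <script> tag (case-insensitive).
SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)


def script_origins(html, page_url):
    """Return the set of (host, path) pairs for every script tag in html.
    Relative src values are attributed to the page's own host."""
    page_host = urlparse(page_url).hostname
    origins = set()
    for src in SCRIPT_SRC.findall(html):
        parsed = urlparse(src)
        origins.add((parsed.hostname or page_host, parsed.path))
    return origins


def find_conditional_scripts(responses, page_url):
    """Report scripts that are present in some fetch variants but not in all,
    and whether each one is served from a host other than the page's own."""
    page_host = urlparse(page_url).hostname
    per_variant = {name: script_origins(html, page_url)
                   for name, html in responses.items()}
    common = set.intersection(*per_variant.values())
    findings = []
    for variant, origins in per_variant.items():
        for host, path in origins - common:
            findings.append({"variant": variant, "host": host, "path": path,
                             "off_host": host != page_host})
    return sorted(findings, key=lambda f: (f["variant"], f["host"], f["path"]))


if __name__ == "__main__":
    for finding in find_conditional_scripts(RESPONSES, PAGE_URL):
        print(finding)
```

    Real use would replace the constructed responses with fetches made with and without a Referer header, from more than one network location, since geoIP-based serving cannot be observed from a single vantage point.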
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    Thanks for the input, Vlk.
    Different threat detections keep coming from that page...
    white . edisonsnightclub . com / data / mootools . js [L] JS:Illredir-CL [Trj] (0)
     
  16. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Analysis of password-strength page at unwrongest website

    Analysis Report for " white . edisonsnightclub . com / data / mootools . js "
    from Anubis malware analyzing service...

    Summary:
    - Changes security settings of Internet Explorer:
    This system alteration could seriously affect safety surfing the World
    Wide Web.

    - Performs File Modification and Destruction:
    The executable modifies and destructs files which are not temporary.

    - Performs Registry Activities:
    The executable reads and modifies registry values. It also creates and
    monitors registry keys.
     

  17. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Analysis of password-strength page at unwrongest website

    I do like avast, and right now I'm glad I use it. :thumb:

    Analysis Report for unwrongest.com/projects/password-strength/

    Summary:
    - Changes security settings of Internet Explorer:
    This system alteration could seriously affect safety surfing the World
    Wide Web.

    - Performs File Modification and Destruction:
    The executable modifies and destructs files which are not temporary.

    - Performs Registry Activities:
    The executable reads and modifies registry values. It also creates and
    monitors registry keys.
     

  18. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Re: Analysis of password-strength page at unwrongest website

    Page42, first of all, I'm not disputing your Anubis report because the results speak for themselves, yet I installed the FF JSView add-on that Sadeghi85 detailed in the Post and this is what I see at unwrongest.com/projects/password-strength/:

    2010-07-25_143155.gif

    No sign of the file in question. Looks like Vlk is correct ( Post ) in the assumption that the malware packaged JavaScript could be geoIP driven, since I don't see it here.

    This is a very interesting thread, and thanks to LowWaterMark for separating it so we can continue the discussion.
     
  19. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Analysis of password-strength page at unwrongest website

    JR, I agree that it is interesting, and I thank LWM for breaking the posts off into their own thread. I knew the analysis was off topic, yet had to keep going because the info kept coming.

    The site is still infected, with fast-changing threat objects, the latest being:
    aqua . karenegren . com / data / mootools . js [L] JS:Illredir-CL [Trj] (0)

    It strikes me as ironic that on a thread about simple and safe passwords, the discussion would inadvertently lead to the posting of a site that was harboring a trojan. I think that Pete's defense of that site, when told that a warning was being given, literally points to the need for all of us to not assume that because something seemed okay yesterday, or even today, it isn't in fact a harmful website, capable of dishing out bad stuff to unsuspecting visitors. The seriousness and pervasiveness of malware is demonstrated not only in the well-known fact that one security program may detect a threat that another may miss, but now we must also be cognizant of geoIP driven threats, which I presume means threats that are evident in some locations but not in others.

    I am really glad that this was not an avast! FP, and that Vlk was here to add his info. I have learned about some terrific new tools for analysis because of this thread.
     
  20. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Re: Passwords that are Simple--and Safe

    Glad to read that no issues exist at your end, Page42!

    Emapis . org resolves to a different IP ( 64.182.83.132 ) than the other two domains. It looks like the addition of named colors follows what your Sucuri Malware database link exposed.
     
  21. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    5,829
    Location:
    Last Breath Farm
    Re: Passwords that are Simple--and Safe

    You and me both. :) Running my browser in OA's RunSafer gives me greater confidence, coupled with all avast! real-time shields and MBAM's protection module. I seem to have hit upon (for me) a blend of light-running apps that offer decent protection. (And the boot-time scan came up clean.)
     
  22. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Has anyone seen this file? I've not seen it in the cache with IE6 or Opera. Opera doesn't list the file in Info on that page.

    Has anyone found any bad stuff? I haven't observed anything.

    But one possibility:

    It may be that files on the server are infected and the sites they point to are no longer working. Therefore, nothing shows up.

    See:

    http://forum.avast.com/index.php?topic=60598.0

    ----
    rich
     
    Last edited: Jul 25, 2010
  23. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Re: Analysis of password-strength page at unwrongest website

    There lies the rub, Page42. The human element injected into the malware equation is what bug writers are hoping to exploit. I'm not going to defend Pete yet I can see why someone could fall prey to this geoIP trickery.
    • He has been using that site and never seen an infection from it.
    • You visit the site and Avast puts up a fight, thus you report his post.
    • I check it with my tools and can't find a thing.
    • Sadeghi85 pipes in and says Hey, there's something there!
    • I use the same tool and still can't see anything.
    • Vlk comes into the thread and we (or at least I) learn something new: malware delivered to a specific location source.
    If there's a lesson to be learned, at this early stage of the thread, it is that now more than ever, all of us need to be vigilant, no matter what site we think is safe. Otherwise, it might come back to bite you! :ouch:
     
  24. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Rich has the right idea here... Yes, avast! flags some malware. Yes, there might be something someone has not expected. But, still no one has actually found anything malicious. Many scripts look like malware. Many scripts are not a "f/p". Yet, many scripts don't actually do any damage. We need facts now. Can anyone say for a fact what the malicious activity is on that site? It's not enough to say it's something without saying what it is. I've hit that site many times and still can't see it actually doing anything. So, what is it exactly?
     
  25. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,976
    Location:
    U.S.A.
    Well Rich, if YOU can't find it, we are in deeper trouble than we thought! :eek:

    Maybe Page42 can tell us if the file actually downloaded to his PC (looks to be only a prompt of malicious Web site content).
     