Drive-by Download???

Discussion in 'other anti-trojan software' started by Kid Shamrock, Apr 30, 2007.

Thread Status:
Not open for further replies.
  1. Kid Shamrock

    Kid Shamrock Registered Member

    Joined:
    Apr 3, 2007
    Posts:
    207
    Hi everyone!

    Earlier today, I clicked on an adult website that was marked as safe by SiteAdvisor. As soon as the page opened, I got two popups from KIS that Trojans were attempting to load. Trojan-Downloader.JS.Small.dz and Trojan program Trojan-Downloader.JS.Agent.ex. Both Trojans were blocked and deleted successfully. After rebooting, I decided to experiment and went to the same website again. This time the page loaded with no popups at all!! I'm confused now about whether the first time was a false positive or what. I'm running XP fully patched, KIS 6.0.2.621, and A-squared AntiMalware realtime. SAS on demand. Has anyone else encountered something like this? BTW, there were no alerts from a-squared at all.


    Kid Shamrock
     
  2. TopperID

    TopperID Registered Member

    Joined:
    Oct 1, 2004
    Posts:
    1,527
    Location:
    London
    There wouldn't be an alert from A2 because it never got a sniff of the bogies. Although these things are called 'Trojans' by KAV, and other AVs, they are most likely to be exploits embedded into the web page - if the exploit succeeds it will then D/L actual trojans (i.e. executable files) onto your system.

    If you were running KAV's web-scanner it would have blocked the exploit code from being written to your HD, so there is no question of deleting the baddies since they never got in at all. If you were not running the web-scanner then they would have probably been written to your Temp Internet Files, whereupon your AV would have blocked them and, in that case, you would have needed to delete them via the file scanner. Personally I have my AV Guard configured to automatically delete such findings so that any pop-up I get is informational and requires no action.

    In these cases though, I always like to run a cache cleaner to clear out all junk in temp locations.

    I'm willing to bet that if you went to the same site with JavaScript, VBScript, Java applets and ActiveX etc. all disabled in your browser, you would not get the pop-up from KAV. The reason being that since all dangerous code is being blocked by your system then KAV will have nothing coming its way in the first place. With all website mobile code blocked you are unlikely to be exploited successfully (even though in theory it could happen, e.g. the .wmf exploit of a while back).
     
  3. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,697
    Hello,
    If you use Firefox to visit such sites - or any site for that matter - you will never see a popup... or an attempted drive-by or anything...
    Mrk
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you post the link (as hxxp://) so we can look at the code?

    -rich
     
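Added example, not code from this thread or from any of the posters: a small Python triage script for the kind of static "look at the code" that TopperID and Rmus describe above. Run against a saved copy of a page, it flags the page-embedded mobile code that an AV web-scanner would be reacting to (hidden iframes, ActiveX object tags, obfuscated inline scripts, external script includes). The sample page, its URLs and the CLSID are constructed placeholders, not taken from any real site.

```python
"""Static triage of a saved web page for drive-by download indicators."""
import re
from html.parser import HTMLParser

# Constructed sample page (placeholder URLs/CLSID, not a real site): a 0x0
# iframe, an ActiveX object tag, a decode-and-eval inline script of the sort
# AVs label Trojan-Downloader.JS.*, and an external script include.
SAMPLE_PAGE = """<html><body><p>Welcome</p>
<iframe src="http://example.invalid/x.htm" width="0" height="0"></iframe>
<object classid="clsid:00000000-0000-0000-0000-000000000000"></object>
<script>var s=unescape("%61%6c%65%72%74"); eval(s);</script>
<script src="http://cdn.example.invalid/lib.js"></script>
</body></html>"""

OBFUSCATION = re.compile(r"\b(eval|unescape|String\.fromCharCode)\s*\(")


class DriveByTriage(HTMLParser):
    """Collects (indicator, detail) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            if a.get("width") == "0" or a.get("height") == "0" or "display:none" in style:
                self.findings.append(("hidden_iframe", a.get("src", "")))
        elif tag == "object" and "classid" in a:
            self.findings.append(("activex_object", a["classid"]))
        elif tag == "script":
            self._in_script = True
            if "src" in a:
                self.findings.append(("external_script", a["src"]))

    def handle_data(self, data):
        if self._in_script:            # script bodies arrive here as raw text
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            self._script_buf = []
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated_script", body[:40]))


def triage(html):
    """Return the list of drive-by indicators found in the page source."""
    p = DriveByTriage()
    p.feed(html)
    p.close()
    return p.findings
```

Feed it the saved HTML with the browser's script execution disabled (or from a tool like wget), so nothing in the page runs while you inspect it.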
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Maybe you should switch from SiteAdvisor. See this thread. https://www.wilderssecurity.com/showthread.php?p=994674#post994674
     