Hotmail & JavaScript Trojan

Discussion in 'malware problems & news' started by TheKid7, Mar 1, 2011.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    This morning both my ESET NOD32 AV and AVG LinkScanner blocked a JavaScript Trojan while I was on Hotmail. I was using Internet Explorer 7 (Sandboxed) at the time. I did not open any E-Mails at the time this happened. I think that I was in the process of deleting some E-Mails.

    Could moving the mouse pointer over an advertisement cause the attempted Trojan injection?

    Thanks in Advance.

    In the future, I will have to make sure that I keep the use of Internet Explorer at an absolute "Minimum". Firefox with Adblock Plus most likely would have prevented this.
     
  2. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If you go to LinkScanner's history, you'll find what URL it blocked. ;)

    LinkScanner blocked it, because the JavaScript (Obfuscation - was this the alert?) was in the same URL; otherwise, it would only block if you actually entered a different URL within Hotmail.

    I don't think simply moving the mouse pointer over the ad would trigger it. The same for ESET. They simply scanned the URL. I'm not sure how ESET web scanner works - I just ran ESET for a very short time, a few years ago - but, I think it just flagged a trojan, while LinkScanner flagged JavaScript Obfuscation.

    Wasn't what happened a prevented attack? Both Eset and LinkScanner prevented it?

    Not to mention, you're running IE under Sandboxie's protection. I don't see why you would have to switch browsers; unless you want, of course. But, I don't see this as a reason.
     
  3. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    My parents have gotten infected through ads on webmail sites before. After figuring out that was the source, ad blockers were added. Can you share the log just to see if it was a Hotmail ad that caused it?
     
  4. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    AVG Linkscanner Log (I placed xxxxxx's in place of part of the web address.):

    3/1/2011, 6:31:18 AM;"Exploit Blackhole Exploit Kit (type 1381)";"xxxxxxx.cz.cc/in.php?a=QQkFBg0MAwAFAgYAEkcJBQYNDAMCAQQHDQ=="

    ESET NOD32 Log (I placed xxxxxx's in place of part of the web address and left out my Computer and Username.)

    3/1/2011 6:31:20 AM HTTP filter file -http://xxxxxxx.cz.cc/dhgjkdghfdvcfdg.jar- a variant of Java/TrojanDownloader.OpenStream.NBF trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files\Java\jre6\bin\java.exe.
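    The two log lines above come from two different products in two different formats, and the interesting fact (both hits are on the same host, two seconds apart, with ESET naming the process that fetched the .jar) only shows once they are normalized. The following is an added example, not something posted in this thread: a small Python parser for the AVG LinkScanner and ESET NOD32 line formats as they appear in TheKid7's post, which extracts timestamp, detection name, URL, host and (for ESET) the requesting application, and then groups detections from different products on the same host within a short window. The sample lines are copied from the post, including its "xxxxxxx" redaction; the field layouts are inferred from those two lines only, so other versions of either product may log differently.

```python
import csv
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Sample lines copied from TheKid7's post (the "xxxxxxx" redaction is his).
AVG_LINE = ('3/1/2011, 6:31:18 AM;"Exploit Blackhole Exploit Kit (type 1381)";'
            '"xxxxxxx.cz.cc/in.php?a=QQkFBg0MAwAFAgYAEkcJBQYNDAMCAQQHDQ=="')
ESET_LINE = ('3/1/2011 6:31:20 AM HTTP filter file -http://xxxxxxx.cz.cc/dhgjkdghfdvcfdg.jar- '
             'a variant of Java/TrojanDownloader.OpenStream.NBF trojan connection terminated - '
             'quarantined Threat was detected upon access to web by the application: '
             r'C:\Program Files\Java\jre6\bin\java.exe.')


@dataclass
class Detection:
    source: str                        # product that raised the alert
    when: datetime
    name: str                          # detection name exactly as logged
    url: str
    host: str
    application: Optional[str] = None  # requesting process, when the product logs it


# Layout inferred from the single ESET line above (assumption, not ESET's documented format):
# "<date> <time> HTTP filter file -<url>- <threat name> connection terminated - quarantined
#  Threat was detected upon access to web by the application: <path>."
ESET_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) '
    r'HTTP filter file -(?P<url>\S+?)- (?P<name>.+?) '
    r'connection terminated - quarantined'
    r'(?: Threat was detected upon access to web by the application: (?P<app>.+?)\.?)?$'
)


def _host_of(url: str) -> str:
    # LinkScanner logs the URL without a scheme; add one so urlsplit finds the host.
    if '://' not in url:
        url = 'http://' + url
    return urlsplit(url).hostname or ''


def parse_avg(line: str) -> Detection:
    # LinkScanner rows: semicolon-separated, double-quoted fields (timestamp; name; url).
    when, name, url = next(csv.reader([line], delimiter=';', quotechar='"'))
    return Detection('AVG LinkScanner',
                     datetime.strptime(when, '%m/%d/%Y, %I:%M:%S %p'),
                     name, url, _host_of(url))


def parse_eset(line: str) -> Detection:
    m = ESET_RE.match(line)
    if not m:
        raise ValueError('not an ESET HTTP filter line: %r' % line)
    return Detection('ESET NOD32',
                     datetime.strptime(m.group('ts'), '%m/%d/%Y %I:%M:%S %p'),
                     m.group('name'), m.group('url'), _host_of(m.group('url')),
                     m.group('app'))


def parse_line(line: str) -> Optional[Detection]:
    """Dispatch on the two formats seen in the thread; unknown lines yield None."""
    if ';"' in line:
        return parse_avg(line)
    if 'HTTP filter' in line:
        return parse_eset(line)
    return None


def correlate(detections: List[Detection], window_seconds: int = 60) -> Dict[str, List[Detection]]:
    """Return hosts flagged by more than one product within window_seconds,
    with their detections in time order. Here AVG (:18) and ESET (:20) agree
    on the same host, which is the exploit kit landing page plus its Java payload."""
    by_host: Dict[str, List[Detection]] = {}
    for d in detections:
        by_host.setdefault(d.host, []).append(d)
    result: Dict[str, List[Detection]] = {}
    for host, dets in by_host.items():
        dets.sort(key=lambda d: d.when)
        span = (dets[-1].when - dets[0].when).total_seconds()
        if len({d.source for d in dets}) > 1 and span <= window_seconds:
            result[host] = dets
    return result


if __name__ == '__main__':
    hits = [d for d in (parse_line(l) for l in (AVG_LINE, ESET_LINE)) if d]
    for host, dets in correlate(hits).items():
        print(host)
        for d in dets:
            print('  %s  %-15s %s  (%s)' % (d.when.time(), d.source, d.name, d.application or '-'))
```

    The host is the pivot: once both products agree on it, the same value can be checked against proxy or DNS logs to see whether anything on the network reached that host without being blocked, and ESET's application field tells you which client (here the Java runtime, not the browser) actually issued the request.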
     
  5. Prole

    Prole Registered Member

    Joined:
    Feb 2, 2011
    Posts:
    36
    I'm curious; why are you still using IE-7 ?
     
  6. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    Yeah, that looks like what would come from an ad; you don't even need to move a mouse over the ad to have it start loading. My parents' machine got hit with that same thing; every time the ad started loading it took over. They have not seen that prob since Adblock Plus :)
     
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    If the URL is the one I researched :D, then it's still serving the exploit, but not in hotmail any longer. I opened my account and nothing, or it could just be a different ad, which is totally possible.

    -edit-

    By the way, that exploit would target a vulnerable Java. LinkScanner blocked the exploit URL and Eset the *.jar file.

    It would also install a Fake AV. It's being detected by 7/43 according to VirusTotal.
     
    Last edited: Mar 1, 2011
  8. Ibrad

    Ibrad Registered Member

    Joined:
    Dec 8, 2009
    Posts:
    1,949
    @m00nbl00d

    Most likely depends on the ad. It took 3/4 cycles of ads running when my parents had that problem in order for the script to hit the machine.
     
  9. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Yes, indeed.

    What TheKid7 experienced only comes, once more, to reveal there aren't safe websites/services; only legitimate and illegitimate ones, and as I previously said in another thread, legitimate websites/services at some point become the bad ones, and an unsuspecting/unprotected user is hit by crap. :(
     
  10. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
    I had upgraded to IE-8 on one of my other PCs shortly after IE-8 was released. I had some issues that annoyed me (I don't remember what they were.). There was no uninstall for IE-8. However, over time and with Microsoft IE-8 updates the problem(s) appear to have "faded" away.

    I probably should go ahead and upgrade to IE-8 on this PC, but I just haven't yet done so.
     
  11. katio

    katio Guest

    All I see in a Windows Live account is ads for MSN and MS Messenger. Do they serve ads containing JavaScript from 3rd-party domains on their https live com website? o_O
     