kryptik.ak threat detected on one website

Discussion in 'ESET NOD32 Antivirus' started by robdam1001, May 5, 2011.

Thread Status:
Not open for further replies.
  1. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17
    NOD32 v 4.2.71.2 is notifying me of a kryptik.ak trojan. It's only detected on this one website which I use as my web based twitter client. kanvaso.com. I contacted Kanvaso and they are telling me that my PC is more than likely infected. I've run complete NOD32 and Malwarebytes scans and no threats are ever detected. I had been able to visit kanvaso.com just fine until this morning. Any advice would be greatly appreciated. Thank you.

    http://i2.photobucket.com/albums/y18/robdam/other/ScreenShot001-5.jpg
    http://i2.photobucket.com/albums/y18/robdam/other/Capture-3.jpg
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    JS/Kryptik.AK is detection of an obfuscation method exploited by malware authors to make the code unreadable by human and to evade detection by security software. The vendor should think twice before implementing such an obfuscation method on their website.
     
  3. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17
    Can it be eradicated? If so, how? Is it harmful? why is it only manifested on this one web address/website? Thank you for your prompt reply.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Since the code is on the vendor's website, it can be removed only by the vendor. Instead of obfuscating code and thus making the web page suspicious to scanners, they could either use unencrypted code or write the code in php or another language that is interpreted by the server and is not downloaded by clients connecting to the website.

    In this case it could be a legit code which is, however, obfuscated using a method exploited by malware writers to make the code unreadable by human and to evade detection by security software.
     
  5. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17
    As usual, I'm confused, lol. Am I infected? What should I tell the programmers at Kanvaso? Thank you again for your time & advice. Both are greatly appreciated.
     
  6. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Is it me or what. Just because something is labeled JS/Kryptik.AK does not mean it really is. I went to this site with 3 other very good products and not a one peeped. It could also be a FP and the OP needs to know that.
     
  7. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17

    So why would this FP appear out of the blue? I have been visiting this website for nearly a year without any issues or threats detected. How do I address this is if it is in fact a FP? Thank you .
     
  8. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    It normally comes from 2 things. Actual malware on the site, or the vendor cranking their hueristic settings a tad to high. It may be real so you do have to proceed with caution.
     
  9. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17

    So either way it's on their end?
     
  10. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    Last edited: May 6, 2011
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    No, it isn't. As I wrote, it's a detection of a malware-like obfuscation method that webmaster should avoid using it.
     
  12. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Obfuscation has more disadvantages then advantages.
    It makes the script to look like malware, it introduces non-zero delay each time prior execution or in emulation (the unpacking simply takes computing cycles).
    Some web-desingers I have been in contact thinks the particular obfuscation cryptor detected by the JS/Kryptik.AK gives them good copy protection. This is just a false feeling. A person interested in obtaining the original source code is the most probably an experienced JS coder having no-problem to decode the script. Even a person with average JavaScript knowledge is able to do that in one minute without any difficulty.
    Partial advantage of some JS obfustators is the fact they can reduce the size of the JavaScript code. There is even better method of reducing the bandwidth: The webserver can be enabled to use the GZIP Compression so the HTTP responses will be compressed. The webserver compression ratio is much better than with the JS packers. Using the JS packer and server side compression together is often worse than using the original script with the server side compression only. It does not make sense to compress the same thing two times.
     
  13. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia

    Understood:D
     
  14. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    Thanks for the explanation.
     
  15. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17
    I'm receiving the same threat detected on 6 PC's all running NOD32. So it's either a FP or it's on Kanvaso's end. They, as expected, are telling me the issue is on my end, lol. See their response below:


    "We haven't changed our code for months. We did obfuscated our JS code, but it had been done long time ago. Your malware's alarm should be false positive. Otherwise, other folks should've reported the same issue. But we haven't gotten any. Anyways, thank you for your effort to investigate the issue. We do appreciate it. "
     
  16. LethalBoy

    LethalBoy Registered Member

    Joined:
    Aug 10, 2008
    Posts:
    119
    I think it's a FP. Otherwise other AV vendors would detect it too. I entered this site with 3 other security vendors including ESET and it was the only one that detected it.
     
  17. JimmyTheHand

    JimmyTheHand Registered Member

    Joined:
    May 6, 2011
    Posts:
    1
    It is also being seen on -nectar.com- Javascripts
    -www.nectar.com/contents/scripts/cctracker.system.js-

    While I can understand the webmaster is using bad styles of Obfuscation - I am not sure how to explain what Obfuscation is to my sister or why it is causing her issues - and if FP that is stopping her do what she wants she won't be happy!
     
  18. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17
    Is there a way to edit NOD32 so that it ignores Kanvaso web address?
     
  19. ncsapko

    ncsapko Registered Member

    Joined:
    May 9, 2011
    Posts:
    2
    I have a Firefox Extension, which can be downloaded from http://www.dubser.com. I'm developing it. It is free for download, but I don't want others to be able to steal my ideas easily cause I want to develop a commercial version of it later, this is why an obfuscated javascript file is included. The extension is clean for sure and it is digitally signed as an extra protection. This software is absolutely secure. Nod32 is the only antivirus software which sends this file into quarantine. I think it is a rash generalization made by Nod32 that all of the obfuscated javascript files are malicious. Similarly we can say that all those who has a knife at home are serial killers for sure. This is foolish. I understand that virus protection is not a trivial task, but the algorithm used by Nod32 should be much more sophisticated, cause - with a behavior like this - Nod32 can easily damage businesses of others. I hope Nod32 will fix this bug soon in their software.
     
  20. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17

    Great reply, thank you. The thing that strikes me as being odd is that I had been using Kanvaso quite happily for months in unison with NOD32 without any red flags. Why now? why all of a sudden?
     
  21. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    Hi Ncsapko and welcome to the wilders,
    Did you read my previous post https://www.wilderssecurity.com/showpost.php?p=1868378&postcount=12 about obfuscation disadvantages?
    The obfuscation you use is unsuitable as a good copy protection as the decompression is indeed easy for average JS coder:
    decoding_test.png
    Some developers already confirmed they are moving away from the particular obfuscator used here. Will you stop using obfuscation at all or will you choose another one (stronger and not used by malware makers)?
     
  22. ncsapko

    ncsapko Registered Member

    Joined:
    May 9, 2011
    Posts:
    2
    Hi Danieln and thank you for your response. I read your previous post. I've never thought that obfuscation is a good protection against stealing the ideas even if stronger obfuscation is used. To tell the truth, there is no good solution to protect ideas in software industry, anyway. My goal was just not to enable it without extra efforts required. My problem with Nod32 is exactly this, cause if I put the original javascript file into my extension without obfuscating it, the Nod32 handles this original file as a clean content. If the obfuscation I used is so weak, why can't Nod32 remove this protection and check the original contento_O This is what I'm talking about: the algorithm used by Nod32 is not sophisticated enough. If the developers of Nod32 has made the efforts removing the obfuscation, my extension would be handled secure.
     
  23. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    I appreciate you decided to share your opinion.
    There is also the performance issue which I have already mentioned. A plain JavaScript code analysis itself is not a trivial task. Making the engine to exhaustive search, generically unpack and analyze all layers of possible obfuscation can introduce an unpleasant delay on many complex websites so this is not a good solution.
    Are you insisting on using the same obfuscation which is being detected here or is it acceptable for you to choose another one?
    Also, it would be fine if you could put a header (comment) in the beginning of the file with some useful info about application, author and version. These data will introduce a traceability to the file which could be used in decision whether trigger the file or not.
    Obfuscation cause problems, we welcome when it is avoided where possible.
     
  24. poo bear

    poo bear Registered Member

    Joined:
    Dec 4, 2007
    Posts:
    15
    Following recived from Nectar.com who I have been liasing with since having the above "trojan" detected by eset.

    "Dear xxxx

    Nectar Card number: 9826 3000 ....................

    Your Current Points Balance: 8,753

    Thank you for contacting us regarding the difficulties you have been experiencing with the Nectar website.

    I am pleased to able to reassure you that there is no Trojan virus on the Nectar website. The error was the result of a problem within Javascript, which only affected users of ESET Antivirus. This has now been resolved and the website updated so you should not have any further problems, however, if you do still get the same error message, please try clearing your cache with ESET.


    Regards
    Nectar Team"

    So what ever the heck was going on with them and eset is now over!
     
  25. robdam1001

    robdam1001 Registered Member

    Joined:
    May 5, 2011
    Posts:
    17
    All this info is fine and dandy but it does not solve MY ISSUE with NOD32 and Kanvaso.com
     
Thread Status:
Not open for further replies.