
kryptic-co False Positive


mobiusnz


Hi Team - A client of mine is getting popups from ESET on their own website. I've run every URL scanner I can find and none of them find anything malicious.

The URL in question is www.studypass.com

Which of these do you think is most likely?

1) Outright False positive

2) Positive based on code on their site using obfuscation that is often used by malware?

3) They are actually infected?

Visiting their site on other machines doesn't show any unusual behaviour. I've had a client whose WordPress site was hacked (not sure how, handed off to webhost/developer) but they had code injected that made it redirect to a third-party site (ad revenue probably) but only on the first visit, so most people just scratched their head, tried again and put it down to a typo or a popup from another tab or something. I haven't been able to find popups and I even used the same browser on the same operating system (Windows 7) to make sure it wasn't only activating when the client system was something it felt it could exploit. The browser session doesn't use any CPU time once loaded, so it doesn't appear to be running any background processes (Bitcoin mining etc.), so I'm really unsure if there is anything here without having access to the bare files on the webserver. I've forwarded information to the business for them to forward to their web dev, but I've had people call themselves developers before when all they really did was use a WordPress host and templates to bang up sites with no technical understanding of the underlying files etc.


Regards,

Matt


  • Administrators

If it's detected on ESET's website, it's unlikely to be an FP. It could be your router that might have been hacked and is injecting a malicious script into downloaded web pages.

Please gather ELC with also "quarantined files" selected and post the generated archive here.


This is the ONLY URL that is giving the errors, so it's not injection from the router. Also, I can scan that URL with VirusTotal, which includes ESET's URL scanning tech, and that comes back clean from all engines.


Hi Marcos - Thanks for responding - I don't have access to the machine at present. I have today spoken to the owner of the business, who confirmed he spoke to a web dev who looked at their site and confirmed that, due to an outdated version of WordPress, their website had been compromised and code injected.

It was a very interesting injection that I'd love to have the chance to study/test, as it didn't outwardly do anything. I'm wondering now if it was visiting sites to generate click-throughs but loading the sites in a way that the user never saw, as I did notice that the website would continue to say "loading" for some time after the site was visibly up. Today it doesn't do that anymore.

So although I was having my doubts, I apologise, as ESET seemed to be the only product that was doing its job well. Intriguing that none of the website scanners were finding the code.


  • Administrators
Quote

So although I was having my doubts, I apologise, as ESET seemed to be the only product that was doing its job well. Intriguing that none of the website scanners were finding the code.

Glad to hear that :) I was unable to reproduce the detection at that time, but it could have been due to the injection being limited to a specific browser or user location; otherwise the malicious code wasn't injected.
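The two posts above describe an injection that URL scanners missed and that ESET could not reproduce, probably because it was served only to some browsers or locations. The script below is an added triage example (not code from the thread, ESET or the site's developer): it scans the HTML a page returns under different browser profiles for hidden frames and obfuscated inline scripts, and reports findings that appear in only some profiles, which is the signature of a conditional injection. The two HTML bodies and the `example.invalid` host are constructed samples, not anything from the real site.

```python
"""Compare HTML fetched under several browser profiles for hidden loaders.
Added example: the sample pages below are constructed, not from the thread."""
import re
from html.parser import HTMLParser

# Styles and attributes that hide a frame from the visitor while it still loads.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Common building blocks of obfuscated inline script (not proof of malice alone).
OBFUSCATION = re.compile(r"\beval\s*\(|unescape\s*\(|String\.fromCharCode|atob\s*\(")

class LoaderScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings, self._in_script, self._script = [], False, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if tiny or HIDDEN_STYLE.search(a.get("style") or ""):
                self.findings.append(("hidden-iframe", a.get("src") or ""))
        elif tag == "script":
            self._in_script, self._script = True, []

    def handle_data(self, data):
        if self._in_script:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script)
            if OBFUSCATION.search(body):
                self.findings.append(("obfuscated-script", body[:60]))

def scan_html(html):
    s = LoaderScanner(); s.feed(html); s.close()
    return s.findings

def compare_variants(responses):
    """responses maps profile name -> HTML body fetched with that profile.
    Returns, per profile, findings NOT shared by every profile (conditional)."""
    per = {name: set(scan_html(h)) for name, h in responses.items()}
    common = set.intersection(*per.values()) if per else set()
    return {name: sorted(f - common) for name, f in per.items()}

# Constructed samples: a clean response and one carrying a hidden loader.
CLEAN = "<html><body><h1>Sample page</h1><script>var x = 1;</script></body></html>"
INJECTED = CLEAN.replace("</body>", '<iframe src="http://example.invalid/ad" width="0" '
    'height="0"></iframe><script>eval(unescape("%61%6c%65%72%74"));</script></body>')

if __name__ == "__main__":
    print(compare_variants({"chrome-linux": CLEAN, "ie-win7": INJECTED}))
```

In practice the `responses` dict would be filled by fetching the same URL with each User-Agent (and, where relevant, from the affected network), so a body that only differs for one profile stands out even when every single-URL scanner reports clean.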
