RogerVilca (posted May 31, 2019): Hi, our ESET Endpoint Security is repeatedly detecting the malware JS/Agent.OCJ when users are accessing several digital news sites (several URLs). I've looked in Virusradar and apparently this malware is new. A couple of questions: Is this name standard between different antimalware products? I wonder why this malware is not reported by other products like McAfee or Kaspersky (I searched the web with no result). Is this a false alert? Thanks in advance, Roger
Marcos (Administrator, posted June 1, 2019): The detection is correct. Each vendor uses its own name for threats, but sometimes it may be the same. And why is it not reported by other vendors? Because they do not have the same engine / detection database. Some are better at detecting certain malware, some are worse.
itman (posted June 1, 2019, edited): If you click on the ESET Virusradar prevalence map, this malware is very much localized to Peru. This is one possible explanation for the lack of detection by the other AV vendors listed at VirusTotal. The malware signature just hasn't been uploaded to the malware feed sources these other AVs use. Or, since the malware is localized and incident occurrences might be low, the other AV vendors consider its detection of low significance. Also, this malware appears to be website JavaScript based. If the other AV solutions do not employ active browser-based JavaScript web filtering as ESET does, that would be another explanation for the lack of detection.
chops (posted June 3, 2019): What's the best way to detect this particular malware, JS/Agent.OCJ? I had a site visitor point out to me that my site has this. Sounds like it is in a JavaScript file, maybe from one of my WordPress plug-ins?
Marcos (Administrator, posted June 3, 2019): Hard to say. I see that it's injected mainly into .js files. If you are not an ESET user, I'd strongly recommend downloading ESET Internet Security, installing it and activating a 30-day trial version. As you browse your website, ESET will block and notify you when you encounter a malicious URL. ESET uses very strong detection of malicious scripts, hence it's often the only popular AV to detect and block malicious scripts, which makes people think we must be reporting false positives, but in fact their website is compromised and infected.
chops (posted June 3, 2019): Do you have any info about cleaning it from my website?
Marcos (Administrator, posted June 3, 2019): Remove the obfuscated malicious JavaScript and update WordPress and all plug-ins. For more tips on how to harden WordPress, refer to https://wordpress.org/support/article/hardening-wordpress/.
chops (posted June 3, 2019): Hi Marcos, thanks for the info. We always keep everything up to date. And my host provider checked from his end and couldn't find anything or reproduce it. It's either really tricky, or perhaps the visitor's browser had already been infected. Thanks much, Gary
Marcos (Administrator, posted June 4, 2019), replying to chops ("And my host provider checked from his end and couldn't find anything or reproduce it."): Please provide the URL, but obfuscate the scheme (http or https) by using hxxp or hxxps instead so that it's not converted to a clickable link.
chops (posted June 4, 2019): Thank you. My site is hxxps://chops.com
itman (posted June 4, 2019, edited), replying to chops ("My site is hxxps://chops.com"): I am not getting any ESET alerts for this website using Firefox. I am, however, using uBlock Origin, and it is blocking at least 7 things on your website. This leads me to believe the issue might be the ads, trackers, etc. being displayed/used on the site. -EDIT- Primary suspect is getclicky.com. Other suspects are metrics.api.drift.com and event.api.drift.com. And it goes w/o saying that google-analytics is being used.
chops (posted June 4, 2019): Hi itman, the alert was for JS/Agent.OCJ, coming from a user. I have just started using Drift this week. What questions should I ask Drift, like "are you responsible for malware"? They seem like nice people! I have been using Clicky (getclicky.com) for about three years now and haven't received any heads-up prior to this from anyone. How do I reproduce your test? We don't run any ads, just Drift to help people start conversations, Clicky and GA for tracking, and Autopilot for marketing automation. And as I said, we just started with Drift, after closing our long-running account with SnapEngage.
itman (posted June 4, 2019), replying to chops ("The alert was for JS/Agent.OCJ, coming from a user."): I disabled uBlock for your site and Firefox itself blocked getclicky.com. So my money is still on that as the source. Find out what browser/app the person was using when he received the ESET alert. Also, ESET might be throwing this detection in response to this issue: https://www.bleepingcomputer.com/news/security/windows-10-apps-hit-by-malicious-ads-that-blockers-wont-stop/
Marcos (Administrator, posted June 5, 2019): I'm not getting any alert on the said website either. Please post the appropriate record with the full URL from the Detection log.
itman (posted June 5, 2019, edited), replying to chops ("The alert was for JS/Agent.OCJ, coming from a user"): My best guess at this point is that the issue is on the user's end. Ask if he/she is from Peru. This ESET detection has so far been largely related to connections originating from that country. Very possibly the user has DNS hijack issues, whatever. They try to connect to your site but are being redirected to a site containing JavaScript that ESET detects as JS/Agent.OCJ. As @Marcos just replied, we need a screenshot from the user's ESET Filtered Websites log that shows the URL/IP address associated with the alert.
itman (posted June 5, 2019): Looks like I was right about my suspicions about getclicky.com: https://www.threatcrowd.org/domain.php?domain=getclicky.com
RogerVilca (author, posted June 25, 2019): Hi, I found this log from our SIEM, which collects events from our antimalware:

<12>1 2019-06-25T15:19:28.509Z ldsantv ERAServer 1708 - - {"event_type":"Threat_Event","ipv4":"xx.xx.xx.xx","hostname":"hostname.domain","source_uuid":"70bd887a-8e34-4b1b-b7ac-8b1100ea7aa5","occured":"25-Jun-2019 15:17:51","severity":"Warning","threat_type":"trojan","threat_name":"JS/Agent.OCJ","scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"19582 (20190625)","object_type":"file","object_uri":"https://s3.amazonaws.com/assets-manager-dig/output/assets/js/prebid.js","action_taken":"blocked","threat_handled":true,"need_restart":false,"username":"domain\\user","processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","circumstances":"Event occurred during an attempt to access the web.","hash":"FFA6536B4D82E259FBB97E2CD868B9923F5976A6"}
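The record above is what Marcos and itman were asking for earlier in the thread: an RFC 5424 syslog line from the ESET management server whose message part is a JSON Threat_Event, and the object_uri field is the URL that actually served the script. The following is an added example written for this page (not ESET's code, and not from any poster) that parses such lines, pulls out the triage fields (threat name, serving host, hash, client process, whether the block succeeded) and aggregates across events to show which hosts are serving a given detection to how many endpoints. The sample input is the record quoted above, with a second copy on a constructed second hostname ("host2.domain") to exercise the aggregation; the regex for the syslog header and the field names it expects are assumptions based on that one record.

```python
import json
import re
from collections import Counter
from urllib.parse import urlsplit

# RFC 5424 header as seen in the thread's ERAServer record (assumed layout):
# <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d) (?P<timestamp>\S+) (?P<host>\S+) "
    r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) (?P<sd>\S+) (?P<msg>.*)$"
)
_SYSLOG_SEVERITY = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
_HASH_BY_LENGTH = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}

# Sample input: the record quoted in the thread (IP, hostname and user were
# already masked by the poster). Raw-string pieces keep the JSON backslashes.
SAMPLE_EVENT = (
    '<12>1 2019-06-25T15:19:28.509Z ldsantv ERAServer 1708 - - '
    '{"event_type":"Threat_Event","ipv4":"xx.xx.xx.xx","hostname":"hostname.domain",'
    '"source_uuid":"70bd887a-8e34-4b1b-b7ac-8b1100ea7aa5","occured":"25-Jun-2019 15:17:51",'
    '"severity":"Warning","threat_type":"trojan","threat_name":"JS/Agent.OCJ",'
    '"scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"19582 (20190625)",'
    '"object_type":"file",'
    '"object_uri":"https://s3.amazonaws.com/assets-manager-dig/output/assets/js/prebid.js",'
    '"action_taken":"blocked","threat_handled":true,"need_restart":false,'
    r'"username":"domain\\user",'
    r'"processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe",'
    '"circumstances":"Event occurred during an attempt to access the web.",'
    '"hash":"FFA6536B4D82E259FBB97E2CD868B9923F5976A6"}'
)


def parse_event(line):
    """Split one syslog line into header fields plus the decoded JSON payload."""
    m = _SYSLOG_RE.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 line: %r" % line[:60])
    event = m.groupdict()
    event["pri"] = int(event["pri"])
    event["payload"] = json.loads(event["msg"])  # raises on malformed JSON
    return event


def triage(event):
    """Reduce a Threat_Event to the fields an analyst needs for the first look."""
    p = event["payload"]
    uri = urlsplit(p.get("object_uri", ""))
    proc = p.get("processname", "").replace("/", "\\").rsplit("\\", 1)[-1]
    digest = p.get("hash", "")
    return {
        "event_type": p.get("event_type"),
        "threat_name": p.get("threat_name"),
        "scanner": p.get("scanner_id"),
        # The block only counts if the agent reports both the action and success.
        "blocked": p.get("action_taken") == "blocked" and p.get("threat_handled") is True,
        "source_host": uri.hostname,         # who served the script (the URL the thread asked for)
        "source_path": uri.path,
        "endpoint": p.get("hostname"),
        "process": proc,                      # client that fetched it, e.g. the browser
        "hash_algorithm": _HASH_BY_LENGTH.get(len(digest), "unknown"),
        "hash": digest.lower(),
        "web_delivered": "access the web" in p.get("circumstances", ""),
        "syslog_facility": event["pri"] // 8,
        "syslog_severity": _SYSLOG_SEVERITY[event["pri"] % 8],
    }


def serving_hosts(lines, threat_name):
    """Count, per serving host, how many distinct endpoints hit a given detection."""
    seen = set()
    for line in lines:
        s = triage(parse_event(line))
        if s["event_type"] == "Threat_Event" and s["threat_name"] == threat_name:
            seen.add((s["source_host"], s["endpoint"]))
    return Counter(host for host, _endpoint in seen)


if __name__ == "__main__":
    summary = triage(parse_event(SAMPLE_EVENT))
    for key, value in summary.items():
        print("%-16s %s" % (key, value))
    second = SAMPLE_EVENT.replace("hostname.domain", "host2.domain")  # constructed
    print(serving_hosts([SAMPLE_EVENT, second], "JS/Agent.OCJ"))
```

The serving_hosts view is the one that answers the question raised around chops's site: if every endpoint's object_uri points at the same third-party host rather than at the site itself, the script is being pulled in from that host (an ad, analytics or widget include), which is where cleanup and blocking effort should go.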
Marcos (Administrator, posted June 25, 2019), replying to RogerVilca ("I found this log from our SIEM, which collects events from our antimalware:" followed by the record above): The detection is correct. Also, some other AVs detect the malicious script: