RogerVilca

Malware JS/Agent.OCJ


Hi,

Our ESET Endpoint Security is repeatedly detecting the malware JS/Agent.OCJ when users access several digital news sites (several URLs).

I've looked in virusradar and apparently this malware is new.

A couple of questions:

Is this name standard across different antimalware products? I wonder why this malware is not reported by other products like McAfee or Kaspersky (I searched the web with no result).

Is this a false alert?


Thanks in advance

Roger


The detection is correct. Each vendor uses its own name for threats, but sometimes it may be the same.


And why is it not reported by other vendors? Because they do not have the same engine / detection database. Some are better at detecting certain malware, some are worse.


If you click on the ESET Virusradar prevalence map, this malware is very much localized to Peru. This is one possible explanation for the lack of detection by the other AV vendors listed at VirusTotal. The malware signature just hasn't been uploaded to the malware feed sources these other AVs use. Or, since the malware is localized and incident occurrences might be low, the other AV vendors consider its detection of low significance.

Also, this malware appears to be website JavaScript-based. If the other AV solutions do not employ active browser-based JavaScript web filtering as ESET does, that would be another explanation for the lack of detection.


What's the best way to detect this particular malware, JS/Agent.OCJ? I had a site visitor point out to me that my site has this. Sounds like it is in a JavaScript file, maybe from one of my WordPress plug-ins?


Hard to say. I see that it's injected mainly into JS files. If you are not an ESET user, I'd strongly recommend downloading ESET Internet Security, installing it and activating the 30-day trial version. As you browse your website, ESET will block and notify you when you encounter a malicious URL. ESET uses very strong detection of malicious scripts, hence it's often the only popular AV to detect and block malicious scripts, which makes people think we must be reporting false positives, but in fact their website is compromised and infected.


Do you have any info about cleaning it from my website?


Hi Marcos - Thanks for the info. We always keep everything up to date. And my host provider checked from his end and couldn't find anything or reproduce it. It's either really tricky, or perhaps the visitor's browser had already been infected. Thanks much, Gary

5 hours ago, chops said:

And my host provider checked from his end and couldn't find anything or reproduce it.

Please provide the url but obfuscate the scheme (http or https) by using hxxp or hxxps instead so that it's not converted to a clickable link.


Thank you. My site is hxxps://chops.com

1 hour ago, chops said:

My site is hxxps://chops.com

I am not getting any ESET alerts for this website using Firefox. I am, however, using uBlock Origin and it is blocking at least 7 things on your website. This leads me to believe the issue might be the ads, trackers, etc. being displayed/used on the site.

-EDIT-

Primary suspect is getclicky.com.

Other suspects are metrics.api.drift.com and event.api.drift.com.

And it goes w/o saying that google-analytics is being used.


Hi Itman -

The alert was for JS/Agent.OCJ, coming from a user. I have just started using Drift this week. What questions should I ask Drift - like, are you responsible for malware? They seem like nice people! I have been using Clicky - getclicky.com - for about three years now and haven't received any heads-up prior to this from anyone.

How do I reproduce your test? We don't run any ads, just Drift to help people start conversations, Clicky and GA for tracking, and Autopilot for marketing automation. And as I said, we just started with Drift, after closing our long-running account with SnapEngage.

1 hour ago, chops said:

The alert was for JS/Agent.OCJ, coming from a user. I

I disabled uBlock for your site and Firefox itself blocked getclicky.com. So my money is still on that as the source.

Find out what browser/app the person was using when he received the ESET alert.

Also, Eset might be throwing this detection in response to this issue: https://www.bleepingcomputer.com/news/security/windows-10-apps-hit-by-malicious-ads-that-blockers-wont-stop/


I'm not getting any alert on the said website either. Please post the appropriate record with the full url from the Detection log.

17 hours ago, chops said:

The alert was for JS/Agent.OCJ, coming from a user

My best guess at this point is the issue is on the user's end. Ask if he/she is from Peru. This Eset detection has so far been largely related to connections originating from that country.

It's very possible the user has DNS hijack issues, or whatever. They try to connect to your site but are being redirected to a site containing JavaScript that ESET detects as JS/Agent.OCJ.

As @Marcos just replied, we need a screen shot from the user's Eset Filtered Websites log that shows the URL/IP address associated with the alert.


Hi,

I found this log from our SIEM, which collects events from our antimalware:

<12>1 2019-06-25T15:19:28.509Z ldsantv ERAServer 1708 - - {"event_type":"Threat_Event","ipv4":"xx.xx.xx.xx","hostname":"hostname.domain","source_uuid":"70bd887a-8e34-4b1b-b7ac-8b1100ea7aa5","occured":"25-Jun-2019 15:17:51","severity":"Warning","threat_type":"trojan","threat_name":"JS/Agent.OCJ","scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"19582 (20190625)","object_type":"file","object_uri":"https://s3.amazonaws.com/assets-manager-dig/output/assets/js/prebid.js","action_taken":"blocked","threat_handled":true,"need_restart":false,"username":"domain\\user","processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","circumstances":"Event occurred during an attempt to access the web.","hash":"FFA6536B4D82E259FBB97E2CD868B9923F5976A6"}
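The record above is an RFC 5424 syslog header carrying a JSON Threat_Event body. The following parser (an added example, not code from ESET or from anyone in this thread) splits the header, decodes the body and pulls out the fields a triager needs: the detection name, the host and path of the script that was blocked, the browser process, and the SHA-1 of the object. The sample line is constructed in the same shape as the one posted above, with the IP and hostname left as placeholders.

```python
import json
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the shape of the ERA Server syslog record quoted in this thread.
SAMPLE_LINE = (
    '<12>1 2019-06-25T15:19:28.509Z ldsantv ERAServer 1708 - - '
    '{"event_type":"Threat_Event","ipv4":"xx.xx.xx.xx","hostname":"hostname.domain",'
    '"occured":"25-Jun-2019 15:17:51","severity":"Warning","threat_type":"trojan",'
    '"threat_name":"JS/Agent.OCJ","scanner_id":"Script scanner","object_type":"file",'
    '"object_uri":"https://s3.amazonaws.com/assets-manager-dig/output/assets/js/prebid.js",'
    '"action_taken":"blocked","threat_handled":true,'
    '"processname":"C:\\\\Program Files (x86)\\\\Google\\\\Chrome\\\\Application\\\\chrome.exe",'
    '"hash":"FFA6536B4D82E259FBB97E2CD868B9923F5976A6"}'
)

# RFC 5424 header: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA MSG
_HEADER = re.compile(r"^<(\d{1,3})>(\d) (\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (.*)$", re.S)
_SHA1 = re.compile(r"^[0-9A-Fa-f]{40}$")


@dataclass
class ThreatEvent:
    syslog_severity: int  # low 3 bits of <PRI>: 12 -> facility 1 (user), severity 4 (warning)
    hostname: str         # endpoint that raised the detection
    threat_name: str      # e.g. JS/Agent.OCJ
    uri_host: str         # where the blocked script was served from
    uri_path: str
    blocked: bool
    process: str          # application that fetched the object
    sha1: str


def parse_threat_event(line: str) -> ThreatEvent:
    """Split the syslog header, decode the JSON body and return the fields worth triaging."""
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an RFC 5424 record")
    body = json.loads(m.group(9))
    if body.get("event_type") != "Threat_Event":
        raise ValueError("not a Threat_Event")
    if not _SHA1.match(body.get("hash", "")):
        raise ValueError("hash field is not a SHA-1 hex digest")
    uri = urlsplit(body["object_uri"])
    return ThreatEvent(
        syslog_severity=int(m.group(1)) % 8, hostname=body["hostname"],
        threat_name=body["threat_name"], uri_host=uri.netloc, uri_path=uri.path,
        blocked=body["action_taken"] == "blocked" and bool(body.get("threat_handled")),
        process=body["processname"], sha1=body["hash"].upper(),
    )
```

The `uri_host`/`uri_path` pair is the answer to "where did it come from": it identifies the third-party script host rather than the news site the user was visiting, and the SHA-1 is what to look up when comparing vendors.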
11 minutes ago, RogerVilca said:

I found this log from our SIEM, which collects events from our antimalware:

<12>1 2019-06-25T15:19:28.509Z ldsantv ERAServer 1708 - - {"event_type":"Threat_Event","ipv4":"xx.xx.xx.xx","hostname":"hostname.domain","source_uuid":"70bd887a-8e34-4b1b-b7ac-8b1100ea7aa5","occured":"25-Jun-2019 15:17:51","severity":"Warning","threat_type":"trojan","threat_name":"JS/Agent.OCJ","scanner_id":"Script scanner","scan_id":"virlog.dat","engine_version":"19582 (20190625)","object_type":"file","object_uri":"https://s3.amazonaws.com/assets-manager-dig/output/assets/js/prebid.js","action_taken":"blocked","threat_handled":true,"need_restart":false,"username":"domain\\user","processname":"C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe","circumstances":"Event occurred during an attempt to access the web.","hash":"FFA6536B4D82E259FBB97E2CD868B9923F5976A6"}

The detection is correct. Also some other AVs detect the malicious script:

