cyberhash (Most Valued Member), posted March 5, 2021:
Hi all, I just submitted what I believed to be a false positive with a website to ESET, and I got a reply saying that they could not replicate the issue. I am wondering if this is something unique to the current BETA release, as I have not manually edited any settings that could explain this happening. Could one of you kind people please try to access this website for me and let me know if you receive the same alert (JS.Redirector.NFC Trojan) when you click on one of the lenses from the list there (like the video)? It happens on any browser I have installed as well.
hxxps://www.sigma-imaging-uk.com/lenses/
Marcos (Administrator), posted March 5, 2021:
I'm not getting any alert on the said web page. There can be many reasons for that, e.g. a different region, an infected machine, a compromised router, etc. You can provide ELC logs, with quarantined files also collected, for verification of the detection.
cyberhash (Most Valued Member, author), posted March 5, 2021:
Quoting Marcos (17 minutes earlier): "I'm not getting any alert on the said web page. There can be many reasons for that, e.g. a different region, infected machine, compromised router, etc. You can provide ELC logs with also quarantined files collected for verification of the detection."
Thanks for checking that for me @Marcos. I don't believe that my machine is infected, as this is the only page where I encounter the issue. I have browsed the same page before without a problem, but I recently changed ISP and the router was changed when I made the switch in January. I will send the logs and quarantined files back to ESET for a look, but I have a sneaking suspicion that this is going to turn out to be something relating to my ISP if nobody else can replicate the issue. Thanks again.
itman, posted March 5, 2021 (edited March 5, 2021 by itman):
Quoting cyberhash (3 hours earlier): "hxxps://www.sigma-imaging-uk.com/lenses/"
I duplicated the Eset detection when I selected the same lens you did. It appears to be malicious redirect activity.
EDIT: Of note, no one at VT is detecting the hash DDD0318AB432F659AFB556A62B98BF950A3E7512 that Eset shows in the Detection log entry.
shocked (Most Valued Member), posted March 5, 2021:
I replicated it as well. Selecting any lens at the bottom of the page provided in the OP results in Eset blocking it.
cyberhash (Most Valued Member, author), posted March 6, 2021:
Thanks @itman and @shocked for checking and replying. I am going to proceed and send some more of the requested information back and see what comes of it. Bit of a strange one, this 😏
itman, posted March 6, 2021:
I just accessed the web site again. Eset is still showing the same threat detection. Using the URL from the Eset detection log entry, I submitted it to VT for a scan. Since Quttera is detecting it, I would say the web site is hacked. You might want to inform the web site owner of this status.
Marcos (Administrator), posted March 6, 2021:
I confirm there is an obfuscated JS on the website, which is what ESET detected and blocked.
cyberhash (Most Valued Member, author), posted March 6, 2021:
It will be nice to see how this progresses and whether the code is indeed bad. I had used VT myself before submitting it as a false positive, as generally the more time passes, the more the score on there swings up or down. If any of the other major vendors had it listed on VT as being bad, I would not have questioned it and would never have sent an FP report in. According to VT, ESET still does not see this as being bad as of 23:36 GMT on 06/03, and there are fewer detecting it now. I can understand that VT will have some type of delay before it gets proper readings on the detections, but I did leave it for a week before I reported it as a possible FP and monitored the detection rate of other vendors. Regardless of the outcome and the slight confusion on the VT matter, I would rather be using a product that erred on the side of caution when it encountered this type of thing and blocked it. ESET has done exactly what was asked of it, in my opinion: blocked my access until it can be properly looked at.
Marcos (Administrator), posted March 7, 2021:
It's a web threat and as such may not be detected by ESET at VT. We use various mechanisms to detect and block malware. By the way, ESET's detection is from Oct 23, 2020.
itman, posted March 7, 2021 (edited March 7, 2021 by itman):
I will also add that Quttera, unlike many URL scanners that use blacklists, actually downloads everything hosted by a web site. It will often find hidden malware on a web site that none of these other scanners show. The fact that Quttera continues to show the site as malicious on VT is further confirmation of Eset's detection. Here's Quttera's detailed analysis: https://quttera.com/detailed_report/www.sigma-imaging-uk.com which found 11 malware instances on the web site, all the same JavaScript code Eset detected. My suspicion is the site has an infected WordPress plug-in.
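The thread turns on an obfuscated inline script that hides a redirect behind string encodings, which is why blacklist-based URL scanners miss it while scanners that fetch and inspect page content do not. The following is an added example (not code from the forum, ESET or Quttera) of a defender-side heuristic: it pulls inline scripts out of fetched HTML, decodes common obfuscation layers, and reports which redirector indicators fire. The two HTML pages are constructed samples; the real site's script is not reproduced here.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Constructed sample pages (assumed for illustration, not the real site's content).
CLEAN_HTML = "<html><body><script>showLens(42);</script></body></html>"
SUSPICIOUS_HTML = """<html><body><script>
var _0x4a=["\\x6c\\x6f\\x63\\x61\\x74\\x69\\x6f\\x6e","\\x68\\x72\\x65\\x66"];
eval(unescape("%77%69%6e%64%6f%77%2e%6c%6f%63%61%74%69%6f%6e%3d%27%2f%2f%65%78%61%6d%70%6c%65%2e%69%6e%76%61%6c%69%64%27"));
window[_0x4a[0]][_0x4a[1]]=String.fromCharCode(104,116,116,112,115);
</script></body></html>"""

# Heuristic indicators of obfuscated redirector scripts (checked on raw and decoded text).
INDICATORS = {
    "eval_or_unescape": re.compile(r"\b(eval|unescape|atob)\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode\s*\("),
    "hex_escape_run": re.compile(r"(\\x[0-9a-fA-F]{2}){4,}"),
    "percent_encoded_run": re.compile(r"(%[0-9a-fA-F]{2}){8,}"),
    "location_redirect": re.compile(r"window\.location|\blocation\s*(\.href|\[)"),
}

class ScriptCollector(HTMLParser):
    """Collect the bodies of inline <script> elements."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"
    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data

def decode_layers(js: str) -> str:
    """Undo \\xNN escapes, %NN encoding and fromCharCode() so hidden keywords surface."""
    out = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), js)
    out = unquote(out)
    return re.sub(r"String\.fromCharCode\(([\d,\s]+)\)",
                  lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")), out)

def analyze_page(html: str) -> list:
    """Return, per inline script, the indicator names that fired on raw or decoded text."""
    collector = ScriptCollector()
    collector.feed(html)
    return [[name for name, rx in INDICATORS.items()
             if rx.search(raw) or rx.search(decode_layers(raw))]
            for raw in collector.scripts]
```

Note that "location_redirect" only fires after decoding: on the raw text the redirect target is invisible, which is the same reason a hash or blacklist lookup of the URL alone says nothing about the script it serves.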