s/spy.banker.iv false positive or true ?

[franck 0]

Hello, a customer informs me that his Eset antivirus detects the js/spy.banker virus on this page: https://www.domainedestrottieres.com/commande could you help me because only eset finds this virus. THANKS

[Marcos 4,694]

The detection is correct, the website is infected with the detected malicious JS:

[itman 1,538]

Also Eset is detecting the malicious script on the web site page where actual product ordering is performed; i.e payment method details are entered.

[Marcos 4,694]

Also ESET is not the only AV to detect the threat:

[rotaru 10]

 

This:

https://www.domainedestrottieres.com/commande

 

generates ZERO detections on VT

 

[Marcos 4,694]

4 hours ago, rotaru said:

This:

domainedestrottieres.com

generates ZERO detections on VT

Not detections but url blacklists. Since it's a legitimate site that was infected with malware, we are not going to blacklist it completely. Blacklisting whole sites make sense especially when they are created for malicious purposes.

[franck 0]

Hello,

thank you for your feedback. but I still don't understand, I have the same results as rotaru on VT. is there something or not? Why does Marcos get a positive?

thanks again

[franck 0]

one more question, what is the infected js file?

[Marcos 4,694]

1 minute ago, franck said:

thank you for your feedback. but I still don't understand, I have the same results as rotaru on VT. is there something or not? Why does Marcos get a positive?

That's because you did a check if the website url is blacklisted by AVs while I scanned the file that contained the malicious JS. So it's like comparing apples with oranges, blacklisted urls and html files with malware are two different things.

[Marcos 4,694]

4 minutes ago, franck said:

one more question, what is the infected js file?

The url where the malware was detected can be found in the Detections logs. In this case it was

https://www.domainedestrottieres.com/commande

 

[rotaru 10]

1 hour ago, Marcos said:

while I scanned the file

So, I want to reproduce the detection.

 

What exactly did you download??? This is a site where you can place orders for vines, I couldn't "download" anything.

[rotaru 10]

Checked the website with Quttera  , which downloaded 99 files, analized for 5 minutes and this is the result:

[Marcos 4,694]

Yes, they don't detect 100% of malware like no security solution does.

[itman 1,538]

9 hours ago, rotaru said:

Checked the website with Quttera  , which downloaded 99 files, analized for 5 minutes and this is the result:

Go here: https://www.domainedestrottieres.com/blancs-cremants/9-anjou-chenin-clair-de-lune-75-cl.html

Mouse click on the shopping cart tab located in Visa/Mastercard area of the web page.

On the next web page displayed, mouse click on the "Commander" button:

Appears the malware is one of the card credential data stealing variants.

 

Edited April 5 by itman

[itman 1,538]

In regards to this specific web site, it is using outdated php software as noted in this Sucuri analysis: https://sitecheck.sucuri.net/results/https/www.domainedestrottieres.com/commande . This means that even if the JavaScript malware is removed, they will probably be exploited again with it.

[rotaru 10]

33 minutes ago, itman said:

In regards to this specific web site, it is using outdated php software as noted in this Sucuri analysis: https://sitecheck.sucuri.net/results/https/www.domainedestrottieres.com/commande . This means that even if the JavaScript malware is removed, they will probably be exploited again with it.

May be "outdated" but it is not determined to be malicious or blacklisted:

 

[itman 1,538]

One other thing about the JavaScript malware. It's polymorphic. I have 5 Eset log entries for it and each has a different hash value. An additional reason why the online web site scanners can't detect it.

Edited April 5 by itman

[itman 1,538]

31 minutes ago, rotaru said:

May be "outdated" but it is not determined to be malicious or blacklisted:

Refer to this prior posting: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=164956 . Note the VT embedded-js reference. Next, open the Sucuri analysis again and refer to the JavaScript's that exist.

Bottom line is the script is hidden and the online web scanners didn't know it existed.

 

[rotaru 10]

14 minutes ago, itman said:

I have 5 Eset log entries for it and each has a different hash value. An additional reason why the online web site scanners can't detect it.

Hello Itman,

Thank you for your patience!

ESET is famous for "exotic" detections. I, as a regular user , I did everything possible to replicate a detection

• checked the website on VT
• checked the website with Quttera
• I replicated the steps indicated on your post with 3 different AVs

Yet , I did not get any detection; the fact that you have  "5 Eset log entries for it and each has a different hash value" is not encouraging, on the contrary , demonstrates inconsistency rather than detection.

I am confused!

 

[itman 1,538]

1 hour ago, rotaru said:

Yet , I did not get any detection; the fact that you have  "5 Eset log entries for it and each has a different hash value" is not encouraging, on the contrary , demonstrates inconsistency rather than detection.

First, I advise you read up on Eset's protection mechanisms here: https://www.eset.com/fileadmin/ESET/US/docs/about/ESET-Technology-Whitepaper.pdf . The one I will reference here is DNA detections.

A favorite trick among malware creators is to slightly modify their scripts, and binaries also, to try to avoid AV's static signature detection. Eset's DNA detection employs "smart" signatures that record malware code and behavior "snippets" which are portions of a malicious script or binary. This allows Eset to detect modified malware variants; also known as polymorphic malware. Also in this regard, Eset has one of the best "smart" signatures among all security products.

As far as this web site goes, it appears the web server is compromised. This allows the attacker to "serve up" a modified script each time the "Order" button is selected. 

Edited April 5 by itman

[rotaru 10]

1 hour ago, itman said:

Eset has one of the best "smart" signatures

That could be, however for a regular user who would show do diligence and check the "detection" on multiple sites only to get ZERO results , this is confusing.

 

On top of that , ESET detection says "This website may contain dangerous..."

So, is may . Which can be may not. So , when you check it in 6-7 places and the result is ZERO , sure may not seems the real choice.

But enough talking, sure ESET is doing a fine job.

But not for me.

[itman 1,538]

13 hours ago, rotaru said:

That could be, however for a regular user who would show do diligence and check the "detection" on multiple sites only to get ZERO results , this is confusing.

The on-line web site scanners also reference VT results and factor those into their final determination result. None of the hashes for the 5 variants of this script in my Eset Detection log are known to VT. One other very important point. These scanners only scan via HTTP connection; not via HTTPS. This web site connection where the malware exists only can be accessed via HTTPS.

As far as other AV solutions being able to detect this malware, some can. Refer to @Marcos prior posting here: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=164956

Edited April 6 by itman

[el el amiril 0]

weird my eset did not block the website??

[el el amiril 0]

is it ok there was no blocking?

 

[Marcos 4,694]

I strongly discourage you from opening websites on physical machines that another person reports as possibly infected. And yes, the detection occurs under specific conditions.