franck, posted April 4:
Hello, a customer informs me that his ESET antivirus detects the JS/Spy.Banker virus on this page: https://www.domainedestrottieres.com/commande. Could you help me, because only ESET finds this virus? Thanks.

Marcos (Administrator), posted April 4:
The detection is correct; the website is infected with the detected malicious JS:

itman, posted April 4:
Also, ESET is detecting the malicious script on the website page where actual product ordering is performed, i.e. where payment method details are entered.

Marcos (Administrator), posted April 4:
Also, ESET is not the only AV to detect the threat:

rotaru, posted April 5:
This: https://www.domainedestrottieres.com/commande generates ZERO detections on VT.

Marcos (Administrator), posted April 5:
> 4 hours ago, rotaru said: This: domainedestrottieres.com generates ZERO detections on VT
Not detections, but URL blacklists. Since it's a legitimate site that was infected with malware, we are not going to blacklist it completely. Blacklisting whole sites makes sense especially when they are created for malicious purposes.

franck (author), posted April 5:
Hello, thank you for your feedback. But I still don't understand; I have the same results as rotaru on VT. Is there something or not? Why does Marcos get a positive? Thanks again.

franck (author), posted April 5:
One more question: what is the infected JS file?

Marcos (Administrator), posted April 5:
> 1 minute ago, franck said: thank you for your feedback. but I still don't understand, I have the same results as rotaru on VT. is there something or not? Why does Marcos get a positive?
That's because you checked whether the website URL is blacklisted by AVs, while I scanned the file that contained the malicious JS. So it's like comparing apples with oranges; blacklisted URLs and HTML files with malware are two different things.

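To make that distinction concrete, here is an added example (editor's code, not ESET's and not posted by anyone in this thread) that takes a saved copy of a page and pulls out the things you would actually hash and look up or submit as files: the external script URLs and the SHA-256 of each inline script body. The HTML is constructed for illustration, and its script bodies are benign placeholders, not the script found on the site.

```python
"""Added example (editor's code, not ESET's): separate the *URL* of a page
from the *files* it carries. A URL reputation lookup and a lookup of the
hash of a script extracted from the page answer different questions.
SAMPLE_HTML is constructed; the inline scripts are benign placeholders."""
import hashlib
from html.parser import HTMLParser
from typing import Dict, List

# Constructed stand-in for a saved checkout page (not the real site's HTML).
SAMPLE_HTML = """<html><head>
<script src="/js/jquery.min.js"></script>
<script>document.title = "Commande";</script>
</head><body>
<form id="checkout"><input name="card"></form>
<script>var f = document.getElementById("checkout"); /* constructed placeholder, not the real script */</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    """Collects <script src=...> references and inline <script> bodies."""

    def __init__(self) -> None:
        super().__init__()
        self.external: List[str] = []
        self.inline: List[str] = []
        self._in_script = False
        self._buf: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # html.parser switches to CDATA mode inside <script>, so the body
        # arrives here (possibly in several chunks) rather than as tags.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def collect_scripts(html: str) -> Dict[str, object]:
    """Return external script URLs and hashed inline script bodies."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return {
        "external": parser.external,
        "inline": [
            {"sha256": sha256_hex(body), "bytes": len(body.encode("utf-8")), "body": body}
            for body in parser.inline
        ],
    }


if __name__ == "__main__":
    result = collect_scripts(SAMPLE_HTML)
    for url in result["external"]:
        print("external script (fetch and hash separately):", url)
    for item in result["inline"]:
        print("inline script sha256=%s bytes=%d" % (item["sha256"], item["bytes"]))
```

The inline hashes are what a file lookup keys on, which is why a URL that shows zero reputation hits can still carry a script that file scanners flag. Two caveats for this thread's situation: the script only appears on the page reached after the checkout navigation, so the capture has to be of that response, and if the server varies the script per request, the hash to look up is the one from the exact response that was flagged, not from a later fetch.
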
Marcos (Administrator), posted April 5:
> 4 minutes ago, franck said: one more question, what is the infected js file?
The URL where the malware was detected can be found in the Detections logs. In this case it was https://www.domainedestrottieres.com/commande

rotaru, posted April 5:
> 1 hour ago, Marcos said: while I scanned the file
So, I want to reproduce the detection. What exactly did you download??? This is a site where you can place orders for wines; I couldn't "download" anything.

rotaru, posted April 5:
Checked the website with Quttera, which downloaded 99 files, analyzed for 5 minutes, and this is the result:

Marcos (Administrator), posted April 5:
Yes, they don't detect 100% of malware, as no security solution does.

itman, posted April 5:
> 9 hours ago, rotaru said: Checked the website with Quttera, which downloaded 99 files, analyzed for 5 minutes and this is the result:
Go here: https://www.domainedestrottieres.com/blancs-cremants/9-anjou-chenin-clair-de-lune-75-cl.html
Mouse click on the shopping cart tab located in the Visa/Mastercard area of the web page. On the next web page displayed, mouse click on the "Commander" button:
It appears the malware is one of the card credential data stealing variants.

itman, posted April 5:
In regards to this specific website, it is using outdated PHP software, as noted in this Sucuri analysis: https://sitecheck.sucuri.net/results/https/www.domainedestrottieres.com/commande . This means that even if the JavaScript malware is removed, they will probably be exploited again with it.

rotaru, posted April 5:
> 33 minutes ago, itman said: In regards to this specific website, it is using outdated PHP software, as noted in this Sucuri analysis: https://sitecheck.sucuri.net/results/https/www.domainedestrottieres.com/commande . This means that even if the JavaScript malware is removed, they will probably be exploited again with it.
May be "outdated", but it is not determined to be malicious or blacklisted:

itman, posted April 5:
One other thing about the JavaScript malware: it's polymorphic. I have 5 ESET log entries for it and each has a different hash value. An additional reason why the online website scanners can't detect it.

itman, posted April 5:
> 31 minutes ago, rotaru said: May be "outdated" but it is not determined to be malicious or blacklisted:
Refer to this prior posting: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=164956 . Note the VT embedded-js reference. Next, open the Sucuri analysis again and refer to the JavaScripts that exist. Bottom line is the script is hidden and the online web scanners didn't know it existed.

rotaru, posted April 5:
> 14 minutes ago, itman said: I have 5 Eset log entries for it and each has a different hash value. An additional reason why the online web site scanners can't detect it.
Hello itman, thank you for your patience! ESET is famous for "exotic" detections. I, as a regular user, did everything possible to replicate a detection: checked the website on VT; checked the website with Quttera; replicated the steps indicated in your post with 3 different AVs. Yet I did not get any detection; the fact that you have "5 ESET log entries for it and each has a different hash value" is not encouraging; on the contrary, it demonstrates inconsistency rather than detection. I am confused!

itman, posted April 5:
> 1 hour ago, rotaru said: Yet, I did not get any detection; the fact that you have "5 Eset log entries for it and each has a different hash value" is not encouraging, on the contrary, demonstrates inconsistency rather than detection.
First, I advise you to read up on ESET's protection mechanisms here: https://www.eset.com/fileadmin/ESET/US/docs/about/ESET-Technology-Whitepaper.pdf . The one I will reference here is DNA detections. A favorite trick among malware creators is to slightly modify their scripts, and binaries also, to try to avoid AVs' static signature detection. ESET's DNA detection employs "smart" signatures that record malware code and behavior "snippets", which are portions of a malicious script or binary. This allows ESET to detect modified malware variants, also known as polymorphic malware. Also in this regard, ESET has one of the best "smart" signatures among all security products. As far as this website goes, it appears the web server is compromised. This allows the attacker to "serve up" a modified script each time the "Order" button is selected.

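The two points made above, that every served copy has a different hash (itman's five log entries) and that a snippet-based signature still matches all of them, can be shown in a few lines. The following is an added example written by the editor, not ESET's code and not the detection logic it uses; the three script variants are constructed, benign stand-ins that mimic an obfuscator renaming identifiers and varying comments and whitespace between requests. The normalisation it performs (drop comments and whitespace, rename identifiers in order of first use, compare token 3-grams) is a deliberately simple illustration of the "code snippet" idea, not a reproduction of ESET's DNA signatures.

```python
"""Added example (editor's code, not ESET's): why per-fetch hashes of a
polymorphic script all differ while a snippet-based comparison still
matches. VARIANTS and UNRELATED are constructed, benign samples; the
normalisation is a simplified illustration, not ESET's DNA algorithm."""
import hashlib
import re
from typing import List, Set, Tuple

# Constructed samples: same logic, different identifier names, comment
# contents and spacing, as a server re-obfuscating per request would emit.
VARIANTS = [
    'var _0xa1=["card","cvv"];function x1(){/* r=4821 */ send(_0xa1);}',
    'var _0x9f=["card","cvv"];function q7(){/* r=1937 */ send(_0x9f);}',
    'var _0x33=["card","cvv"]; function k2(){ /* r=7718 */  send(_0x33); }',
]
# Constructed benign script with no structural relation to the variants.
UNRELATED = 'function greet(n){return "hi "+n;}'

# Comments and string literals are matched before anything else so that a
# "//" inside a string literal is not mistaken for a line comment.
_TOKEN = re.compile(
    r'/\*.*?\*/|//[^\n]*|"[^"]*"|\'[^\']*\'|[A-Za-z_$][A-Za-z0-9_$]*|\d+|\S',
    re.S,
)
_KEYWORDS = {"var", "let", "const", "function", "return", "if", "else", "new", "this"}
_IDENT_START = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ_$")


def sha256_hex(data: str) -> str:
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def raw_hashes(scripts: List[str]) -> List[str]:
    """What a file-hash lookup sees: one distinct hash per served copy."""
    return [sha256_hex(s) for s in scripts]


def normalise(src: str) -> List[str]:
    """Drop comments and whitespace; rename identifiers by first appearance.
    Keywords and string literals are kept, since they carry the behaviour."""
    names = {}
    out = []
    for tok in _TOKEN.findall(src):
        if tok.startswith(("/*", "//")):
            continue
        if tok[0] in _IDENT_START and tok not in _KEYWORDS:
            tok = names.setdefault(tok, f"ID{len(names)}")
        out.append(tok)
    return out


def normalised_hash(src: str) -> str:
    """Hash of the normalised token stream: identical across the variants."""
    return sha256_hex(" ".join(normalise(src)))


def _ngrams(toks: List[str], n: int = 3) -> Set[Tuple[str, ...]]:
    return {tuple(toks[i:i + n]) for i in range(len(toks) - n + 1)}


def similarity(a: str, b: str) -> float:
    """Jaccard overlap of normalised token 3-grams, 0.0 (disjoint) to 1.0."""
    ga, gb = _ngrams(normalise(a)), _ngrams(normalise(b))
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


if __name__ == "__main__":
    print("distinct raw hashes:", len(set(raw_hashes(VARIANTS))))
    print("distinct normalised hashes:", len({normalised_hash(v) for v in VARIANTS}))
    for v in VARIANTS[1:]:
        print("similarity to variant 0: %.2f" % similarity(VARIANTS[0], v))
    print("similarity to unrelated script: %.2f" % similarity(VARIANTS[0], UNRELATED))
```

Run stand-alone it reports three distinct raw hashes, one normalised hash, similarity 1.00 between the variants and 0.00 against the unrelated script. That is the whole reason a hash lookup on VT or a site scanner that keys on hashes can come back empty for every copy while a scanner matching on code fragments fires on each of them; it also explains why the five log entries having different hashes is consistent with one detection rather than evidence of inconsistency. In practice the renaming rule would exempt known globals (document, window, fetch) so that which APIs are called stays part of the signature.
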
rotaru, posted April 6:
> 1 hour ago, itman said: Eset has one of the best "smart" signatures
That could be; however, for a regular user who would show due diligence and check the "detection" on multiple sites only to get ZERO results, this is confusing. On top of that, ESET's detection says "This website may contain dangerous..." So it is "may", which can be "may not". So when you check it in 6-7 places and the result is ZERO, sure, "may not" seems the real choice. But enough talking; sure, ESET is doing a fine job. But not for me.

itman, posted April 6:
> 13 hours ago, rotaru said: That could be, however for a regular user who would show due diligence and check the "detection" on multiple sites only to get ZERO results, this is confusing.
The online website scanners also reference VT results and factor those into their final determination. None of the hashes for the 5 variants of this script in my ESET Detection log are known to VT. One other very important point: these scanners only scan via HTTP connection, not via HTTPS. This website connection where the malware exists can only be accessed via HTTPS. As far as other AV solutions being able to detect this malware, some can. Refer to @Marcos' prior posting here: https://forum.eset.com/topic/35944-sspybankeriv-false-positive-or-true/?do=findComment&comment=164956

el el amiril, posted April 7:
Weird, my ESET did not block the website??

el el amiril, posted April 7:
Is it OK that there was no blocking?

Marcos (Administrator), posted April 7:
I strongly discourage you from opening websites on physical machines that another person reports as possibly infected. And yes, the detection occurs under specific conditions.