JS/Spy.Banker.IV trojan

Hi, I was attempting to purchase some products from nocturna models, which I have used in the past without issue; however, when I click on the cart I get a message saying 'Threat Found JS/Spy.Banker.IV Trojan... access block etc.'.

I've contacted them and they are saying that it might be a false positive.

https://nocturnamodels.com/en/pedido

If the cart is empty it will load but as soon as you put an item in and go to checkout the warning comes up.

Do you think this is a false positive or not?

I've done a full scan of my system with Eset and Malwarebytes and nothing has shown up.

Thanks

1 hour ago, rotaru said:

Nothing on VT, but detected on my test machine with Kaspersky as "HEUR:Trojan-PSW.Script.Generic".

It's magecart malware. It won't manifest until:

Quote

If the cart is empty it will load but as soon as you put an item in and go to checkout the warning comes up.

Additional ref.: https://www.imperva.com/learn/application-security/magecart/

Based on this: https://encyclopedia.kaspersky.com/knowledge/trojan-psw/, it appears Kaspersky doesn't detect the malicious magecart .js script but its assumed subsequent activities.

Edited by itman

3 hours ago, rotaru said:

in theory, is superior to definition-based detection.

Eset, like Kaspersky and most other modern AV products, uses both signature and heuristic analysis detection methods.

A full signature detection of malware is superior to heuristic detection since it is a 100% confident identification method. Heuristic analysis has both advantages and disadvantages as listed below:

Quote

Advantages

Heuristic analysis can detect more than just modified forms of current malicious programs. It can also detect previously unknown malicious programs. This is because it analyses the behavior of a potential threat instead of its file name.

This method of analysis also reduces the number of false positives because some behaviors are very specific to malware, and heuristic analysis can identify them, pinpointing the threat. For example, if a program tries to delete files that are needed by the operating system, it is most likely malicious. Heuristic analysis can detect this kind of behavior and flag the threat so it can be removed.

On the other hand, by merely examining the signature of a program and comparing it to those of known threats, the threat may slip away unnoticed, simply because it does not match a known threat. This is often the case when dealing with a zero-day or previously unknown threat. Heuristic analysis can flag the threat based on what it does, regardless of whether it has already been logged in a threat management system.

Disadvantages

Heuristic analysis is designed to detect known threat behavior. If the threat does not perform any action the threat detection technology has been programmed to recognize, it can slip under the radar.

To illustrate, suppose your antivirus software has been engineered to flag a program that tries to delete files your operating system needs but not files that decrypt themselves. In this case, if it comes across a self-decrypting file, it may not notice that it is a threat—even though this action is typical of threats.

There is also a chance that the antivirus/anti-malware software uses heuristic scanning based on a range of behavior that is too broad. In this heuristic analysis example, the process can result in mislabeling innocent files as threats. However, this is more common in older heuristic analysis programs, so if you have a newer one and it has been recently updated, chances are it uses modern techniques, which limit the number of false positives.

https://www.fortinet.com/resources/cyberglossary/heuristic-analysis

Per the above-posted Kaspersky heuristic analysis detection screenshot, confidence was rated high. Why? Because one of their malware analysts reviewed the detection and deemed it malicious. It is assumed Kaspersky is currently in the process of developing a signature for this malware.

Malware backdoors are an example where heuristic analysis often fails since, in their simplest form, these backdoors appear to be benign reverse shells.

Edited by itman

1 hour ago, itman said:

Why? Because one of their malware analysts reviewed the detection

I do not think this is a true statement; see here 2 detections of the same item 6 days apart with the same message ("expert analysis"), yet no signature detection. See same MD5, same reason, but still HEUR.

"Expert analysis" probably refers to a process rather than an analyst.

Kaspersky has exceptionally good heuristic detection and most likely will not create a signature or review detections unless somebody complains about an FP.

Edited by rotaru

2 hours ago, rotaru said:

I do not think this is a true statement; see here 2 detections of the same item 6 days apart with the same message ("expert analysis"), yet no signature detection. See same MD5, same reason, but still HEUR.

Upon further reflection, it appears Kaspersky is detecting these via signature; behavior signature, that is. Most likely via YARA rules. I still believe these rules were manually created by K personnel.

Edited by itman

48 minutes ago, itman said:

is detecting these via signature; behavior signature ... via YARA rules

At this moment, you are in uncharted territory and purely speculating...

The detection says "HEUR something", Precision "Partially"... nothing suggests a signature-based detection or a human intervention classifying this as a threat.

19 hours ago, rotaru said:

At this moment, you are in uncharted territory and purely speculating...

Kaspersky's heuristic detections are described here: https://encyclopedia.kaspersky.com/knowledge/heuristic-and-proactive-detections/ :

Quote

The Kaspersky Lab antivirus databases contain an enormous number of heuristics.

In other words, heuristic detections are rule-based. Rules can only be created one way, and that is manually.

Note that Kaspersky's detections via its proactive protection are also covered in the linked article. These detections are given when suspicious malicious behavior is detected for which no heuristic rule exists.

The important point to note is that Kaspersky's heuristic detection processing works in the same way as Eset's comparable heuristic detection does.

Edited by itman

Anyway, it's good to see that products like ESET, Kaspersky, Bitdefender are able to block this attack. I think for all of them it's a previously created detection that worked here also. I tested Bitdefender in a VM on this site and it indeed detects it.

I also tested Avast and Norton, but they aren't able to detect it. Norton has IPS and their browser extension but no HTTPS scanning, so they probably have to find a solution for this via their extension. Detecting threats like this is one of the advantages of HTTPS scanning. Avast would just need to create a signature to detect it, as they have it. ESET in my experience is one of the best, if not the best, at detecting these malicious/suspicious JavaScripts injected on websites.
