Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[danddwah]

Whilst clicking just now on Polar Bear Clicks Deb has come across a fusionmails/pages/ptp.php ad which avast has identified as containing the JS:lllredir-L [Trj] Trojan Horse from http:// www .killer-six-pack-abs .com

It appears to be in the ptp rotator, not a 3rd party ad.
Dave

[Craig]

Thanks for the heads up 

[anyyan]

I've noticed it in abuse report center. But i use Karspersky and it doesn't detect anything. Anyone else? More input would be appreciated.

[tulp]

I just got this page in rotation ... Fusionmails upgraded PTP page ...

File name: http://www. killer- six- pack- abs.com/
Malware-name: JS:Illredir-L [Trj]
Malware-type: Trojan Horse
VPS version: 100214-0, 14-02-2010

it alarmed my Avast ...

[tulp]

There are more websites infected by this Trojan family ... it are all ill redirects in JavaScript that makes it very easy for hackers to put their own code on the website.

12.2.2010 - 100212-0

JS:Downloader-LT [Trj], JS:Illredir-L [Trj], JS:MalHead-CX [Trj], PHP:Redirector-Q [Trj], Win32:Agent-AJDH [Trj], Win32:Agent-AJDI [Trj], Win32:Agent-AJDJ [Trj], Win32:AutoRun-BFH [Trj], Win32:Bancos-BLH [Trj], Win32:Banker-GLP [Trj],

it is added to the Avast Database the 12th of this month.

[wagdoll]

Edited

[tulp]

I found an informative blog written by a website builder... that had the older version of this Trojan on the websites she built. (-B version) http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/

[wagdoll]

Edited

[tulp]

I found an informative blog written by a website builder... that had the older version of this Trojan on the websites she built. (-B version) http://www.zyenweb.com/2009/12/30/trojan-attack-jsillredir-b-trj/

The code she's showed on there is very similar or identical to what was on the killer abs site under the closing tag. It's important to look for things like that even if your particular AV doesn't give any alert.

I would go so far as to say it's rarely a good idea for any site to accept a page that contains any obfuscated or encrypted javascripts because 1) you don't know what they're hiding; 2) they are likely to be used to cover up malicious codes, whether that is autosearches or trojans.  One of the injection trojans a few months ago even masqueraded as a yahoo tracking code just because that was an easy way to slip the obfuscated code right past the website owner's eyes  - the lesson there I feel is to be suspicious of anything that you can't see what it's doing, be it an iframe or an obfuscated javascript.

As it is a trojan... it can even be that the code wasn't there when a PO accepted the page... if another web site hosted on the same server had the code, it can infect all other websites on that server!

In an ideal world ... a PO should, when a trojan like this is reported... immediately take action and stop the advertising! Then inform the hosting company ... and that hosting company should inform all other website owners hosted on the same server to check their websites and give them instructions how to remove this code if it is on their website too....

In real world ... it takes a real long time before action is taken ... giving the trojan opportunity to spread itself further and further ... Hosting companies don't have a clue ... and even if they have they are afraid to be blamed!

[soph142]

On my browser
I have both
Enable Java Script
and
Enable Java
allowed
From memory, I only need 1 ticked (don't use Java at all)
So I am going to disable
Enable Java
Is this the right thing to do?

soph 

[tulp]

I think you mean that you don't need Javascript... but with disabling that you cannot see turing numbers, fill in lots of forms and many more things... so that is not the solution... So most programs where you are a member will need Javascript enabled on your computer... Next to that Javascript is used for a lot of ads on the sites.... so without Javascript PO's won't earn money and that is what they need in order to be able to pay you.

[wagdoll]

Edited

[tulp]

If you use CCleaner after every surf session ... it will remove all temporary files of Java ... that is where all Java viruses (if not detected by an updated virusscanner) will be stored.

With Firefox ... the addon NoScript is needed for save surfing ... you can then choose what site is allowed to use JavaScript and/or Java 

[iamannoyed]

was just coming to report this....a day late and a dollar short.  oh well

[tulp]

I've noticed it in abuse report center. But i use Karspersky and it doesn't detect anything. Anyone else? More input would be appreciated.

Wow...it is 18th already.... And this page is still around??? What input does Anyyan need? ...