Virus question


Post by ElectroPlasma on Tue Dec 28, 2010 6:30 pm

Hey. I could tell you the whole boring story, but that would be, well, boring, so I'll just ask what I need to know: Are viruses always encoded in the JavaScript of a site? Because we have the JavaScript of a certain site (possibly; again, long story), and I was wondering if that would definitely have to have the virus in it, or if there's any other way the virus could be encoded, because my avast gives me a warning on the site.

This is the site, but I WARN YOU, it's not exactly family material (I didn't see it because avast blocked it, but that's what others said): nobrainer.dk

Thank you!
-ElectroPlasma


Re: Virus question

Post by Goatboy on Tue Dec 28, 2010 6:41 pm

Well, JavaScript isn't usually used to write a virus in the traditional sense. If there is a flaw in your browser, JS might be used to exploit it and deliver the virus, or cause some damage itself. JS can be used normally to redirect you to another page, perform a Tabjacking attack, or do many other ill-intentioned things.

As for the JS being a virus itself, I doubt that's the case.


Re: Virus question

Post by OnlyHuman on Tue Dec 28, 2010 9:04 pm

ElectroPlasma wrote: Are viruses always encoded in the JavaScript of a site?

No, attack sites don't always rely on JavaScript. I've seen a few of them that use Java to issue their payloads, and some of them will just rely on a user's inability to recognize the attack. They might disguise an executable with a different file extension, or maybe exploit the Alternate Data Streams specification with a file download. There are far too many attack vectors to mention.

One avenue that I think might be overlooked is CGI. Example: If you establish a connection to a server, the server loads the default index file, which could be little more than a CGI script to handle writing the contents of the page to the browser, as well as a few other bits of data that get sent back with the header. What gets written to the browser is entirely under the control of the site designer, and barring limits due to the HTTP specification, so are those other bits of data.

Another thing you might want to consider is how those sites get listed as being attack sites in the first place. There is a collection of repositories around the web dedicated to storing lists of domains people have reported as being malicious. A lot of AV testers use these sites to find valid zero-days for testing purposes. But once somebody gets put onto a list like that, it can be damn near impossible for them to be removed, even if it has been proven by security professionals that the site is clean. Which is another reason your shield would issue a warning.


Re: Virus question

Post by msbachman on Tue Dec 28, 2010 10:27 pm

ElectroPlasma wrote: This is the site, but I WARN YOU, it's not exactly family material (I didn't see it because avast blocked it, but that's what others said): nobrainer.dk


I might be missing something but the site is pretty bare.

Here is the JavaScript of the site so you don't have to visit it:

Code:
<script type="text/javascript">

var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-1107199-1']);
_gaq.push(['_trackPageview']);

(function() {
   var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
   ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
   var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();

</script>


I can't see how that could be construed to be malicious. I must be missing something. Or, as OnlyHuman said, it's a false alarm.

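Added example, not part of any post in this thread: a static inventory of what a page makes the browser fetch, covering both the inline loader msbachman quoted and the element-based routes (iframes, applets, external scripts) that a review of the inline script alone would miss. The page URL, the allowlist, and the example.net / example.org elements are constructed assumptions.

```javascript
// Constructed sample page: the analytics loader quoted in the thread plus
// two made-up elements (example.net / example.org hosts) for illustration.
const SAMPLE_HTML = `
<script type="text/javascript">
var _gaq = _gaq || [];
(function() {
  var ga = document.createElement('script'); ga.async = true;
  ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
})();
</script>
<iframe src="http://ads.example.net/frame.html" width="1" height="1"></iframe>
<applet code="Viewer.class" archive="http://files.example.org/viewer.jar"></applet>
<script src="/js/site.js"></script>`;

// Tag -> attribute naming the resource the browser will fetch for it.
const FETCH_ATTRS = { script: 'src', iframe: 'src', embed: 'src', object: 'data', applet: 'archive' };
const hostOf = (ref, base) => {
  try { return new URL(ref, base).hostname; } catch { return '(unparseable)'; }
};

function inventoryActiveContent(html, pageUrl) {
  const pageHost = new URL(pageUrl).hostname;
  const found = [];
  // 1. Elements that pull in script or plugin content through an attribute.
  for (const [, tag, attrs] of html.matchAll(/<(script|iframe|embed|object|applet)\b([^>]*)>/gi)) {
    const attr = FETCH_ATTRS[tag.toLowerCase()];
    const m = new RegExp(`\\b${attr}\\s*=\\s*["']([^"']+)["']`, 'i').exec(attrs);
    if (m) found.push({ via: `<${tag.toLowerCase()} ${attr}>`, host: hostOf(m[1], pageUrl) });
  }
  // 2. Inline scripts often assemble the URL at run time, so look for a
  //    host-like fragment followed by a path inside each string literal.
  for (const [, body] of html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)) {
    for (const [, , lit] of body.matchAll(/(['"])([^'"\n]*)\1/g)) {
      const m = /((?:[a-z0-9-]+\.)+[a-z]{2,})\//i.exec(lit);
      if (m) found.push({ via: 'inline script literal', host: m[1].toLowerCase() });
    }
  }
  return found.map(f => ({ ...f, external: f.host !== pageHost }));
}

// Hosts the page reaches that are neither the page itself nor expected.
function unexpectedHosts(html, pageUrl, allowedHosts) {
  const hits = inventoryActiveContent(html, pageUrl)
    .filter(f => f.external && !allowedHosts.includes(f.host));
  return [...new Set(hits.map(f => f.host))];
}

// Assumed page URL and allowlist for the sample.
console.log(unexpectedHosts(SAMPLE_HTML, 'http://site.example/', ['google-analytics.com']));
```

The regex matching is a triage heuristic: it does not execute the page, so anything a script builds without a host-and-path string literal, or that the server varies per request, will not show up in the inventory.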

Re: Virus question

Post by ElectroPlasma on Thu Dec 30, 2010 12:12 pm

It could be a false alarm I guess, but didn't we just get done saying that the virus wouldn't necessarily have to be there in the JavaScript? Forgive me, I'm confused now - I'm not good at this, lol. *apologetic face*

-ElectroPlasma


Re: Virus question

Post by Fatal Intuiti0n on Sun Jan 23, 2011 12:01 pm

It's called a Java drive-by, and it's why you should never surf the net as admin. You can put executables in the Java and have people instantly download the payload without needing to execute anything.

But as Goatboy said, the Java itself is not the virus; it is used to deliver the payload to your machine, though.


Re: Virus question

Post by fabianhjr on Sun Jan 23, 2011 2:11 pm

Java isn't virii. Virii could be written in Java.

There is also a HUGE DIFFERENCE between JavaScript and Java.


Re: Virus question

Post by tremor77 on Tue Jan 25, 2011 12:20 pm

There Are Many Web Based Malware Delivery Methods... most of which can be thwarted using browser based security options. (you know, the low, medium, high settings)

Java Applets
Malicious Javascript
CGI Scripts
PHP / AJAX Methods
Flash / ActionScript

However regarding the initial concept.. Javascript is a powerful language and could be used to write a virus. Some of the recent social networking virus/malware code heavily rely on Javascript.. I found this interesting.

http://davezor.posterous.com/reverse-engineering-the-newest-facebook-invit

Most of the stuff done with JavaScript tends to rely on the end-user being dumb as shit... but the potential exists.

Beware as Facebook is quickly becoming a front line of delivery for malicious softwares.. and with the advent of all these social networking tie-ins including mobile devices, facebook's lack of care for your privacy, widgets, and browsers built specifically for social media.... well, now more than ever you need to watch your ass.. Keep your protection settings high, elevate all your privacy settings.. etc. etc. I've posted a dozen times before along with everyone else so go find that thread.


Re: Virus question

Post by fabianhjr on Tue Jan 25, 2011 1:10 pm

As a matter of fact I recall about 2 years ago reading about a worm which was pure JavaScript and replicated with XSS exploits. I believe it attacked a social network, maybe MySpace.

/me starts searching through his bookmarks.


Re: Virus question

Post by tucak on Wed Jan 26, 2011 10:45 am

fabianhjr wrote: As a matter of fact I recall about 2 years ago reading about a worm which was pure JavaScript and replicated with XSS exploits. I believe it attacked a social network, maybe MySpace.

/me starts searching through his bookmarks.

This?

