Warning! The ASCnet site maybe infected with a Virus.

[Ben Thoele]

Sophos AV kicks out the following warning when I visit the ASCnet site.

   Virus/spyware 'Troj/Iframe-JG' has been detected at "www.ascnet.org/AM/HierMenu/HM_ScriptDOM.js"
     

[Ben Thoele]

Sophos Labs confirmed that the ASCnet.org is infected with Troj/Iframe-JG.

Aaron over at ASCnet is working with their web hosting provider to get it resolved.  He said he would email me when it's fixed.   I will follow-up when I hear from him.

[Charlie Charbonneau]

Yikes!   Is that the free stoof you get with membership?!

[DebAmstutz]

Here are a couple of questions from someone not well-versed on the topic of virii.

How does a site like that (or any) become infected?

How would it get passed to me if I visit the site?

I delete email when I do not recognize the sender, and as far as I know, I've not had any virii on my workstation.  Seems like everyone else in the office has had to be "disinfected" but not me.

[Jim Jensen]

Deb, lots of websites have malicious software that have become imbedded in them. A lot of sites run small programs (scripts) in order to make them look nice or have certain functionalities. Some use Java, while others use Flash. These scripts run on your computer. This is why you've seen the warnings about issues with Java and that you need to either disable it, or apply a patch (when they are available). If someone infiltrates and website and leaves behind malicious coding, it can run on yours just by going to the website. Email is only one way to obtain a nasty on your computer.

[Ben Thoele]

Here are a couple of questions from someone not well-versed on the topic of virii.

How does a site like that (or any) become infected?

How would it get passed to me if I visit the site?

I delete email when I do not recognize the sender, and as far as I know, I've not had any virii on my workstation.  Seems like everyone else in the office has had to be "disinfected" but not me.

Here is a great You Tube Video I showed our staff to help understand this.
http://www.youtube.com/watch?v=EK6BBYmiVpo&feature=share&list=PL4E9816850A80ED8E

I wouldn't visit ASCnet, for now, unless you are prepared to reload your computer.  And that's the rule of thumb I use for all internet browsing at work.  Is the site "work related" and or, am I willing to deal with the repercussions.  Since there is no 100% safe web surfing I advise users to browse based on a cost/benefit analysis.   Is the site I'm going to worth the potential risk to my work computer.  If a user is infected from a vacation site, then they are in trouble.  If they get a virus from Travelers.com then they are O.K. because that's a cost of doing business.    Hopefully you're not paying to rebuild computers so your employees can plan their vacations at work.

[Marie (Zionkowski) Gozikowski]

Ben - what a great link... thanks for posting it!  I am going to have my users watch them all :-)

[Lynne Desrochers]

Hey, how do we know that link is safe?  : )

[Ben Thoele]

Hey, how do we know that link is safe?  : )

Good Question.  I look at the domain,  in this case It's www.youtube.com which I trust.  If I receive an Insurance Marketing email and the link points to www.hellspawn.com I don't click on it.  If you can't see the link you can "mouse over" or hover over the link to see where it points.  This way you to inspect the link before you click on it.  An email from Travelers.com should include links to www.Travelers.com/whatever not to  www.russianmalwarehost.com/virus or whatever.

Does that help? 

[Marie (Zionkowski) Gozikowski]

I have Youtube blocked at work, but it looks like you can also view these videos directly from Sophos' site:

http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx

[Ben Thoele]

Looks like the Ascnet site is fixed for now.  At least they made a change and when I go there it's doesn't set off our AV. 

Surf at your own risk!

[Bloody Jack Kidd]

It can happen to many sites, although often enough the malicious content is actually served from a site other than the one you are visiting. In this case it could be a few things, like Sophos getting a bit too paranoid, in which case the javascript in question may not be as dangerous as this makes it appear.

Another possibility is that the site has been compromised and malicious code has been planted there.

I would point a finger a snicker, but this can and does happen to even the most well-run and secure sites. In fact, recently Bit9 a company on the bleeding edge of application white listing got hacked and delivery malware out to their own clients.

[Gene Foraker]

I don't know how the message board get a virus, but don't forget that there is a "files" area where you can download files.   There may have been something there.

[Mark]

Interesting.  So, the .js file was probably compromised?  I looked at that file and realized that I don't read JavaScript files, but it looked like it was trying to determine what type of browser you were using.

[Bloody Jack Kidd]

Interesting.  So, the .js file was probably compromised?  I looked at that file and realized that I don't read JavaScript files, but it looked like it was trying to determine what type of browser you were using.

browser / platform id is a very common javascript trick - nothing malicious about that in and of itself - but malicious sites looking to exploit a system will often first determine what you are running and then deliver the appropriate payload.

[Mark]

Right.  I just wgot it a few minutes ago and looked at it just to see what it was.  I assume it's been cleaned/replaced already.

[Bloody Jack Kidd]

I assume it's been cleaned/replaced already.

ah, yeah, that's true...

[Bob]

I noticed last week same thing.  AV stopped it cold but popped up visiting community.    Ironic I just mentioned this possibility but java not java script and if board could infect members.   

[Bloody Jack Kidd]

I am curious if it really was bad js and if so, how did it get there. It opens up some pretty scary scenarios.

[Mark]

I am curious if it really was bad js and if so, how did it get there. It opens up some pretty scary scenarios.

Right.  Was the server compromised and that script edited to obtain malware from somewhere, or what happened?

I know that ASCnet.org uses ColdFusion and there have been exploits for that in the past.  Not familiar with ColdFusion so idk how to tell if it's up to date or not.  Also, the Community and the website are not hosted at the same location.  Socious hosts out of Kansas City and ascnet.org looks to be in Washington DC.

So, www.ascnet.org running ColdFusion does not directly affect community.ascnet.org running Socious.

[Bloody Jack Kidd]

ah, so it was the coldfusion site?

that would not be surprising then - I had looked at that in the past and thought to myself - "oh boy, it's just a matter of time..."

[Mark]

that would not be surprising then - I had looked at that in the past and thought to myself - "oh boy, it's just a matter of time..."

HAHAHAHA.  Yep.

[DebAmstutz]

So it's safe to go to ascnet.org now? 

Also, I received email yesterday from one of the ascnet employees regarding an upcoming chapter meeting.  I have not opened it, having read the warning here first.  Do you think I should ask for the email to be resent or would email from ascnet.org yesterday before the problem was fixed be ok to open?  I know there are attachments but they would be pdf's as they are handouts.

[Mark]

I wouldn't expect the email to be infected if it were me..

[Bob]

Appears to be ok now.  I'm not getting any alerts like I did last Friday.

[DebAmstutz]

I'm getting a "This website has experienced an unexpected error" message just now when I tried to go there.  Perhaps there is a bigger problem?

[Bloody Jack Kidd]

not looking good...

...and the error is leaking info you don't want to be leaked, like file structure and user accounts.

[Mark]

Awesome.

[Ric]

guess it was a good day to be off Monday and have been playing catch up ever since.  Still have not gotten caught up.  is the ASCnet site clean yet?

[Bloody Jack Kidd]

Can't tell if it's clean, apparently it is broken to some degree.

[Mark]

ASCnet site is down.  Aaron says it's "Managed Web" so he has no access.  I'm guessing that means all he can do is submit a ticket and wait?  I hate not having full control over my stuff.

[Ric]

wow. that lacks. Aaron must be pulling his hair out

[Bloody Jack Kidd]

Maybe now is a good time to offer them a deal on hosting.

[Mark]

Maybe now is a good time to offer them a deal on hosting.

Maybe, but I don't know that I'd want to host a ColdFusion site...

[Bloody Jack Kidd]

Maybe, but I don't know that I'd want to host a ColdFusion site...

I could put it in a jail...

[Mark]

Website is back, but this is what I'm getting:

Code Select Expand

Scan type: Auto-Protect Scan
Event: Risk Found!
Security risk detected: IFrame.Exploit
File: C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivo2rvzr.default\Cache\8\0C\D7AE9d01
Location: C:\Documents and Settings\...\Local Settings\Application Data\Mozilla\Firefox\Profiles\ivo2rvzr.default\Cache\8\0C
Computer: ...
User: ...
Action taken: Pending Side Effects Analysis : Access denied
Date found: Wednesday, February 20, 2013  8:40:46 AM

[Jim Jensen]

See - I told you they'd fall apart without me when I let my membership lapse...

[Mark]

Aaron is aware of the iFrame exploit, as we would all expect him to be, and he is on it.

[Mark]

Well, it loads this morning with no warning.