JS/Downloader-AUF

Type: Trojan
SubType: JavaScript
Discovery Date: 05/06/2008
Length:
Minimum DAT: 5312 (06/06/2008)
Updated DAT: 5312 (06/06/2008)
Minimum Engine: 5.1.00
Description Added: 06/06/2008
Description Modified: 06/11/2008 7:01 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

JS/Downloader-AUF is a detection for malicious code written in JavaScript. The JavaScript embedded on the compromised websites creates a hidden frame on the infected page. The malicious JavaScript tests the browser for geolocation, sets a "cookie" on the infected machine to prevent repeat infections, and attempts to redirect the user to further compromised domains as well as loading the iframe.

The domains that the malicious script redirects users to are changed often by the malware authors, so it is not possible to guarantee which website and/or port is being communicated with; this depends on the variant of JS/Downloader-AUF detected.

As the websites contacted are normally controlled by the malware author, any files/exploits being downloaded/run can be remotely modified and the behaviour of these new binaries or scripts can be altered, possibly with every user infection.

Symptoms

Upon execution, the trojan attempts to load an Iframe and also tries to contact a remote website.

Various exploits have been confirmed to be hosted on the pages resulting from the iframes and the domains embedded on the compromised site.  The specific payload may vary as it is updated frequently by the authors.

Method of Infection

This threat could be delivered via an infectious web page or an email message. Websites are generally infected as part of a SQL injection attack.
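For site owners checking whether their own pages or database-stored HTML carry this kind of injection, the following added example (not part of the vendor write-up) flags script tags loaded from another host and hidden iframes. The host names, the sample markup and the hiding heuristics are constructed assumptions of the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles that hide an element (heuristic list assumed for this example).
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def is_offsite(url, site_host):
    """True when url names a host other than site_host or one of its subdomains."""
    host = urlparse(url.strip()).hostname
    if host is None:  # relative URL, served by the site itself
        return False
    return host != site_host.lower() and not host.endswith("." + site_host.lower())

def is_hidden(attrs):
    # Hidden by style, or by a width/height of 0 or 1 pixel.
    if HIDDEN_STYLE.search(attrs.get("style") or ""):
        return True
    return any((attrs.get(k) or "").strip().rstrip("px") in ("0", "1")
               for k in ("width", "height"))

class InjectionScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script" and is_offsite(src, self.site_host):
            self.findings.append(("offsite-script", src))
        elif tag == "iframe" and is_hidden(a):
            kind = "hidden-offsite-iframe" if is_offsite(src, self.site_host) else "hidden-iframe"
            self.findings.append((kind, src))

def scan(html, site_host):
    parser = InjectionScanner(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: a page from shop.example.com with two injected elements.
SAMPLE = """<h1>Product catalogue</h1>
<script src="/static/site.js"></script>
<p>Blue widget<script src="http://cdn.injected.example.net/b.js"></script></p>
<iframe src="http://frames.injected.example.net/in.htm" width="0" height="0"></iframe>
<iframe src="/help/embed.html" width="600" height="400"></iframe>"""

if __name__ == "__main__":
    print(scan(SAMPLE, "shop.example.com"))
```

Third-party hosts the site uses on purpose will also be reported, so review findings against the list of hosts the site is expected to load from.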

Removal

Use the latest Engine/DATs.

Variants

    N/A

Overview

JS/Downloader-AUF is a detection for malicious iframes embedded on legitimate websites as well as purposely designed malicious websites.

 
