Infected web page detected : GT:JS.Backdoor.2.D0DE3B58

DIVERSE · 2023-05-09T13:03:42+00:00

There was an error rendering this rich post.

DIVERSE

Hi. I'm consistently getting a notification from BIS about the samples at

[*url removed by @Flexx*]

under the heading "Learning centre" (click "Explore!").

Infected web page detected

3 minutes ago

Feature:

Online Threat Prevention

We blocked this dangerous page for your protection:

[*url removed by @Flexx*]

Threat name: GT:JS.Backdoor.2.D0DE3B58

Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.

Is this a real threat? I can understand the idea that maybe it's trying to do something to the browser that I might not prefer, but the "backdoor" naming of the threat makes it look more like a deliberate exploitation attempt to me. But if this is a legitimate site, then it can only be either a false positive or else they got hacked?

—DIVERSE

Find more posts tagged with

blocked website

threat

backdoor

Comments

Gjoksi

Hello.

Only the malware researchers at Bitdefender Labs can help you with the issue.

You should report the file(s) and/or the URL(s) as false positive to Bitdefender Labs here:

https://www.bitdefender.com/consumer/support/answer/29358/

Regards.

DIVERSE

Hi, Gjoksi.

Thanks for the tip.

Sorry if this is a naïve question, but how would I know if it's actually a false positive before I report it as a false positive?

Or do you think that my logic is good enough that because the website looks legitimate, then prima facie it may be a FP, so that's a reasonable basis to report it?

—DIVERSE

Gjoksi

Hello again.

When visiting the site, this i what i get:

I'm not an IT expert, but i'm damn sure the site was hacked and is malicious.

If i were you, i would not visit it until the site is cleaned.

And that is the reason why i wrote: Only the malware researchers at Bitdefender Labs can help you in my comment above.

Regards.

Flexx

https://community.bitdefender.com/en/discussion/95912/infected-web-page-detected-gt-js-backdoor-2-d0de3b58

The detection is correct. It is trojan downloader based on javascript.

https://www.virustotal.com/gui/file/7f0ad92f446015f10e1a0ce3c483b6c9e4599a7acef7aa4f9350507f2db8826e?nocache=1

Regards

Alexandru_BD

Flexx

https://community.bitdefender.com/en/discussion/comment/324442#Comment_324442

@Gjoksi, In these scenario, you just copy all the text as it is and paste it in a notepad and then scan the notepad file on virustotal to check for anything malicious as I did above to get the virustotal link.

Regards

DIVERSE

Hi, all.

@Gjoksi, I may be less of an IT security expert than you, but I didn't notice suspicious elements of the Javascipt code you posted. Maybe I just overlooked it, or maybe it was further down (past what the screenshot showed).

@Flexx, that's a neat trick.

Indeed, when you posted that file, nine out of 59 vendors' tools reported a threat; eight (including Bitdefender) specifically reported GT:JS.Backdoor.2.D0DE3B58 at that time — eleven months ago.

On the other hand, that means that fifty of the 59 vendors tools didn't report a threat at that time (although several were unable to perform any analysis).

An added benefit of your technique is that even if the website changes, the skript file is 'archived' at VirusTotal. When the analysis at VirusTotal is rerun with the same Javascript skript that was uploaded by you 11 months ago, now zero out of 62 vendors' tools report a threat (although fourteen were unable to perform any analysis). Note specifically that Bitdefender no longer rates that same skript file as a threat.

Based on that updated information (i.e., with the benefit of hindsight), I'm inclined to think that actually the site hadn't been hacked, and those nine detections (including by Bitdefender) were false positives.

Perhaps the authors of the Javascript skript had indeed included some elements where something would be downloaded and/or run on the user's local computer, which (I speculate) although legitimate might possibly have been implemented in a (clumsy?) way that made it seem like it could have ben a trojan.

Flexx

https://community.bitdefender.com/en/discussion/comment/338421#Comment_338421

The vendor with the same detection as Bitdefender utilizes Bitdefender's signature-based engine as their third-party engine, and I guess the file may have been a possible false positive, which is why the detection was removed.

Regards