Infected web page detected : GT:JS.Backdoor.2.D0DE3B58

Hi. I'm consistently getting a notification from BIS about the samples at

[*url removed by @Flexx*]

under the heading "Learning centre" (click "Explore!").


Infected web page detected

3 minutes ago

Feature:

Online Threat Prevention

We blocked this dangerous page for your protection:

[*url removed by @Flexx*]

Threat name: GT:JS.Backdoor.2.D0DE3B58

Dangerous pages attempt to install software that can harm the device, gather personal information or operate without your consent.


Is this a real threat? I can understand the idea that maybe it's trying to do something to the browser that I might not prefer, but the "backdoor" naming of the threat makes it look more like a deliberate exploitation attempt to me. But if this is a legitimate site, then it can only be either a false positive or else they got hacked?


—DIVERSE

Comments

  • Gjoksi
    Gjoksi Defender of the month mod

    Hello.

    Only the malware researchers at Bitdefender Labs can help you with the issue.

    You should report the file(s) and/or the URL(s) as false positive to Bitdefender Labs here:

    Regards.

  • DIVERSE
    DIVERSE ✭✭✭
    edited May 2023

    Hi, Gjoksi.

    Thanks for the tip.

    Sorry if this is a naïve question, but how would I know if it's actually a false positive before I report it as a false positive?

    Or do you think that my logic is good enough that because the website looks legitimate, then prima facie it may be a FP, so that's a reasonable basis to report it?

    —DIVERSE

  • Gjoksi
    Gjoksi Defender of the month mod

    Hello again.

    When visiting the site, this is what I get:

    I'm not an IT expert, but I'm damn sure the site was hacked and is malicious.

    If I were you, I would not visit it until the site is cleaned.

    And that is the reason why I wrote "Only the malware researchers at Bitdefender Labs can help you" in my comment above.

    Regards.

  • Life happens, Coffee helps!

    Show your Attitude, when you reach that Altitude!

    Bitdefender Ultimate Security Plus (user)

  • Premium Security & Bitdefender Endpoint Security Tools user

  • Flexx
    Flexx mod
    edited May 2023

    @Gjoksi, in this scenario, you just copy all the text as it is and paste it in a Notepad file, and then scan the Notepad file on VirusTotal to check for anything malicious, as I did above to get the VirusTotal link.

    Regards


  • DIVERSE
    DIVERSE ✭✭✭
    edited April 30

    Hi, all.

    @Gjoksi, I may be less of an IT security expert than you, but I didn't notice suspicious elements in the JavaScript code you posted. Maybe I just overlooked it, or maybe it was further down (past what the screenshot showed).

    @Flexx, that's a neat trick.

    Indeed, when you posted that file, nine out of 59 vendors' tools reported a threat; eight (including Bitdefender) specifically reported GT:JS.Backdoor.2.D0DE3B58 at that time — eleven months ago.

    On the other hand, that means that fifty of the 59 vendors' tools didn't report a threat at that time (although several were unable to perform any analysis).

    An added benefit of your technique is that even if the website changes, the script file is 'archived' at VirusTotal. When the analysis at VirusTotal is rerun with the same JavaScript script that was uploaded by you 11 months ago, now zero out of 62 vendors' tools report a threat (although fourteen were unable to perform any analysis). Note specifically that Bitdefender no longer rates that same script file as a threat.

    Based on that updated information (i.e., with the benefit of hindsight), I'm inclined to think that actually the site hadn't been hacked, and those nine detections (including by Bitdefender) were false positives.

    Perhaps the authors of the JavaScript script had indeed included some elements where something would be downloaded and/or run on the user's local computer, which (I speculate), although legitimate, might possibly have been implemented in a (clumsy?) way that made it seem like it could have been a trojan.

  • The vendor with the same detection as Bitdefender utilizes Bitdefender's signature-based engine as their third-party engine, and I guess the file may have been a possible false positive, which is why the detection was removed.

    Regards
