Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Avast! Question WRT Firefox and NoScript


  • Please log in to reply
4 replies to this topic

#1 Capn Easy

Capn Easy

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:09:47 PM

Posted 13 April 2009 - 02:58 AM

Hi. I had a very bad experience with a virus attack last December -- thanks to all who helped! -- so I've tried to "armor up" my computer and browser. I just had my first brush with malware since then. I'm pretty sure I'm okay, but I'm intrigued by what was found and how it was found.


I'm running Windows XP Home SP3 on an IBM ThinkCentre 8195-26U. While cruising the internet earlier in search of pictures of zebras (pretty innocent, I thought) I clicked on an image in a Google image search and Avast! 4.8 Home Edition popped up a warning that a virus had been found, offered me the opportunity to abort the connection, and looks like it quarantined something. The file it apparently found was identified as "JS:ScriptIP-inf[TRJ]."

I'm not very well versed at this, but it looks like a Javascript file (?).

I disconnected from the internet and did a full scan with MBAM just to double check, and all appears normal.

Here's my question -- I'm using Firefox 3.0.8 with NoScript and Cookie Whitelist addons, among others. If this was, in fact, a Javascript trojan, should NoScript have caught it before it even got to Avast? Are there any other addons for Firefox that might be helpful in protecting my computer?

Can anyone provide any additional info on what Avast! caught? I'm trying to learn more so I can take a more effective part in keeping myself safe.

Thanks.

Edited by Capn Easy, 13 April 2009 - 03:00 AM.


BC AdBot (Login to Remove)

 


#2 Eric RBA

Eric RBA

  • Members
  • 252 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:State College, PA
  • Local time:08:47 PM

Posted 13 April 2009 - 01:53 PM

Hey Capn,

I think I've come across this before. Was it possible that the picture that you came across was actually a .pdf file? I know there was a recent security vulnerability with javascript within Adobe reader, which was found and patched (through updates to Adobe Reader) so I wonder if you may have had an issue related to that? Just a thought.

I also use NoScript because it serves as a means to identify where malicious scripts would potentially come from if you were to unblock or allow them to run. Did you opt to allow any scripts to run when searching around for pictures? If so, from what site?

Edited by Eric RBA, 13 April 2009 - 02:01 PM.

I would never ask a person to do something that I wouldn't do myself.

#3 Capn Easy

Capn Easy
  • Topic Starter

  • Members
  • 597 posts
  • OFFLINE
  •  
  • Location:New Jersey
  • Local time:09:47 PM

Posted 13 April 2009 - 03:54 PM

Hi, Eric -- thanks for the reply.

Did you opt to allow any scripts to run when searching around for pictures? If so, from what site?


Not a chance! I don't even allow Bleepingcomputer to run scripts until after I'm here and I log in -- then I manually allow them. In the words of the immortal Doctor Johnny Fever, "When everyone is out to get you, paranoia is just good thinking!"

I realize that I should have kept my head and taken notes on the site, the nature of the alert, etc., but as I said this was my first brush with malware since a very bad experience and I was concentrating on reading the alert and following the instructions to get out safely.

Over on the Avast! forum someone suggested that the WebShield may have blocked something, but in that case I shouldn't have anything on my computer. But ... I definitely do have something in quarantine. The time stamp matches the alert (and it's the only one since last December). It shows as a "JS:ScriptIP-inf[trj]" with the name "D7DA14BCd01" and the size is 16892.

I've updated MBAM and run a couple full scans, and also run a couple scans with Avast! -- they're coming up clean, so whatever it was seems to have been caught.

Mostly, I'm trying to learn.

#4 DaChew

DaChew

    Visiting Alien


  • BC Advisor
  • 10,317 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:millenium falcon and rockytop
  • Local time:09:47 PM

Posted 13 April 2009 - 04:20 PM

I use FF w/noscript for surfing to unknown websites, about a year ago I had one bad file show up in a MBAM scan in my cache.

When I asked about it over at the MBAM forum they said it was probably embedded in a web page and my temp cache held a copy, that did not mean I was infected as it may have required some vulnerability to execute.
Chewy

No. Try not. Do... or do not. There is no try.

#5 Romeo29

Romeo29

    Learning To Bleep


  • BC Advisor
  • 3,194 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:127.0.0.1
  • Local time:08:47 PM

Posted 13 April 2009 - 09:23 PM

Some websites use <img> tag but link a malicious javascript (.js) file. Most probably XSS attack.

Edited by Romeo29, 13 April 2009 - 09:35 PM.





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users