Kaspersky
Solved

JavaScript from RAE (Royal Spanish Academy) site reported as trojan


Userlevel 1
While looking for word meanings in this official Spanish site (https://dle.rae.es), Kaspersky reported a trojan in this file:

https://dle.rae.es/js/init.js

Not loading this apparently breaks the whole site styling.

Kaspersky reports this as "HEUR:Trojan.Script.Miner.gen". However, if I download this file and scan it, nothing is found. I then uploaded it to Virus Total and only 2 out of 57 engines detected a virus. Kaspersky did not either.

I just tried increasing the heuristic level to the maximum, and only then did Kaspersky detect this supposed trojan again in the downloaded file.

Is this a false positive?

Best answer by harlan4096 25 April 2019, 12:24

Yes! I also got the final verdict from KLVirusDesk; anyway, I answered asking them whether it was a false positive:
Hello,

The specified URL was added to our blacklist.
Thank you for your help.

Best regards,

15 replies

Userlevel 5
Badge
Hi AndrewL, I submitted this URL for analysis at https://virusdesk.kaspersky.com/. Let's see what our VirusLab folks come up with.
Userlevel 6
Badge +3
I can confirm the issue here with KTS2020RC, but KLVD flags it as clean...
Userlevel 5
Badge
We got a confirmation this is a true detect. Not a false positive.
Userlevel 1
Wow, thank you! I was going to send an email to that web site, as maybe they have been hacked, or some employee added this mining script, but I noticed that the file has been changed. Now it is no longer detected by Kaspersky. In Virus Total only one engine (Antiy-AVL) detects it.

Could you confirm the new version is safe, and not simply a more obscure script?
Userlevel 6
Badge +3
Yes, now it is not detected; I don't know if the script has changed... I will wait a bit and check whether it is still detected after Kaspersky adds signatures...

Update: I've sent the current script site file and KLVirusDesk automatic scan is already detecting it:
Thank you for contacting Kaspersky Lab

The files have been scanned in automatic mode.

Malicious code detected by Kaspersky Lab products (which include the Mail Anti-Virus component) has been found in files:

init.js - HEUR:Trojan.Script.Miner.gen
We will thoroughly analyze the files you sent. If the result of the analysis is different from this automatic scan result, you will be notified via email.

This is an automatically generated message. Please do not reply to it.

Anti-Virus Lab, Kaspersky Lab HQ


Userlevel 6
Badge +3
Update: I got during last night some extra info from Kaspersky VirusDesk analysts:
Hello,

This file is already detected by the Mail AV component of our product: HEUR:Trojan.Script.Miner.gen
However, additional signature detection was added: Trojan.Script.Miner.d
Its detection will be included in the next update.
Thank you for your help.

Best regards,
Userlevel 6
Badge +3
Well, this is the last message I've just gotten from KLVirusDesk; it seems the RAE server is clean now, so the URL will be removed from detections:

Hello,

All malicious content was deleted from dle.rae[.]es. The URL was removed from the blacklist. It will be fixed in the next update. Thank you for your help.

Best regards,
Userlevel 1
Thanks a lot for all your follow-ups, harlan.

I've checked the web site and indeed the init.js file is now just 5k instead of 669kb (as the second version we have seen); all its obscured JavaScript code is gone.

Is this blacklisting they mention simply URL-based? Because I have downloaded the previous malicious .js file and my updated KIS still does not detect it, even with the deep heuristics settings. Not that it matters much now, but I was just wondering why it doesn't.

Also KSN and Kaspersky Application Advisor say nothing about it. Again, this exact file will probably be never seen again, but the obfuscated code may appear somewhere else in the future.
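The thread above tracks the script by eye: the file grew from about 407 KB to 669 KB and then shrank to 5 KB once the injected code was removed, and the hash shown in the Kaspersky whitelisting link is what a file-reputation lookup keys on. The following is an added example, not code from the thread or from Kaspersky, that turns that manual comparison into a small baseline check: it records size, MD5 (for reputation lookups) and SHA-256 of a script and flags a later copy whose hash changed, whose size jumped, or whose byte entropy is in the range typical of packed or obfuscated JavaScript. The two sample scripts and the thresholds are constructed for illustration, not taken from the RAE file.

```python
"""Baseline a site's JavaScript and flag suspicious changes.

Added example; the sample scripts below are constructed, not the real
init.js from the thread.  The thresholds (size ratio, entropy) are
assumptions chosen for the sample data, not vendor signatures.
"""
import hashlib
import math
import random
from collections import Counter


def md5_hex(data: bytes) -> str:
    """MD5 of the script body (what file-reputation lookups commonly key on)."""
    return hashlib.md5(data).hexdigest()


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the script body, used as the integrity baseline."""
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits per byte.  Plain source code sits well under 5; dense
    base64-like or packed payloads approach 6 or more."""
    if not data:
        return 0.0
    counts = Counter(data)
    total = len(data)
    return -sum((c / total) * math.log2(c / total) for c in counts.values())


def summarize(data: bytes) -> dict:
    """Everything worth storing about one observed copy of the script."""
    return {
        "size": len(data),
        "md5": md5_hex(data),
        "sha256": sha256_hex(data),
        "entropy": round(shannon_entropy(data), 3),
    }


def compare(baseline: dict, current: dict,
            size_ratio: float = 2.0, entropy_threshold: float = 5.0) -> dict:
    """Flags a new copy against the stored baseline.

    hash_changed: any byte changed (legitimate deploys will trip this too,
                  so it is a prompt to look, not a verdict).
    size_grew:    the file grew by more than `size_ratio` times, the kind of
                  jump the thread saw when an injected blob was appended.
    high_entropy: the body looks packed/obfuscated rather than hand-written.
    """
    return {
        "hash_changed": baseline["sha256"] != current["sha256"],
        "size_grew": current["size"] > baseline["size"] * size_ratio,
        "high_entropy": current["entropy"] > entropy_threshold,
    }


# Constructed sample: a small, readable init script (the "clean" version).
CLEAN_JS = b"function init(){document.body.classList.add('ready');}\n" * 50

# Constructed sample: the same script with a large, dense base64-looking
# blob appended, standing in for an injected obfuscated payload.
_alphabet = b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
_rng = random.Random(1)  # fixed seed so the example is reproducible
INJECTED_JS = CLEAN_JS + bytes(_rng.choices(_alphabet, k=20000))


def check_samples() -> dict:
    """Run the comparison on the constructed samples and return the flags."""
    baseline = summarize(CLEAN_JS)
    current = summarize(INJECTED_JS)
    return compare(baseline, current)


if __name__ == "__main__":
    print("baseline:", summarize(CLEAN_JS))
    print("current: ", summarize(INJECTED_JS))
    print("flags:   ", check_samples())
```

In practice the baseline dictionary would be written to disk after a known-good deploy and the check run on each fetched copy; a hash change alone is normal after a release, so the size and entropy flags are what separate "the developers shipped an update" from "something large and unreadable was appended". The MD5 is kept only because reputation portals, like the whitelisting link in the thread, tend to accept it; SHA-256 is the value to actually compare.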
Userlevel 6
Badge +3
Hum... that's weird. I still had a copy of the malicious script I sent, and my KTS2020RC still detects it, even KSN, but not URL Advisor...


https://whitelisting.kaspersky.com/advisor?lang=en-US#search/0x5EE5531EAC53A7FDD0F2EB62346875D2
Userlevel 1
It seems you are talking about the first version, which was 407.13 KB and was detected with deep heuristics. I'm referring to the second version, the 669 KB one that we discussed since this reply I made, where I wondered if it was a "more obscure script", which it seems it was in the end.
Userlevel 6
Badge +3
Hum I guess I don't have that second version 🤔
Userlevel 1
Oh, I thought the following messages from KLVirusDesk after that message of mine were for the second version.

I've uploaded the file to Dropbox.

https://www.dropbox.com/s/h4rxfil4zcha5i7/initjs-virus.zip?dl=0

If you don't have an account, you have to click on the "no" at the bottom of the popup, and then on Download / Direct download, on the top right corner.
Userlevel 6
Badge +3
Thanks! sent to KLVD!
Userlevel 6
Badge +3
Update: That second version of the script is also now detected 🙂
