sinden0nDream (TS)
Website korlantas.polri.go.id hijacked to spread a trojan virus that can steal data!
Be careful when browsing the Korlantas Polri website. Today, while the author was browsing, the antivirus the author uses gave a warning:

Detected by Kaspersky 6 as a virus:

The requested object is INFECTED with the following viruses: HEUR:Trojan.Script.Generic

To be sure, the author also checked with an online security checker. The result was the same: a trojan was detected. The details of the virus code are also shown and can be seen at the following link:
sucuri Free Website Malware and Security Scanner

Detected as infected with: MW:JS:GEN2?malware.injection.rfcc2. Explanation:
Malware entry: MW:JS:GEN2

Description: Encoded javascript (known to send malware to a site visitor) was detected. They can be in any form, but generally use base64 or some form of encoding to hide its content. Sometimes the content is not encoded, but a simple remote javascript is included to the pages. It is in this remote javascript that the malware is. Affecting: Any web site Malware dump (sample of malware):

Meanwhile, the main website https://polri.go.id/ does not show this. So it seems only the subdomain is infected. The following website shows other subdomains that are affected:
Norton Rating

Said to be infected with:

W32.Ramnit!html

Explanation from Symantec:

Discovered: January 19, 2010
Type: Virus
Infection Length: 10,240 bytes
Systems Affected: Windows

W32.Ramnit is a worm that spreads through removable drives. The worm also functions as a back door allowing a remote attacker to access the compromised computer.

Infection
The threat is distributed through removable drives, infected files on public FTP servers, exploit kits served through malicious advertisements on legitimate websites or social media, and is also bundled with potentially unwanted applications.

Functionality
The primary function of this threat is to steal information from the compromised computer. It does this by downloading various modules that can perform the following tasks:
Steal cookies to hijack online sessions for banking and social media websites. The threat steals cookies from the compromised computer’s browsers, stores them in archive files, and sends them to the C&C server.
Steal login credentials for a large number of FTP clients.
Monitor a victim’s frequently visited websites, including online banking websites. When the threat recognizes that a victim is on a specific site, it will act as a man-in-the-browser (MITB) and inject code into the web page. It will then request that the user submit sensitive information that is not normally submitted to a bank during login. The attacker can then use this information to access the victim’s credit cards and bank accounts.
Give the attacker remote access to the compromised computer.
Steal files from the compromised computer. The threat scans for specific folders or files that may contain login credentials and then archives them, and sends them to the C&C server.
Allow the attacker to remotely connect to the compromised computer and browse the file system through an anonymous FTP server. The FTP server lets the attacker upload, download, and delete files, and execute commands.
The threat will also write a copy of the installer to the computer’s file system and store a copy of itself in memory. This allows the threat to be dropped back onto the file system and executed again if the compromised computer’s antivirus software detects and deletes the threat, or quarantines it.

Geographical distribution
Symantec has observed the following geographic distribution of this threat

It is explained that the virus can also spread from websites. Its main job is to steal information such as passwords, bank PINs and the user's computer activity; it can let an attacker take control of the computer, prevent antivirus software from working, and so on.

The pcrisk scanner results show several files that are affected.

Quttera also shows similar results.

Several other website antivirus scanners found no problem. However, in the author's opinion, the presence of code with strange numbers in the source code of the main page is enough of a warning not to open that website until the virus has been cleaned.

Source: kupasmotor.wordpress.com
Edited by sinden0nDream 22-04-2017 11:22
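As an added example (not from the post or from any of the scanners named above), a small Python triage script that looks for the signs the Sucuri description and the post point to: long comma-separated numeric runs (String.fromCharCode payloads, the "strange numbers"), long base64-looking literals, decode-and-execute pairs such as eval(unescape(...)), and script includes from other hosts. The sample page, the hostname and the thresholds are constructed assumptions; it is a quick check for a site owner, not a replacement for a scanner.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristics for the patterns named in the MW:JS:GEN2 description and the post.
# Thresholds (20 numbers, 120 base64 chars) are assumptions, tune for your site.
CHARCODE_RUN = re.compile(r"(?:\d{1,3}\s*,\s*){20,}\d{1,3}")   # charcode-style number runs
BASE64_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")          # long base64-looking literal
DECODE_EXEC = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\b")


class _ScriptCollector(HTMLParser):
    """Collects inline <script> bodies and the src of external scripts."""

    def __init__(self):
        super().__init__()
        self.inline, self.external = [], []
        self._in_script, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._in_script, self._buf = True, []

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)


def scan_html(html: str, page_host: str) -> list:
    """Return (kind, detail) findings; detail is the inline script index or the src."""
    p = _ScriptCollector()
    p.feed(html)
    findings = []
    for i, body in enumerate(p.inline):
        if CHARCODE_RUN.search(body):
            findings.append(("charcode_run", i))
        if BASE64_BLOB.search(body):
            findings.append(("base64_blob", i))
        funcs = {m.group(1) for m in DECODE_EXEC.finditer(body)}
        if len(funcs) >= 2:          # decode + execute pairing, e.g. eval(fromCharCode(...))
            findings.append(("decode_exec", i))
    for src in p.external:
        host = urlparse(src).netloc
        if host and host != page_host:   # off-host include: review it by hand
            findings.append(("remote_script", src))
    return findings


# Constructed sample page (not the real site): benign script, same-host include,
# one charcode-encoded script and one off-host include.
_PAYLOAD = ",".join(str(ord(c)) for c in 'document.title="hijacked";')  # 26 numbers
SAMPLE_HTML = f"""<html><head>
<script src="/js/app.js"></script>
<script>document.getElementById("x").innerText = "hello";</script>
<script>eval(String.fromCharCode({_PAYLOAD}))</script>
<script src="http://cdn.example.invalid/x.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, "korlantas.polri.go.id"):
        print(kind, detail)
```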