Author Topic: Web Shield questions  (Read 5844 times)


Peon

  • Guest
Web Shield questions
« on: January 19, 2012, 04:56:41 AM »
While I was researching Javascript malware, Avast Web Shield blocked several sites:

1) hxxp://video-reward-center.com/?sov=24320&id=a11-cGiveaways1
Threat: HTML:Script-inf

I'm guessing this was some sort of banner ad or something (Adblock Plus would've blocked it in any case). At any rate, this is the most suspicious of the bunch, but VirusTotal shows that the URL is clean.

2) hxxp://www.schillmania.com/content/entries/2009/javascript-malware-obfuscation-analysis/|>{gzip}
Threat: JS:Obfuscated-AR [Trj]

Again, VirusTotal has no problems with the URL.

3) hxxp://stackoverflow.com/questions/3288049/javascript-trojan-dissection|>{gzip}
Threat: js:Illredir-CJ [Trj]

Given how much I rely on Stack Overflow for programming questions, if it was infected, I'd be getting malware every day... Naturally, VirusTotal shows this URL is clean as well.

As a final precaution, I've run full scans of both Avast and MBAM, neither of which found anything.

Am I seeing false positives? Or is there some other malware on my machine that's interfering with my web browsing and causing Avast to react indirectly? Or is it something else altogether?
« Last Edit: January 19, 2012, 05:01:12 AM by Peon »

Gargamel360

  • Guest
Re: Web Shield questions
« Reply #1 on: January 19, 2012, 06:13:37 AM »
If you frequent places where any malcode might be posted (even in an inert, harmless form) the Avast! Web Shield very well might interpret the text as malicious and give an alert.

The VirusTotal URL scanner does not accurately replicate the scanning of Avast!'s Web Shield, it just checks the URL against blacklist databases... Sucuri is more reliable for that: http://sitecheck.sucuri.net/scanner/

Peon

  • Guest
Re: Web Shield questions
« Reply #2 on: January 19, 2012, 06:41:34 AM »
Just ran the URLs through Sucuri:

The first URL in its full form gave me an invalid website error. However, the root domain (hxxp://video-reward-center.com) turned up as a clean site.

The second URL turned up as a clean site as well.

The third URL turned up a malware warning (http://sucuri.net/malware/entry/MW:JS:150).

Any guidance would be greatly appreciated :)

Gargamel360

  • Guest
Re: Web Shield questions
« Reply #3 on: January 19, 2012, 07:00:43 AM »
Any guidance would be greatly appreciated :)
Oh, I'm more like the resident "guy on the street corner, giving directions".  I can cover the basics, and know enough to point you in the right direction, but de-obfuscating malicious code in a site is well beyond my range. ;)

There are others around here who dabble in such things, though.  Check back, and one of them might be able to shed more light on this.

As I said before, though, the Avast! Web Shield gets pretty hyperactive around posted code, especially Javascript/Iframe detection....so there is a chance one of these is false or more, due to the nature of what you were looking up....but for now, trust the Web Shield till you get some feedback from someone who can "read between the lines", so to speak.

Offline Pondus

  • Probably Bot
  • Posts: 37532
  • Not an avast user
Re: Web Shield questions
« Reply #4 on: January 19, 2012, 10:36:22 AM »
Quote
The VirusTotal URL scanner does not accurately replicate the scanning of Avast!'s Web Shield, it just checks the URL against blacklist databases...
unless you download and scan the HTML... the old one did that automatically

nothing on the first URL
Second only detected by avast
https://www.virustotal.com/file/77aaeb124df45a2f70d4929bcc07672d1fa3d965b06390e5b29af9e5cb60fe77/analysis/1326965171/

third avast and AVG
https://www.virustotal.com/file/cbf6415ef3b671e51e931ad37ae6387ad2ec443a6a32e20230721c888471f835/analysis/1326965309/

no surprise since the code is posted openly at stackoverflow

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: Web Shield questions
« Reply #5 on: January 19, 2012, 04:59:56 PM »
Viewed via -http://www.tooto.com/url/
The following would at once explain some issues,
checking the links I stumbled on attack code -> www dot schillmania etc gives a 253A%252F encoded URL to alert my malware script detector.. malware control analysis makes me think of Hupigon related malware, at least some backdoor.
The third link given is also detected as being XSS attack code by the same malware script detector extension.

polonus
« Last Edit: January 19, 2012, 05:49:47 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Peon

  • Guest
Re: Web Shield questions
« Reply #6 on: January 20, 2012, 04:52:55 AM »
Good to know - I'll be avoiding those sites for sure, then.

Ever since I picked up some sort of drive-by download last year that took several weeks to clean (Google Chrome's not as secure as everybody seems to believe) I've been a bit paranoid. So forgive me for asking, but am I still safe and virus-free?
« Last Edit: January 20, 2012, 04:55:53 AM by Peon »

Gargamel360

  • Guest
Re: Web Shield questions
« Reply #7 on: January 20, 2012, 05:14:59 AM »
Every time the Web Shield has blocked anything here, subsequent scans have not turned up anything.

Plus, as Pondus mentioned, the detection at Stackoverflow could be the result of code posted openly, and the Web Shield being unable to determine the difference between a "loaded gun and an empty one", so to speak.

But if you have doubts, run a scan w/Avast!, and http://www.malwarebytes.org/products/malwarebytes_free


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: Web Shield questions
« Reply #8 on: January 20, 2012, 05:56:09 PM »
Hi Gargamel360,

Users should be careful doing these malcode experiments. You could be handling live code and if your anti-malcode software does not flag it, it can infect and stay under the radar. If I handle javascript code I like to view it while it is blocked from running, in a sandbox where it cannot escape, hopefully.
This is for website malcode that you view via a proxy. Never glare at live source code, even running via a proxy. The only safe way is with ample protection or presented in the form of an image. Sometimes I am alerted by the malware script detector extension from developer Aung Khant (a similar kind of extension in Fx is firekeeper's, with Alexander Sotirov's experimental list installed). It detects javascript malware that uses the malicious power of javascript; it is intended for web client security. It detects frameworks, XSS proxy, XSS shell, Attack-API and BeEF exploitation, has detection for image.gif, txt/javascript, data txt/html, local file protocol exploitation, is wide protocol based and was thoroughly tested for web developers, with a browser-independent greasemonkey install. It detects things that never get detected at a webserver-level FW, and detects web client run web trojan and backdoor abuse. In short, nice. I have this extension in the Google Chrome browser and it was installed with just one click.
Only thing is you must have the expertise to evaluate the findings yourself. So it is not just for everyone.

polonus

Gargamel360

  • Guest
Re: Web Shield questions
« Reply #9 on: January 20, 2012, 06:41:04 PM »
Oh, I'm not one to play with fire, you won't catch me pulling an Icarus ;)

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Re: Web Shield questions
« Reply #10 on: January 21, 2012, 04:25:56 PM »
These are correct detections.

As the site hosts the coding for malicious malware, the antivirus should alert, as the malcoding is provided on that site.

I wouldn't play with javascript malware unless on a VM, as the javascript could 'check' for a sandbox client and 'do' different things if true. I don't know if there is coding to 'escape' sandboxes yet, but it is possible, Polonus.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: Web Shield questions
« Reply #11 on: January 21, 2012, 07:35:10 PM »
Hi Donovansrb10,

One such flaw, for instance, where code escaped from the sandbox (now patched in the Google Chrome browser) was the audio handling race condition bug. In race conditions you are not sure of what the outcome may be and where the code will go. So abuse is all about attempts to trigger such a race condition.
You do not have to create them by fuzzing or whatever; these internal code bugs could be found, or are documented, and can then be exploited. So there are known javascript interpreter bugs that allow these sandbox escapes. For those that want to read extensively about how a javascript sandbox works and flaws in the standard libraries, go here: - http://www.cs.washington.edu/homes/arvind/papers/ccs10.pdf
link source data: Justin Cappos, Armon Dadgar, Jeff Rasley, Justin Samuel, Ivan Beschastnikh, Cosmin Barsan, Arvind Krishnamurthy, Thomas Anderson; Department of Computer Science and Engineering, University of Washington, Seattle, WA 98195

polonus