Author Topic: False Positive definition on http://www.kaldata.com/  (Read 9783 times)


slayer76

  • Guest
False Positive definition on http://www.kaldata.com/
« on: December 29, 2013, 10:33:11 AM »
2 days ago Avast warned me about the trojan JS:Redirector on this website. Even today with new defs everything is the same! Defs are 131228-1.
Here is the screenshot of the detection:


And report of VT:
https://www.virustotal.com/en/url/5688fd9d5834c713ac10783677caa341a13f1751f118367accaede4b71071433/analysis/1388262204/
https://www.virustotal.com/en/url/133ba46ca7229c7bebc267d3a4cc4dbd8ce6edd52bd8c358a96c8b3ce30645cf/analysis/1388310541/
Site is clean.

Please fix this.

Best regards,
slayer76.
« Last Edit: December 29, 2013, 11:45:33 AM by slayer76 »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: False Positive definition on http://www.kaldata.com/
« Reply #1 on: December 29, 2013, 11:39:51 AM »
If virustotal says it is clean, it doesn't mean that there is no harmful thing on that website.
The ads they are providing change all the time, so there can be a harmful ad on the website.

And why would someone use this code on a webpage?
var OX_4f1056cf = '';
document.write(OX_4f1056cf);

rado99

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #2 on: December 29, 2013, 11:41:32 AM »
And not only on this site. I'm thinking this is on every site that uses a JS ads system.

propheticus

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #3 on: December 29, 2013, 12:01:49 PM »
It's classified as a redirector trojan. This kind of code sends users from one site (they deliberately visit) to another that the user him-/herself did not ask for. This other site might download malware, show porno, steal user data (spyware) or simply use the false traffic to make fraudulent ad revenues. The site itself might be clean, but the (changing) ads might be harmful depending on which ad is loaded.
http://quttera.com/detailed_report/kaldata.com


slayer76

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #4 on: December 29, 2013, 12:08:09 PM »
If virustotal says it is clean, it doesn't mean that there is no harmful thing on that website.
The ads they are providing change all the time, so there can be a harmful ad on the website.

And why would someone use this code on a webpage?
var OX_4f1056cf = '';
document.write(OX_4f1056cf);
OK, let's try again... And again clean.
http://www.urlvoid.com/scan/ads.kaldata.com/

http://app.webinspector.com/public/reports/19126103
This code is harmless! So where is the malware?

programings

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #5 on: December 29, 2013, 12:10:00 PM »
It's classified as a redirector trojan. This kind of code sends users from one site (they deliberately visit) to another that the user him-/herself did not ask for. This other site might download malware, show porno, steal user data (spyware) or simply use the false traffic to make fraudulent ad revenues. The site itself might be clean, but the (changing) ads might be harmful depending on which ad is loaded.
http://quttera.com/detailed_report/kaldata.com

That's totally ridiculous, guys!

Avast detects JS:Redirector-BJB on every site that uses this JS ads system or has some part for redirection in the source code.

So many years without this restriction, and now, why or... what?

Thousands of sites in the WWW use ads systems like this, and Avast tells the user that they're infected.
That's thousands of webmasters who need to change the way their pages work.

100% false positive. Please review it in detail and we will be waiting for a fix.
« Last Edit: December 29, 2013, 12:13:22 PM by programings »

slayer76

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #6 on: December 29, 2013, 12:14:55 PM »
It's classified as a redirector trojan. This kind of code sends users from one site (they deliberately visit) to another that the user him-/herself did not ask for. This other site might download malware, show porno, steal user data (spyware) or simply use the false traffic to make fraudulent ad revenues. The site itself might be clean, but the (changing) ads might be harmful depending on which ad is loaded.
http://quttera.com/detailed_report/kaldata.com
I know that! But where exactly is this trojan?
This code does not redirect users...

propheticus

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #7 on: December 29, 2013, 12:25:57 PM »
That site admins have been using this tactic for years does not necessarily mean it is therefore good or should be allowed. If it poses a security risk (now), it's rightfully blocked (now).


Again it does not seem the site itself to be the issue, it's the ads/ad delivery system (3rd party?).

----
So many years without this restriction, and now, why or... what?
...
Thousands of sites in the WWW use ads systems like this, and Avast tells the user that they're infected.
That's thousands of webmasters who need to change the way their pages work.
...
Argumentum ad antiquitatem
+
Argumentum ad populum
« Last Edit: December 29, 2013, 12:39:35 PM by propheticus »

programings

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #8 on: December 29, 2013, 12:36:42 PM »
Again it does not seem the site itself to be the issue, it's the ads/ad delivery system (3rd party?).

This 3rd-party ads system is called OpenX.
Commercial product!

And what about all sites that use it, ha?

P.S:

Argumentum ad antiquitatem
+
Argumentum ad populum

Please, don't be a smartass, can you?

And again: What kind of security risk can one blank variable, set by JS, be?!?
Explain it to me.
« Last Edit: December 29, 2013, 12:46:41 PM by programings »

propheticus

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #9 on: December 29, 2013, 12:48:37 PM »
Might be (or have been) a corrupted/hacked ad server:
http://www.spamfighter.com/News-17616-Compromised-OpenX-Ad-and-Server-Boosting-Malware.htm
http://stopmalvertising.com/tag/openx.html


There are plenty of examples where hacked ad servers have been used to spread malware. If you believe you might've been infected in the past and all problems have been fixed now, you can use the contact form/ticket system to report a false positive: https://support.avast.com/Tickets/Submit. That might help you more than arguing with me on a (mainly) users' forum. The avast crew doesn't respond here that much.


p.s. I am a smartass, maybe, but you make a dangerous fallacy in thinking many users == good/safe. The number of users or the fact that something is commercial does not mean something MUST be safe.
« Last Edit: December 29, 2013, 12:55:21 PM by propheticus »

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: False Positive definition on http://www.kaldata.com/
« Reply #10 on: December 29, 2013, 05:27:09 PM »
Besides...
http://168.144.32.45/blacklist/bl/99.225.243.0/#_

Just use:
http://www.avast.com/en-us/contact-form.php
and the people from avast will have a look at it.
« Last Edit: December 29, 2013, 05:29:39 PM by Eddy »

Offline B-boy/StyLe/

  • Newbie
  • Posts: 15
Re: False Positive definition on http://www.kaldata.com/
« Reply #11 on: December 29, 2013, 05:57:15 PM »
Hello,

This is a false positive for sure. We at kaldata provide many services (including malware removal) and we can guarantee that there is no problem with the site itself.
I am not the admin of the site (but one of the Malware Response Team members trained at BleepingComputer) and we already spoke with the admin. The following ad script (/www/delivery/*) is used on many legit sites like:

bgmaps.com
dtv-bg.com
sportni.bg

and I guess that avast will detect them as well, so adding a thousand exceptions manually in avast settings is not a big deal.


Regards,
Georgi

kubecj

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #12 on: December 29, 2013, 07:43:35 PM »
You're wrong
hXXp://ads.kaldata.com/www/delivery/ajs.php?zoneid=19

the second line before the end, try{$a=~[];$a={___:++$a,$$$$.....

this is a malicious script which is injected into your vulnerable OpenX install.

Offline B-boy/StyLe/

  • Newbie
  • Posts: 15
Re: False Positive definition on http://www.kaldata.com/
« Reply #13 on: December 29, 2013, 08:16:26 PM »
Hi,

Thank you for the reply.

So avast! is the only one which detects it?

http://jsunpack.jeek.org/dec/go?report=ec1b1ff5861c2d03cee71fc950aa6201f402f990

https://www.virustotal.com/en/file/0dd549aee675c1db23831aa501288e17b774ebfbbfb6d48e1b77dab18d51f1be/analysis/1388344005/

Since html decoding is not my specialty I asked a friend of mine (MVP member) to take a look as well.

Thanks!


Regards,
Georgi

kubecj

  • Guest
Re: False Positive definition on http://www.kaldata.com/
« Reply #14 on: December 29, 2013, 08:22:31 PM »
It's possible we're the only ones to detect it. The script is a redirection, usually to hxxp://brins.biz. If you don't know why there should be such a redirection, you should fix that ASAP.
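
As an added illustration (my own Python, not code from the thread, from Avast or from OpenX), a check a site operator could run over the JavaScript their own ad delivery endpoint serves, such as the ajs.php output quoted in Reply #12, to flag the jjencode-style `$x=~[];$x={___:++$x,...}` bootstrap kubecj points at and the plain-text redirect primitives a redirector like the one described in Reply #14 would need. All samples are constructed; `example.invalid` is a placeholder.

```python
import re

# Constructed samples (not taken from kaldata.com). The second one mimics the
# bootstrap quoted in Reply #12: try{$a=~[];$a={___:++$a,$$$$: ... ; the tail is
# truncated on purpose because the check keys on the preamble, not the payload.
BENIGN_AD_JS = "var OX_4f1056cf = '';\ndocument.write(OX_4f1056cf);\n"
INJECTED_AD_JS = BENIGN_AD_JS + (
    'try{$a=~[];$a={___:++$a,$$$$:(![]+"")[$a],__$:++$a,'
    '$_$_:(![]+"")[$a]};}catch(e){}\n'
)
PLAIN_REDIRECT_JS = BENIGN_AD_JS + "window.location.href='http://example.invalid/';\n"

# jjencode-style bootstrap: a variable set to ~[] (which is -1), then rebuilt as an
# object whose keys are ++'d to produce digits and whose values index into coerced
# strings such as (![]+"") to fish out single characters. \1 forces the same name.
JJENCODE_PREAMBLE = re.compile(
    r"(\$\w*)\s*=\s*~\[\]\s*;\s*\1\s*=\s*\{\s*___\s*:\s*\+\+\1"
)

# Unobfuscated navigation primitives a served ad script has no business using.
REDIRECT_PRIMITIVE = re.compile(
    r"(?:window|document|top|self)?\.?\blocation(?:\.(?:href|replace|assign))?\s*[=(]"
    r"|http-equiv\s*=\s*['\"]?refresh",
    re.IGNORECASE,
)


def scan_ad_script(js):
    """Return the reasons a served ad script looks like an injected redirector.

    An empty list means nothing was flagged: an empty OX_ variable passed to
    document.write, on its own, produces no finding.
    """
    reasons = []
    if JJENCODE_PREAMBLE.search(js):
        reasons.append("jjencode-style bootstrap: $x=~[];$x={___:++$x,...}")
    if REDIRECT_PRIMITIVE.search(js):
        reasons.append("plain-text redirect primitive (location/meta refresh)")
    return reasons


if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_AD_JS), ("injected", INJECTED_AD_JS),
                         ("redirect", PLAIN_REDIRECT_JS)]:
        print(name, scan_ad_script(sample) or "nothing flagged")
```

Run it against the saved response body of your own ad endpoint; a hit on the bootstrap pattern means the served script, not the `OX_` variable, is what the scanner is reacting to.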