Avast WEBforum

Other => Viruses and worms => Topic started by: The Sniggler on June 06, 2018, 03:33:31 PM

Title: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 03:33:31 PM
When bringing up Ebay.com's login screen, I get a notice from Avast that the connection with Ebay is aborted due to a redirector - "JD" or something like that. However, I am still able to get into Ebay.

Follow up scans with MalwareBytes and Avast full scan show nothing. Is this a false positive?

I am using Firefox, Win7 64bit and this has never happened before. From searching the net, it seems this was a problem for some folks at one time, though.
Title: Re: Ebay Login - False Positive???
Post by: Pondus on June 06, 2018, 03:36:52 PM
Quote
Ebay Login - False Positive???     
Use Viruses and Worms forum section for False positive posts


as the info for this section say
>>Avast Free/Pro/IS/Premier topics and issues, not viruses or false alarms here!<<

Screenshots of Avast messages are a big help, then we avoid the ... or something like that 




Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 03:58:25 PM
Not really comfortable to log in again, but the Avast abort connection warning is "JS Redirector -BKG"
Title: Re: Ebay Login - False Positive???
Post by: Pondus on June 06, 2018, 04:03:59 PM
Quote
  JS Redirector -BKG   
Meaning it contains a JavaScript (JS) that redirects you to another site

The avast message should also say exactly where it sees this.... a screenshot says more than a thousand words  ;)


Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 04:25:55 PM
I tried Internet Explorer, a browser that I never use, and no problem.
I will post a screen shot.

Thank you for your kind help.
Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 04:45:46 PM
Here is the SS...  also, please see below thread for discussion...thanks.

https://community.ebay.com/t5/Technical-Issues/JS-Redirector-BKD/td-p/27724701
Title: Re: Ebay Login - False Positive???
Post by: polonus on June 06, 2018, 06:45:17 PM
Susceptible to man-in-the-middle attacks:

SSL expires soon
HTTP Strict Transport Security (HSTS) not enforced
HSTS header does not contain max-age
HSTS header does not contain includeSubDomains
HSTS header not prepared for preload list inclusion
Secure cookies not used

Vulnerable to cross-site attacks:

HttpOnly cookies not used
When HttpOnly cookies are not used, the cookies can be accessed on the client, which enables certain type of client-side attacks. The website configuration should be changed to enforce HttpOnly cookies.
EXPECTED:
[all set-cookie headers include 'httponly']
FOUND:
set-cookie (s): s HttpOnly;, set-cookie (dp1): dp1, set-cookie (ebay): ebay, set-cookie (nonsession): nonsession

Emails can be fraudulently sent: Lenient SPF filtering
Sender Policy Framework (SPF) record is too lenient as to which domains are allowed to send email on the domain's behalf. This record should definitely not contain (+all) or (?all) mechanisms, as these allow any domain to send email posing as this domain. This record should preferably not use the (~all) mechanism, as this will still allow emails flagged as being from an invalid domain, but will still allow the message to be delivered. Best practice is to use (-all).
EXPECTED:
contains -all
FOUND:
contains ~all

DNS is susceptible to man-in-the-middle attacks:

DNSSEC records prevent third parties from forging the records that guarantee a domain's identity. DNSSEC should be configured for this domain.
EXPECTED:
true
FOUND:
false

Not all is resolving: https://urlquery.net/report/cb19788e-6e82-4cee-b17a-c348840f0aaf

Only CLEANMX comes up with a detection for PHISHING.

Detection for
Quote
All Malicious or Suspicious Elements of Submission
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold
-signin.ebay.com/ws/$$d$$ benign
-(embed) -signin.ebay.com/ws/$$d$$
     status: (referer=-signin.ebay.com/ws/eBayISAPI.dll?SignIn&amp;_trksid=m570.l1524)saved 16879 bytes 4bfa3749594a83d5f65fbe4a1d1d67db92ded0b6
     info: [script] -secureir.ebaystatic.com/v4js/z/yy/aaa5p3nkya2onh2wvw0vhpasj.js
     info: [script] -secureinclude.ebaystatic.com/js/e1057/us/v4_e10572us.js
     info: [script] -secureinclude.ebaystatic.com/js/e1057/us/e10572us.js
     info: [img] -ir.ebaystatic.com/rs/v/apstidvcvu5pxlbxkphrrdo5iqv.png
     info: [img]- ir.ebaystatic.com/rs/v/fxxj3ttftm5ltcqnto1o4baovyl.png
     info: [img] -ir.ebaystatic.com/cr/v/c1/66165_060618_BAU_VA_FLASH_COUPON_D150x30_R1.png
     info: [script] -ir.ebaystatic.com/rs/v/qd3dhgal0203tnw1xo4kmgsjcmq.js
     info: [img] -rover.ebay.com/roverimp/0/0/9?imp=1018649
     file: 4bfa3749594a83d5f65fbe4a1d1d67db92ded0b6: 16879 bytes
/////////////////////
: [script] wXw.ebay.com/rdr/js/s/rrbundle-v1.0.2.js
     info: [script] -secureinclude.ebaystatic.com/js/v/in/roverlv.js
     info: [img] -ir.ebaystatic.com/rs/v/apstidvcvu5pxlbxkphrrdo5iqv.png
     info: [img] -ir.ebaystatic.com/rs/v/fxxj3ttftm5ltcqnto1o4baovyl.png
     info: [img] -rover.ebay.com/roversync/?site=0&amp;stg=1&amp;mpt=1528302877907
     info: [img] -c.paypal.com/v1/r/d/b/ns?s=EBAY_SIGNIN&amp;js=0&amp;r=1&amp;f=d5f33c851630ab112eb6b596ff94caa8
     info: [iframe] wXw.ebay.com/n.html?id=usllpic0&amp;id=d5f33cd31630ab112eb03b20fffbb256&amp;suppressFlash=true
     info: [script] -secureir.ebaystatic.com/v4js/z/yy/aaa5p3nkya2onh2wvw0vhpasj.js#SYS-ZAM_e1063_1_EUS
     info: [script]- ir.ebaystatic.com/rs/v/dw5a31rmxmzjfazlcvx4wnwylmt.js
     info: [embed] -signin.ebay.com/ws/$$d$$
     info: [decodingLevel=0] found JavaScript
     error: line:162: SyntaxError: missing ; before statement:
          error: line:162: t.msg=msg;t.ajxUrl=msg.svcConfig.url;if(t.tkSp)t.tkSp.innerHTML="<input type="hidden" name=""+t.tkP4S+"" value=""+t.tkvalue+"">";},udtImgSrc:function(urlObj){var t=this,url=t.imUrl,p4S=t.tkP4S,value=t.tkvalue;if(urlObj){if(urlObj.url)t.imUrl=url=urlObj.ur
          error: line:162: ................................................................^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html PUBLIC "-/W3C/DTD HTML 4.01 Transitional/EN" "-http:/www.w3.org/TR/html4/loose.dtd"><html lang="en"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><script src="-https:/www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js" t
          error: line:3: ...............^
     file: 56b5297e88f451e05e14a9687962420025555493: 176541 bytes
-www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js suspicious
[suspicious:5] (ipaddr:23.209.177.108) (script) -www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js
     status: (referer=-signin.ebay.com/ws/eBayISAPI.dll?SignIn&amp;_trksid=m570.l1524)saved 205496 bytes 5ad5129f9cef2979443f55661271399ed7db90cb
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [img] -www.ebay.com/rdr/js/s/
     info: [decodingLevel=0] found JavaScript
     error: undefined function document.querySelectorAll
     error: undefined variable s9F
     info: DecodedGenericCLSID detected CAFEEFAC-DEC7-0000-0001-ABCDEFFEDCBA
     suspicious: Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold
     info: DecodedMsg detected /info.ActiveXObject ShockwaveFlash.ShockwaveFlash
     info: [decodingLevel=1] found JavaScript
     info: file: saved -www.ebay.com/rdr/js/s/rrbundle-v1.0.2.js to (5ad5129f9cef2979443f55661271399ed7db90cb)
     file: 5ad5129f9cef2979443f55661271399ed7db90cb: 205496 bytes
     file: d897ae35cddc448eda57f3bc8898014a9c10fe74: 248 bytes
See sources and sinks in that code: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fwww.ebay.com%2Frdr%2Fjs%2Fs%2Frrbundle-v1.0.2.js

polonus (volunteer website security analyst and website error-hunter)
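As an added example (not part of polonus's post and not code from any of the scanners he quotes), the checks behind the HSTS, cookie-flag and SPF findings above, run offline over constructed sample headers for a placeholder domain. The samples are built to reproduce the post's findings (no HSTS header, Secure missing on every cookie, HttpOnly present only on `s`, SPF ending in `~all`) and nothing is fetched from ebay.com; the DNSSEC finding needs a resolver query and is not covered here.

```python
"""Offline audit of HSTS, Set-Cookie flags and the SPF 'all' mechanism.

Added example: sample headers and SPF records are constructed; the domain
example.invalid is a placeholder, not anything observed on ebay.com.
"""

ONE_YEAR = 31536000  # seconds; minimum max-age hstspreload.org accepts


def parse_hsts(value):
    """Split a Strict-Transport-Security value into (max_age, includeSubDomains, preload)."""
    max_age, include_sub, preload = None, False, False
    for directive in value.split(";"):
        d = directive.strip()
        if d.lower().startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1].strip().strip('"'))
            except ValueError:
                pass  # malformed max-age counts as absent
        elif d.lower() == "includesubdomains":
            include_sub = True
        elif d.lower() == "preload":
            preload = True
    return max_age, include_sub, preload


def audit_hsts(headers):
    values = [v for k, v in headers if k.lower() == "strict-transport-security"]
    if not values:
        return ["HSTS not enforced (no Strict-Transport-Security header)"]
    max_age, include_sub, preload = parse_hsts(values[0])
    findings = []
    if max_age is None:
        findings.append("HSTS header does not contain max-age")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is shorter than one year")
    if not include_sub:
        findings.append("HSTS header does not contain includeSubDomains")
    # preload submission needs all three: max-age >= 1 year, includeSubDomains, preload
    if not (preload and include_sub and max_age is not None and max_age >= ONE_YEAR):
        findings.append("HSTS header not prepared for preload list inclusion")
    return findings


def audit_cookies(headers):
    """One finding per missing Secure/HttpOnly attribute, per Set-Cookie header."""
    findings = []
    for k, v in headers:
        if k.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in v.split(";")]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "secure" not in attrs:
            findings.append(f"cookie {name}: Secure flag missing")
        if "httponly" not in attrs:
            findings.append(f"cookie {name}: HttpOnly flag missing")
    return findings


def audit_spf(record):
    """Grade the 'all' mechanism: a bare 'all' means +all; only -all is strict."""
    if not record.lower().startswith("v=spf1"):
        return ["no SPF record"]
    all_term = next((t for t in record.split() if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["SPF record has no 'all' mechanism (implicit ?all)"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier in "+?":
        return [f"SPF too lenient: '{all_term}' lets any host send as this domain"]
    if qualifier == "~":
        return [f"SPF uses soft fail '{all_term}'; prefer -all"]
    return []


def audit(headers, spf_record):
    return audit_hsts(headers) + audit_cookies(headers) + audit_spf(spf_record)


# Constructed sample reproducing the weaknesses listed in the post.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "s=abc123; Domain=.example.invalid; Path=/; HttpOnly"),
    ("Set-Cookie", "dp1=xyz; Domain=.example.invalid; Path=/; Expires=Fri, 05 Jun 2020 00:00:00 GMT"),
    ("Set-Cookie", "ebay=v1; Domain=.example.invalid; Path=/"),
    ("Set-Cookie", "nonsession=v2; Domain=.example.invalid; Path=/"),
]
SAMPLE_SPF = "v=spf1 include:_spf.example.invalid ~all"

# Constructed sample of the corrected configuration.
HARDENED_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
    ("Set-Cookie", "s=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
HARDENED_SPF = "v=spf1 include:_spf.example.invalid -all"
```

`audit(SAMPLE_HEADERS, SAMPLE_SPF)` returns one line per weakness (no HSTS, Secure missing on all four cookies, HttpOnly missing on `dp1`, `ebay` and `nonsession`, soft-fail SPF), and `audit(HARDENED_HEADERS, HARDENED_SPF)` returns an empty list. To run it against a live site, pass the raw `(name, value)` header pairs of the login response (repeated `Set-Cookie` headers must stay separate) and the domain's SPF TXT record.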
Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 07:30:34 PM
Thank you once again... however, I am not an expert.

Please explain what all of this means and what should I do?

4 Avast and MBytes scans come up zero, ADW Cleaner = same.
Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 10:54:54 PM
I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted immediately. I am running a boot scan for safety's sake.

Also tried it on a second machine - Avast IDs the threat as before.

Wonder what is going on? Hard to believe the Ebay login is infected and there is no word about it.....
Title: Re: Ebay Login - False Positive???
Post by: polonus on June 06, 2018, 11:17:48 PM
Howdy to you, The Sniggler,

Hopefully an avast team member will come to this thread and give the detection or FP the final verdict.

The detection for "Warning detected /warning CVE-NO-MATCH Shellcode Engine Binary Threshold"
is a generic IDS detection, the code is running longer than expected max run-time,
and that is always somewhat alarming.

As you can see, it says in the unpacker javascript evaluation SUSPICIOUS,
so that does not mean malicious per se.

So bide your time until to-morrow as it is near a quarter past eleven in the evening here in old Europe.

EBay infested, would fill some news line on the security forums.
Hope, that is not so and that it is only a glitch in the code.

Have a nice day from here near Rotterdam some 20 kilometers from the North-Sea coast,

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)

P.S. In the meantime the analysts of such browser based issues, can read here for backgrounds:
https://www.aldeid.com/wiki/Category:Digital-Forensics/Browser-based-Malwares/JavaScript

Damian
Title: Re: Ebay Login - False Positive???
Post by: Pondus on June 06, 2018, 11:24:18 PM
Quote
I deleted immediately. i am running a boot scan for safety sake.   
Why boot scan?

Boot scan does not give any better detection, it is the same engine and signatures that run. It is a tool meant to be used if you have problems removing an infection


Quote
  I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted immediately.  
So now you can't send it to avast lab for analysis   ::)
Why the rush to delete quarantined items?

Title: Re: Ebay Login - False Positive???
Post by: polonus on June 06, 2018, 11:38:41 PM
Hi Pondus,

As I added there "Do not panic", everything is under control and soon it will be clear if it is code to be quarantined (and then inside the chest it cannot do any harm, like someone jailed) or it is indeed not the real McCoy and a false positive, and all can give a sigh of relief.  ;D

We shall see what will be the final outcome soon,

polonus
Title: Re: Ebay Login - False Positive???
Post by: DavidR on June 06, 2018, 11:40:12 PM
Quote
I deleted immediately. i am running a boot scan for safety sake.   
Why boot scan?

Boot scan does not give any better detection, it is the same engine and signatures that run. It is a tool meant to be used if you have problems removing an infection
<snip quotes>

Probably because avast suggests running a boot time scan after an alert.
Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 11:46:24 PM
I removed it to get it off my system.... I have not had a virus in the past 15 years and thought removal was best.

I did the boot scan to be absolutely sure there was nothing on my PC. I always thought the boot scan was the most thorough. Thanks for your advice.

It is strange that Avast says that the connection to Ebay is aborted, but I can still log on. So the connection is not cut.

Also, I note that if I clear the notification in Avast the warning does not re-appear. However, if I reboot and then start over, then the warning will re-appear.

I wish I knew what is going on here... although others have faced this in the past, there is no other current discussion of this anywhere and I have been an Ebay user for many years with no problems. No clue as to what to do with my Ebay listing as I am afraid to log on.

Thanks again.



Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 06, 2018, 11:50:36 PM

Have a nice day from here near Rotterdam some 20 kilometers from the North-Sea coast,

Damian

Many, many thanks for your kind words... from your icon, I thought Poland, perhaps.
Title: Re: Ebay Login - False Positive???
Post by: The Sniggler on June 07, 2018, 12:24:59 AM
FWIW, Avast notification says:

Moved rrbundle.flat.min[1].js to Viruschest infected with JS:redirector-BK [TRj]
Title: Re: Ebay Login - False Positive???
Post by: jefferson sant on June 07, 2018, 03:22:36 AM
FWIW, Avast notification says:

Moved rrbundle.flat.min[1].js to Viruschest infected with JS:redirector-BK [TRj]

Hello.

I have already found the file and submitted it here

rrbundle.flat.min[1].js

https://www.virustotal.com/#/file/580bcd36c4ffc5f66642b7823c5d547c71f1b4b48aab27dc8ee0e3ceb0b527be/detection

Avast detects as JS:Redirector-BKG [Trj]

Screenshots detection of the attached

Reported to the Virus Lab ~
Title: Re: Ebay Login - False Positive???
Post by: HonzaZ on June 07, 2018, 07:26:40 AM
JS:Redirector-BKG [Trj] was already disabled yesterday, but I am strongly against using obfuscated scripts. Minified scripts are ok, but this specifically was bloated to avoid detection of redirection.
Title: Re: Ebay Login - False Positive???
Post by: Mike706 on November 17, 2018, 11:43:13 PM
I just tried the Ebay login with Internet Explorer, and Avast put an item in the Virus Chest... I deleted immediately. i am running a boot scan for safety sake.

Also tried it on a second machine - Avast ids the threat as before.

Wonder what is going on? Hard to believe the Ebay login is infected and there is no word about it.....


Hello:

I just got the same message from Avast that this threat was avoided. Here is the report:

Threat name: JS:Redirector-BMU [Trj]

URL: https://www.ebay.com/rdr/js/s/rrbundle.flat.min.js

Process: C:\Program Files\Mozilla Firefox\firefox.exe

I tried it on a new computer with Avast and it turned up the same warning about this same redirect.

Is this a false positive?

I was able to log on to ebay and conduct business as usual, but I'm somewhat worried about this. I ran Malwarebytes, SuperAntiSpyware and a number of other stand-alone scanners such as Viper Rescue. Nothing. And Avast, other than this warning, showed nothing when I did the suggested scan included with the warning.

Someone please reply. I'm new here and never posted before. I noticed others on the internet reporting the exact same problem when signing in to ebay.

Thanks for any help. I love Avast.

Title: Re: Ebay Login - False Positive???
Post by: polonus on November 18, 2018, 12:50:05 AM
This was an earlier analysis of that specific URI:
https://www.hybrid-analysis.com/sample/92f0cef3f180ee7c220e6aab82b0bb8c7a67904d4c4c6f02b5c13a6d18e634e1?environmentId=100
What HonzaZ meant was anti-detection stealthiness: "Creates a resource fork (ADS) file (often used to hide data)". 1/67 reputation engines marked "-http://www.ebay.com" as malicious (1% detection rate)
source: External System
relevance: 10/10
Various AV will return it as clean, but we see no best policies followed here  :D

polonus (volunteer website security analyst and website error-hunter)
Title: Re: Ebay Login - False Positive???
Post by: rfkco on November 18, 2018, 03:29:26 AM
Posted by: polonus
« on: Nov 17 at 12:50:05 AM »
Quote
Various AV will return it as clean, but we see no best policies followed here

The subject of this thread was "Ebay Login - False Positive???"  So is Avast posting a False Positive?

As an additional protection from java script redirect type malware do you recommend using a browser extension in Firefox like NoScript?  If this malware, JS:Redirector-BMU [Trj], were real, would an extension like NoScript stop it?  The reason I ask is that today with NoScript active, Avast does not flag a threat warning when I get to the Ebay login page.  If I turn NoScript off, Avast flags the threat "We've safely aborted connection to www.ebay.com because it was infected with JS:Redirector-BMU [Trj]."     

Title: Re: Ebay Login - False Positive???
Post by: zdik on November 18, 2018, 11:37:46 AM
So will there be any answer?
Avast, Chrome, Firefox, Opera all complain about js:redirector-bmu when I try to log in
https://www.virustotal.com/ru/file/84b5b0825e844669ff4021a3c5b650f66a0eb6ee23c71c8d9fa461198bceef7c/analysis/1542467129/
Title: Re: Ebay Login - False Positive???
Post by: Asyn on November 18, 2018, 11:41:35 AM
Please post English here, else use the forum section for your language.
-> https://forum.avast.com/index.php?board=21.0
Title: Re: Ebay Login - False Positive???
Post by: polonus on November 18, 2018, 01:28:33 PM
Also consider these scan results: https://webcookies.org/cookies/www.ebay.com/20254066
a -12 security score... also consider: https://webcookies.org/ssl/report/www.ebay.com/15798
Error here: hint #1: 'content-type' header media type value should be 'text/javascript', not 'application/javascript';
Static resources should have a long cache value (31536000) and use the immutable directive: public, max-age=0;
Response should be compressed with Brotli when Brotli compression is requested over HTTPS

But no security implications seen there. Do we have to reckon with an AVG/avast FP in this case?
I see a retirable library here: https://retire.insecurity.today/#!/scan/92018e8cedcf9a9e4204faa410bf76be8a80dac2e5fd8929118a0f0727f6baaf

Domain is not malware free no way: https://www.virustotal.com/#/domain/www.ebay.com

polonus (volunteer 3rd party cold reconnaissance website security analyst and website error-hunter)
Title: Re: Ebay Login - False Positive???
Post by: rfkco on November 18, 2018, 04:44:43 PM
polonus - my apologies.  I did not notice that at the bottom of each of your posts you say "Use NoScript, a limited user account and a virtual machine and be safe(r)!"    Thanks for this advice.
Title: Re: Ebay Login - False Positive???
Post by: polonus on November 18, 2018, 05:12:53 PM
Hi rfkco,

You're welcome. Yep, NoScript and also uMatrix for that matter are solutions that will always work both for present and even for future (3rd party) script threats. Giorgio Maone presented a wonderful tool for us all to keep us much more secure inside the browser. We all know that JavaScript can be the royal way into your device's OS for malware, adware, bloatware and potentially unwanted code.

If only users were more aware of the benefits as we are, it would be much more secure under everyone's browser-hood.

Have a nice day and again thanks for reporting here,  stay safe and secure both offline and online,

polonus
Title: Re: Ebay Login - False Positive???
Post by: zdik on November 18, 2018, 06:13:02 PM
polonus, NoScript plugin for FF blocks ebay
Title: Re: Ebay Login - False Positive???
Post by: DavidR on November 18, 2018, 06:42:36 PM
polonus, NoScript plugin for FF blocks ebay

I don't know why that would be the case. Given eBay is a very high traffic site, that NoScript would want to block.

That said, we would need more details, screenshot or the wording to see why.

I no longer use NoScript (uBlock Origin) so I can't check.  However, you should be able to change NoScript to allow it.  But I wouldn't do that until we find why it is blocked.
Title: Re: Ebay Login - False Positive???
Post by: polonus on November 18, 2018, 10:05:28 PM
Hi DavidR,

I do not use NoScript nor uMatrix in a browser that I came to appreciate some time ago for its effectiveness, and that is Avast Secure Browser. Whenever for out of the ordinary requests and scanning, I browse with browsers like Iridium, Beaker or Brave.

NoScript and uMatrix also always have been a bit outside the scope of the common browser user, who does not know how and why to toggle such extensions to be secure under all circumstances. I mean to know what main and third-party scripts to block and not allow, or not to block and to allow.

Some links from ebay are being blocked for me like: -https://pagead2.googlesyndication.com/pagead/osd.js & -https://pagead2.googlesyndication.com/pagead/osd.js but more as ads are being blocked...

See some of the privacy hick-ups at ebay's: https://privacyscore.org/site/117501/ 

1. See all known 3rd party scripts and known trackers, 24 & 9.
2. Find that server is vulnerable to secure-client-initiated renegotiation,
3. Find that no referrer-policy header is being set.
4. See server is vulnerable to the SWEET32 attack.

Damian
Title: Re: Ebay Login - False Positive???
Post by: DavidR on November 19, 2018, 12:03:14 AM
@  polonus
Off Topic:
Since I can't use Avast Secure Browser on all systems, I won't be installing it on any.  Plus I'm still not a fan of Chrome or chromium based browsers.

Back On Topic:
I certainly wouldn't say NoScript is particularly complex.
I never mentioned uMatrix which is more complex, like the RequestPolicy add-on that I also used in the past.
Title: Re: Ebay Login - False Positive???
Post by: polonus on November 19, 2018, 12:18:52 AM
Hi DavidR,

Agree with you that not having Avast Secure Browser brought to Google-Android for instance is unfortunate, as Brave browser has been brought there, and I use it a lot on mobiles. Even so, Avast Secure Browser is a chromium based browser of sorts.  :D

uMatrix is not particularly complex either, just allow minimal settings to let the page function properly and know what sites to shun.

pol
Title: Re: Ebay Login - False Positive???
Post by: HonzaZ on November 19, 2018, 09:27:22 AM
This is certainly not a false positive, the detection was triggering a redirection script.
However, as this is on ebay, I will let it pass and disable the detection, but if anyone from ebay is reading this, beware that I am strongly against this behavior!
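HonzaZ's two verdicts (the June post that the bundle was "bloated to avoid detection of redirection", and the post just above that the detection fired on a redirection script) describe why a plain substring scan for a redirect misses an obfuscated one. The following is an added example, not Avast's JS:Redirector signature and not code from ebay's rrbundle: a small normaliser that folds `"loc" + "ation"` concatenations, `String.fromCharCode(...)` literals and `obj["href"]` bracket access back into dotted form before looking for navigation sinks. The sink list and all three sample scripts are constructed for the demonstration; example.invalid is a placeholder.

```python
"""Find navigation sinks in JavaScript after undoing simple string obfuscation.

Added example: the sink list and the sample scripts below are assumptions
constructed for the demonstration, not anything taken from ebay.com.
"""
import re

# Property/call chains treated as redirect sinks (assumed reviewer list, not an AV signature).
REDIRECT_SINKS = (
    "location.href",
    "location.replace(",
    "location.assign(",
    "document.location",
    "window.location",
)

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*((?:\d+\s*,\s*)*\d+)\s*\)")
_CONCAT = [
    re.compile(r'"([^"\\]*)"\s*\+\s*"([^"\\]*)"'),   # "a" + "b"
    re.compile(r"'([^'\\]*)'\s*\+\s*'([^'\\]*)'"),   # 'a' + 'b'
]
_BRACKET = re.compile(r"""\[\s*(["'])([A-Za-z_$][\w$]*)\1\s*\]""")  # obj["name"]
_URL = re.compile(r"""https?://[^\s"']+""")


def fold_fromcharcode(src):
    """String.fromCharCode(104,116,...) -> the double-quoted literal it spells."""
    return _FROMCHARCODE.sub(
        lambda m: '"' + "".join(chr(int(n)) for n in m.group(1).split(",")) + '"', src)


def fold_concat(src):
    """Repeatedly join adjacent literals of the same quote style until nothing changes."""
    prev = None
    while prev != src:
        prev = src
        for pat in _CONCAT:
            src = pat.sub(lambda m: m.group(0)[0] + m.group(1) + m.group(2) + m.group(0)[0], src)
    return src


def fold_bracket(src):
    """obj["href"] -> obj.href so the dotted sink patterns can match."""
    return _BRACKET.sub(r".\2", src)


def normalise(src):
    return fold_bracket(fold_concat(fold_fromcharcode(src)))


def find_redirects(src):
    """Return the sinks and URL literals visible once the script is normalised."""
    folded = normalise(src)
    return {
        "sinks": [s for s in REDIRECT_SINKS if s in folded],
        "urls": _URL.findall(folded),
        "normalised": folded,
    }


# Constructed samples: the first two hide a redirect, the third is ordinary page code.
OBFUSCATED_SAMPLE = (
    'var w = window, p = "ht" + "tp" + "s://" + "example.invalid/" + "landing";\n'
    'w["loc" + "ation"]["hr" + "ef"] = p;\n'
)
CHARCODE_SAMPLE = (
    'document.location = String.fromCharCode(104,116,116,112,115) + "://example.invalid/go";\n'
)
CLEAN_SAMPLE = (
    'var b = document.getElementById("signin");\n'
    'b.addEventListener("click", function () { send("https://example.invalid/api"); });\n'
)
```

On `OBFUSCATED_SAMPLE` the raw text never contains `location.href`, so a naive substring check reports nothing; after normalisation the second line reads `w.location.href = p;` and the target URL is recovered as a single literal. This only undoes the cheapest tricks (concatenation, char codes, bracket access); a bundle that builds the sink name at runtime from array indexes or decodes it from a packed string still needs a JavaScript interpreter or a sandbox such as the ones quoted earlier in the thread.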
Title: Re: Ebay Login - False Positive???
Post by: solaire on November 20, 2018, 03:27:00 AM
Hmm...As upset as I was about this, If this is the case
We users would want Avast to stand the ground
We also would "strongly object to this behavior"
I hope they lost a lot of money with this. > :-(
Title: Re: Ebay Login - False Positive???
Post by: polonus on November 22, 2018, 01:11:03 AM
To support this above vision, I recently scanned at Zulu Zscaler's, which results agree delivering a VirusTotal Content Check,
that produces a Positives count of 3 with a risk score of 30; all this for the code at
-hXtps://www.ebay.com/rdr/js/s/rrbundle.flat.min.js.

However the above risk grade does not lead to a VT flag by any of the known av-solutions.
A risk score of 30 denotes that application/javascript; charset=UTF-8 here is questionable to say the least,

polonus