Author Topic: False Positive on Wiggio Website? (Read 4497 times)

KDibble · « **on:** April 30, 2014, 04:02:49 PM »

Today several computers at our location have had access to the Wiggio shared calendar website blocked by Avast.

The warning is attached. It's from a Firefox session on Win 7 but it also occurs in IE on Win XP.

This is definitely a legitimate website, used by several people. This problem did not occur before today.

I certainly do not want to tell people to use the website if it's been compromised, but a web search does not indicate anything about such an event. So I need to know if this is a false positive as soon as possible.

EndPoint Protection Suite version 8.0.1603 (with SOA 1.3.3.35)
Virus Definitions version 140430-0

Thank you.

Michael (alan1998) · « **Reply #1 on:** April 30, 2014, 05:36:37 PM »

See my post in this topic about that website....

Michael (alan1998) · « **Reply #2 on:** April 30, 2014, 05:37:48 PM »

My post:

Quote from: Michael (alan1998) on April 30, 2014, 05:35:00 PM

Quote from: KDibble on April 30, 2014, 03:44:13 PM
I'm getting this on the Wiggio calendar website also; it just started today.

http://wiggio.com

Produces:

TROJAN HORSE BLOCKED

Object: http:/.../wiggio-in.jgz?lastmod=20140429161

Infection: JS:Decode-BUL [Trj]

People here have been using this website for shared calendar activity for weeks. It's definitely a legitimate website.

I will post this separately as a query on "False Positive on Wiggio Website?".

I think your site is a FP.

However, check this is on th ASN.. http://urlquery.net/report.php?id=1398869423234

THe report on the Download is 13/51 Malicious. https://www.virustotal.com/en/file/77547470097e7d4537eb8adaa06f5c38db81436be96158d5377c09d7f6b24fc9/analysis/1398832706/

No other reports on wiggio.com.

KDibble · « **Reply #3 on:** April 30, 2014, 06:00:51 PM »

Thank you.

I don't understand your reference to "the download" though. I don't see any option to download anything on the wiggio.com page. Avast appears to be detecting a script, which it blocks. The site then displays a message stating that "there was a problem loading a necessary script file".

But if there's something that can be downloaded there that is a threat I definitely want to know about it.

Pondus · « **Reply #4 on:** April 30, 2014, 06:03:48 PM »

killmalware report http://killmalware.com/wiggio.com/

virustotal
https://www.virustotal.com/nb/file/080bbd724f26b0368f3aee9e3c4f6d8239f0a0d56e3b88e7a1612b1265a9b878/analysis/1398877784/

Michael (alan1998) · « **Reply #5 on:** April 30, 2014, 06:06:34 PM »

It might be a legit detection. I don't know a hole lot about Java Exploits.

I'll ask Pol to take a look.

polonus · « **Reply #6 on:** April 30, 2014, 07:28:18 PM »

Hi Michael,

There is iFrame malware flagged on site:
Suspicious

blank dot html' *
noop dot html' **
noop dot html'

" Security issue with IFrame based HTML hosting. This results in serious issues with the IFrame staying on top and obscuring important pop-ups.
the iFrame is hidden temporarily while the pop-up is dismissed. Impact is Cross Domain Information Disclosure Vulnerability. A malicious site may be able to modify the iframe of a site in an arbitrary external domain. Attackers could exploit this to gain access to sensitive information that is associated with the external domain. Other attacks are also possible, such as executing script code in other browser security zones. info credits SecurityFocus - mozilla,

** Funny that Web Security scan finds the iFrame flag on the no-op tag, used in assembler-level programming as filler for data or patch areas,
No-op tag could for instance be used to mark out the start and end of a chunk of HTML to be Ajaxed

https site seems OK: http://toolbar.netcraft.com/site_report?url=https://wiggio.zendesk.com
This external link also been checked: htxps://itunes.apple.com/us/app/wiggio/id424059394?mt=8

Scan for uri as given malicious: http://zulu.zscaler.com/submission/show/6be9191a38118fc874c468728c1b9fcc-1398877896

Malware could be a generic worm detection but also riskware. Reason also to concluse a false positive detection.

Damian

Michael (alan1998) · « **Reply #7 on:** April 30, 2014, 07:30:01 PM »

Quote from: polonus on April 30, 2014, 07:28:18 PM

Hi Michael,

There is iFrame malware flagged on site:
Suspicious

blank dot html' *
noop dot html' **
noop dot html'

" Security issue with IFrame based HTML hosting. This results in serious issues with the IFrame staying on top and obscuring important pop-ups.
the iFrame is hidden temporarily while the pop-up is dismissed. Impact is Cross Domain Information Disclosure Vulnerability. A malicious site may be able to modify the iframe of a site in an arbitrary external domain. Attackers could exploit this to gain access to sensitive information that is associated with the external domain. Other attacks are also possible, such as executing script code in other browser security zones. info credits SecurityFocus - mozilla,

** Funny that Web Security scan finds the iFrame flag on the no-op tag, used in assembler-level programming as filler for data or patch areas,
No-op tag could for instance be used to mark out the start and end of a chunk of HTML to be Ajaxed

https site seems OK: http://toolbar.netcraft.com/site_report?url=https://wiggio.zendesk.com
This external link also been checked: htxps://itunes.apple.com/us/app/wiggio/id424059394?mt=8

Scan for uri as given malicious: http://zulu.zscaler.com/submission/show/6be9191a38118fc874c468728c1b9fcc-1398877896

Malware could be a generic worm detection but also riskware. Reason also to concluse a false positive detection.

polonus

Ta, hopefully the site removes the iFrame

KDibble · « **Reply #8 on:** April 30, 2014, 07:39:43 PM »

Thank you folks.

KDibble · « **Reply #9 on:** April 30, 2014, 07:48:35 PM »

But it occurs to me to ask:

We have been using this website with Avast here for several months but today was the first time Avast displayed a warning about it. Is it possible to know whether this is because something on the website changed, or did something in Avast change since yesterday?

That would help me to decide whether to permit access to it; if it's only Avast that changed, then I would presume the site is as safe today as it was yesterday.

Thanks for all your help.

Pondus · « **Reply #10 on:** April 30, 2014, 08:23:02 PM »

Quote

We have been using this website with Avast here for several months but today was the first time Avast displayed a warning about it. Is it possible to know whether this is because something on the website changed, or did something in Avast change since yesterday?

whats clean today....can be hacked tomorrow $:-\$

Every 3.6 seconds a website is infected http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/

Sucuri blog http://blog.sucuri.net/

polonus · « **Reply #11 on:** April 30, 2014, 11:05:56 PM »

@KDibble,

With a variant on what Pondus stated in his above posting:
"And what was being blocked to-day can become unblocked via the next virus update."

Glad to announce the site is no longer being blocked by avast!

polonus

KDibble · « **Reply #12 on:** May 01, 2014, 03:37:25 PM »

Thank you very much!

Based on everything I read, it appears the primary reason for the block was "riskware", which, while a good thing to be aware of, is not, in my opinion, a sufficient reason for blocking a site.