Author Topic: HTML:Script-inf false positive?  (Read 14348 times)


Sajor

  • Guest
HTML:Script-inf false positive?
« on: July 08, 2012, 12:32:00 AM »
Hi all;

When visiting a Saturn car forum (hxtp://wxw.saturnfans.com/forums/)  I (and everyone else on the site) keep getting the following message:

Infection Details
URL: htxp://wxw.saturnfans.com/forums/
Process:   C:%5CProgram Files%5CMozilla Firefox%5Cf...
Infection: HTML:Script-inf

It happens with IE, Opera, and Firefox

Now, other people using various other anti virus software do not get any kind of warning.

I visited the site on a test machine with the AVS off, and then ran a scan to see if an infection was present. Malwarebytes, TDSSKiller, Norton, and AVG found nothing. Avast found "HTML:Script-inf" in two of the trash caches for Firefox.

I seem to remember that last year Avast had an issue with "HTML:Script-inf" false positives, and apparently people on other forums are seeing the same problem again.

Is there some way to get someone from Avast to take a look at this?

I like the product and would hate to have to change AVS.
« Last Edit: July 08, 2012, 01:22:46 AM by Sajor »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:Script-inf false positive?
« Reply #1 on: July 08, 2012, 12:47:33 AM »
Hi Sajor,

First, please modify your post by changing all links from http:// to hXtp:// to avoid accidental clicks by the unaware.

Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Sajor

  • Guest
Re: HTML:Script-inf false positive?
« Reply #2 on: July 08, 2012, 07:23:14 PM »
So, no idea who can check / verify this? Anyone?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89670
  • No support PMs thanks
Re: HTML:Script-inf false positive?
« Reply #3 on: July 08, 2012, 08:00:38 PM »
The source code on the home page of the forums folder has a suspect script tag.

Whilst many other scanners come up clean, there is what I believe to be an injected script (image 1) leading to a site considered malicious by avast; see image 2, click to expand.

So it looks like the forum may have been hacked.

If you try a forum search for gate.php you will see similar detections.
« Last Edit: July 08, 2012, 08:05:08 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34052
  • malware fighter
Re: HTML:Script-inf false positive?
« Reply #4 on: July 08, 2012, 10:26:13 PM »
DavidR is right; what is detected is found at line 1295: htxp://www.cloud-jscript.com/gate.php
a code insertion directly into the web page with OpenX market adware - malicious Trojan rootkit.
Users infected with this malware need assistance from a qualified malware remover.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

psw

  • Guest
Re: HTML:Script-inf false positive?
« Reply #5 on: July 08, 2012, 11:13:08 PM »
> DavidR is right; what is detected is found at line 1295: htxp://www.cloud-jscript.com/gate.php
> a code insertion directly into the web page with OpenX market adware - malicious Trojan rootkit.
> Users infected with this malware need assistance from a qualified malware remover.

Are you sure? The single line of JS code which can be downloaded from this addr looks fine. Probably it is the code for banner display. E.g. the sucuri scanner considered this addr as clean.

Offline !Donovan
Re: HTML:Script-inf false positive?
« Reply #6 on: July 08, 2012, 11:58:17 PM »
> DavidR is right; what is detected is found at line 1295: htxp://www.cloud-jscript.com/gate.php
> a code insertion directly into the web page with OpenX market adware - malicious Trojan rootkit.
> Users infected with this malware need assistance from a qualified malware remover.

> Are you sure? The single line of JS code which can be downloaded from this addr looks fine. Probably it is the code for banner display. E.g. the sucuri scanner considered this addr as clean.

The suspect site's IP has hosted malware in June. Do you need more information?


Offline DavidR
Re: HTML:Script-inf false positive?
« Reply #7 on: July 09, 2012, 12:31:17 AM »
If you check the IP you will find a host (excuse the pun) of similar domain names on that IP. All of which also use the same gate.php.


psw

  • Guest
Re: HTML:Script-inf false positive?
« Reply #8 on: July 09, 2012, 06:19:36 AM »
But this behaviour looks quite reasonable for displaying banners in some centralized way.
So I temporarily turned off my Avast and used a download manager for downloading the content from this addr. I got a 1-line JS code, which defines and calls the SecBanner["init"] function.
I don't see anything suspicious in the code. The only thing is that all 5 strings were encoded as hexadecimal, not as plain ASCII. But it is not a crime, I think.

P. S. Probably this site is a rather attractive target for hacking (due to the construction of the banner net). But I don't see any direct danger.
« Last Edit: July 09, 2012, 07:01:08 AM by psw »
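The two checks discussed above (DavidR's injected third-party script tag in reply #3 and psw's one-line loader with hexadecimal-encoded strings in reply #8), written up as a small offline triage helper. This is an added example, not code from the thread or from any scanner mentioned in it; the HTML is constructed to mirror the descriptions, and the names ScriptCollector, decode_hex_runs and triage are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not the real forum source: one site-local script, one
# injected third-party <script>, and an inline loader whose string is \xNN-
# encoded and which re-arms itself every 30 seconds, as described in the thread.
SAMPLE_HTML = r"""<html><head>
<script src="http://www.saturnfans.com/forums/clientscript/ajax.js"></script>
</head><body>
<script src="http://www.cloud-jscript.com/gate.php"></script>
<script>
SecBanner={};SecBanner["init"]=function(){var h="\x63\x6c\x6f\x75\x64\x2d\x6a\x73\x63\x72\x69\x70\x74\x2e\x63\x6f\x6d";setTimeout(SecBanner["init"],30000)};SecBanner["init"]();
</script></body></html>"""

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)          # external script: record where it loads from
            else:
                self._in_script = True         # inline script: capture its body
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.inline.append(data)

# Four or more consecutive \xNN escapes: ordinary code is rarely written that
# way, while obfuscated loaders hide hosts and paths in exactly such runs.
HEX_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){4,}")

def decode_hex_runs(js):
    return [bytes.fromhex(m.group(0).replace("\\x", "")).decode("latin-1")
            for m in HEX_RUN.finditer(js)]

def triage(html, site_host):
    """Scripts loaded from other hosts, plus the decoded hex-packed strings."""
    p = ScriptCollector()
    p.feed(html)
    foreign = sorted({s for s in p.srcs
                      if urlparse(s).netloc and urlparse(s).netloc != site_host})
    return {"foreign_scripts": foreign,
            "decoded_strings": decode_hex_runs("\n".join(p.inline))}
```

Run on a saved copy of a page (never by loading it in a browser), the output lists every script host that is not the site itself and turns the hex-packed strings back into readable hosts and paths, which is the information a webmaster needs to decide whether that tag is theirs.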

SafeSurf

  • Guest
Re: HTML:Script-inf false positive?
« Reply #9 on: July 09, 2012, 08:03:40 AM »
If you turned off Avast to do this, then I'd check your machine for malware.  :o

psw

  • Guest
Re: HTML:Script-inf false positive?
« Reply #10 on: July 09, 2012, 09:47:21 AM »
A download manager cannot execute any script; it gets some piece of plain text and stores it in a disk file. Virtually it is absolutely equivalent to writing some piece of code by hand (e.g. in Notepad). Are you really checking your PC after writing every word in your favorite editor?

P.S. Probably it will be quite enough to temporarily turn off the Network Shield only (this shield really blocks access to the URL for every program).
« Last Edit: July 09, 2012, 09:51:28 AM by psw »

Offline mchain

  • Avast Evangelist
  • Ultra Poster
  • ***
  • Posts: 5719
  • Spartan Warrior
Re: HTML:Script-inf false positive?
« Reply #11 on: July 09, 2012, 12:32:28 PM »
> A download manager cannot execute any script; it gets some piece of plain text and stores it in a disk file. Virtually it is absolutely equivalent to writing some piece of code by hand (e.g. in Notepad). Are you really checking your PC after writing every word in your favorite editor?
>
> P.S. Probably it will be quite enough to temporarily turn off the Network Shield only (this shield really blocks access to the URL for every program).

If you turned off Avast! to get to the site, why have it on your system?    ??? :o  Avast! does protect against unseen dangers while surfing the internet.

I definitely would have my system checked for malware after I did this, and after I was told by the top-of-the-line web malware experts here that the site I visited was infected, and I would do it right away.  Pondus, Polonus, et al, put their systems on the line for users like you every day, so users like us have greater protection with Avast! than we would otherwise.

We are here to help you, not to judge.
Windows 11 Home 23H2
Windows 11 Pro 23H2
Avast Premier Security version 24.8.6127 (build 24.8.9372.868)
UI version 1.0.814

Offline polonus
Re: HTML:Script-inf false positive?
« Reply #12 on: July 09, 2012, 10:03:42 PM »
Hi mchain,

Well actually Pondus and polonus and others here always take no more than very calculated risks.
Whatever we do is done with utmost care; most of the scanning is third-party scanning, and then we will never actually go to the infected site
('cause some malcode could "boil over").
If we use a file viewer or Mozilla we do this under special security settings (sandboxed and scripts blocked).
But these situations are rare and few and far between, and most is done through totally safe "cold reconnaissance".

We have a lot of online scanners at our disposal: urlquery (html and IDS emerging threats and snort), urlvoid, virustotal meta, zulu zscaler,
Brightcloud, sucuri (script malware), malekal, wepawet, anubis, specific script scanners, malicious iFrame scanning services, de-obfuscation tools
(!Donovan's expertise really), malware searchlore (my kettle of fish) etc. etc.
All important finds are reported to virus AT avast dot com. Undetected malcode is further reported to zulu Zscaler (feedback) and DrWeb's url checker etc.

After every browser session I do a full browser scan.

It is tedious work, but it has brought lots of worthwhile and interesting insight and created a lot of mutual inspiration for those that were into it.
But the most important issue here is to enhance avast detection in many respects. If I see that later it is rather rewarding....
Stay safe and secure online is the wish of,

polonus

Sajor

  • Guest
Re: HTML:Script-inf false positive?
« Reply #13 on: July 10, 2012, 12:44:33 AM »
Thank you guys.

I did scan the site and all I came up with was a couple of links, one direct to freshporngallerys and one indirect to the same site through cloud-jscript. I didn't see any actual script or code being downloaded that can be described as an attack of any kind though. Looks more (to me) as if ad #1 is being hosted at freshporn and it looks like it has a 30sec refresh / keep-alive command. Maybe the people from freshporn are simply out to generate hits to their site through the ad. One hit every 30 sec per person checking the forums adds up pretty quickly, and since those sites get paid per hit... I would call it immoral, but not a security concern.  Anyone else agree?

Offline DavidR
Re: HTML:Script-inf false positive?
« Reply #14 on: July 10, 2012, 01:11:51 AM »
The problem is remote content can be changed in seconds, so you never realise what the payload might be.

We can't answer that; avast is essentially seeing a script which it believes has been inserted into that page, and one that goes to a site which it considers malicious. We certainly can't give any assurance that it is not a security concern.

Only the webmaster of the Saturn car forum can say if that script is legit, e.g. whether he put it there.