Author Topic: Trojan Problem with blogger  (Read 13557 times)

0 Members and 1 Guest are viewing this topic.

farelo

  • Guest
Trojan Problem with blogger
« on: August 28, 2012, 02:57:17 PM »
Hi I have a blog and when I enter the option menu of the blogger, I miss a warning. the aforementioned is:
How I can fix it?

Thanks in advance and sorry for my English

true indian

  • Guest
Re: Trojan Problem with blogger
« Reply #1 on: August 28, 2012, 03:03:01 PM »
detection was added in latest update:http://www.avast.com/virus-update-history

can u test your site at urlquery.net

farelo

  • Guest
Re: Trojan Problem with blogger
« Reply #2 on: August 28, 2012, 03:11:38 PM »
detection was added in latest update:http://www.avast.com/virus-update-history

can u test your site at urlquery.net

In urlquery.net not detect alerts and benign zulu.zscaler.com gives me 40/100

urlquery:
         http://urlquery.net/report.php?id=148940
zulu.zscaler:
         http://zulu.zscaler.com/submission/show/5e94889f13bbdf98acc670db915542d2-1346157096

How I can do so I would not skip the notice if it was a false positive? or if it's a real positive as solved.
Thanks again.

CharlesZdh

  • Guest
Re: Trojan Problem with blogger
« Reply #3 on: August 28, 2012, 03:39:15 PM »
This is most likely a false positive, I am a web developer and have been using Telerik products for years, there is no way that they contain trojans. Telerik provide professional class developer tools for web (and other) applications.

Also, it seems like Avast only has this false positive in Firefox. I have been checking my production websites in Chrome and IE8+, no trojans detected.

PLEASE AVAST PROVIDE QUICK UPDATE  before our customers start complaining. Telerik products are WIDELY used in web development and having a false positive in such a context is not a good thing AT ALL.

true indian

  • Guest
Re: Trojan Problem with blogger
« Reply #4 on: August 28, 2012, 03:45:25 PM »
Its may be correct detection..this is may be malicious appendchild/a child HTML malware

blogger.com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.45.191) blogger.com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter.com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
     info: [img] blogger.com/static/v1/layouts/images/joiner.png
     info: [img] blogger.com/static/v1/layouts/images/
     info: [decodingLevel=0] found JavaScript
     info: DecodedMsg detected /info.ActiveXObject MSXML2.XMLHTTP.6.0
     info: [decodingLevel=1] found JavaScript
     info: file: saved blogger.com/static/v1/layouts/3994510508-layouts.js to (f6833646b30ebc2bb9117decccebd04153441b52)
     file: f6833646b30ebc2bb9117decccebd04153441b52: 194440 bytes
     file: c5104ee84372a98f27b6a30bbc4c8af9a0ed210e: 735 bytes
« Last Edit: August 30, 2012, 12:16:47 PM by true indian »

CharlesZdh

  • Guest
Re: Trojan Problem with blogger
« Reply #5 on: August 28, 2012, 03:49:51 PM »
Its correct detection..this is a malicious appendchild/a child HTML malware

blogger.com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.45.191) blogger.com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter.com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
     info: [img] blogger.com/static/v1/layouts/images/joiner.png
     info: [img] blogger.com/static/v1/layouts/images/
     info: [decodingLevel=0] found JavaScript
     info: DecodedMsg detected /info.ActiveXObject MSXML2.XMLHTTP.6.0
     info: [decodingLevel=1] found JavaScript
     info: file: saved blogger.com/static/v1/layouts/3994510508-layouts.js to (f6833646b30ebc2bb9117decccebd04153441b52)
     file: f6833646b30ebc2bb9117decccebd04153441b52: 194440 bytes <<----Malicious!!!
     file: c5104ee84372a98f27b6a30bbc4c8af9a0ed210e: 735 bytes

I beg to differ, how is this a malware. It is an advanced and fully featured HTML editor used by A LOT of websites/companies.
Detecting a Trojan on this IS a false positive.

http://demos.telerik.com/aspnet-ajax/editor/examples/default/defaultcs.aspx

true indian

  • Guest
Re: Trojan Problem with blogger
« Reply #6 on: August 28, 2012, 03:52:46 PM »
According to me its malicious..Anyway virus analyst is informed..he will give feedback on this

CharlesZdh

  • Guest
Re: Trojan Problem with blogger
« Reply #7 on: August 28, 2012, 04:06:25 PM »
"saved blogger.com/static/v1/layouts/3994510508-layouts.js" might be malicious, don't know don't care, but Telerik's JS files used for the HTML editor are definitly not malicious and Avast is having a false positive on this.

This editor is widely used, on many blog providers, CMS, etc...
True indian, can you provide any information about the file being detected as malicious on the link I provided you ? being in contact with Telerik support, this might help getting things fixed.

farelo

  • Guest
Re: Trojan Problem with blogger
« Reply #8 on: August 28, 2012, 04:07:52 PM »
Its correct detection..this is a malicious appendchild/a child HTML malware

blogger.com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.45.191) blogger.com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter.com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
     info: [img] blogger.com/static/v1/layouts/images/joiner.png
     info: [img] blogger.com/static/v1/layouts/images/
     info: [decodingLevel=0] found JavaScript
     info: DecodedMsg detected /info.ActiveXObject MSXML2.XMLHTTP.6.0
     info: [decodingLevel=1] found JavaScript
     info: file: saved blogger.com/static/v1/layouts/3994510508-layouts.js to (f6833646b30ebc2bb9117decccebd04153441b52)
     file: f6833646b30ebc2bb9117decccebd04153441b52: 194440 bytes <<----Malicious!!!
     file: c5104ee84372a98f27b6a30bbc4c8af9a0ed210e: 735 bytes

If I delete it as malicious because I'm a little lost

david_biggins

  • Guest
Re: Trojan Problem with blogger
« Reply #9 on: August 28, 2012, 04:33:11 PM »
Just to confirm, I've seen "new" blacole (av and c) reports now on two separate websites, including the McAfee user forum at

https://community.mcafee.com/thread/47670

Detection of this only started with today's signatures.   

I have visited both sites on machines running the Microsoft AV, and it's not giving either as having this infection, despite the fact that it is not new malware.

And on one, where I have access to the site content,  I've done full scans with two more AVs without getting a report.

So unless McAfee can have malware on their own forum for at least six hours without noticing, I have to say that I rather suspect it's a false positive.   

If it is, you need to get an update out fast, because the Telerik component is indeed used on a LOT of websites.

Mind,  if Telerik have let out an infected release,  they are the ones going to need a very rapid update,   and a number of other AV companies need to get their acts together on detection.

Best regards

D.

CharlesZdh

  • Guest
Re: Trojan Problem with blogger
« Reply #10 on: August 28, 2012, 04:38:42 PM »
Just to confirm, I've seen "new" blacole (av and c) reports now on two separate websites, including the McAfee user forum at

https://community.mcafee.com/thread/47670

Detection of this only started with today's signatures.   

I have visited both sites on machines running the Microsoft AV, and it's not giving either as having this infection, despite the fact that it is not new malware.

And on one, where I have access to the site content,  I've done full scans with two more AVs without getting a report.

So unless McAfee can have malware on their own forum for at least six hours without noticing, I have to say that I rather suspect it's a false positive.   

If it is, you need to get an update out fast, because the Telerik component is indeed used on a LOT of websites.

Mind,  if Telerik have let out an infected release,  they are the ones going to need a very rapid update,   and a number of other AV companies need to get their acts together on detection.

Best regards

D.

I had Telerik support on phone, they hope they can send us a fix within 24h, wether or not this is a false positive. However, maintain this is a false positive and expect at least a response from AV companies to confirm / decline it.

farelo

  • Guest
Re: Trojan Problem with blogger
« Reply #11 on: August 28, 2012, 04:53:30 PM »
thank you all, we will continue waiting for a solution, let me avast telephone on hold and never go through a telemarketer

david_biggins

  • Guest
Re: Trojan Problem with blogger
« Reply #12 on: August 28, 2012, 04:55:42 PM »
I had Telerik support on phone, they hope they can send us a fix within 24h, wether or not this is a false positive. However, maintain this is a false positive and expect at least a response from AV companies to confirm / decline it.

Useful, thanks Charles.   

D.

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2293
Re: Trojan Problem with blogger
« Reply #13 on: August 28, 2012, 05:03:27 PM »
Hello,
it's FP, fix is just releasing.

Milos

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Trojan Problem with blogger
« Reply #14 on: August 28, 2012, 05:09:53 PM »
Thanks Milos, no actual malware then, but the issue has not completely subsided,
jsunpack flags the code for  CVE-2010-0806 for what that is worth, but I felt I had to report this
See how it is being flagged when analyzing the website code for layouts.js:

blogger dot com/static/v1/layouts/3994510508-layouts.js suspicious
[suspicious:5] (ipaddr:74.125.130.191) blogger dot com/static/v1/layouts/3994510508-layouts.js
     status: (referer=http:/twitter dot com/trends/)saved 194440 bytes f6833646b30ebc2bb9117decccebd04153441b52
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     suspicious: MSIEUseAfterFreePeersDll CVE-2010-0806 detected
The vulnerability, see: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0806
is under review and now has the status of "candidate"
So there is still an issue there for exploitability with CSRF,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!