Author Topic: False Positive?  (Read 2876 times)


Offline Paul McKeown

  • Newbie
  • *
  • Posts: 9
False Positive?
« on: December 01, 2013, 02:20:17 PM »
Accessing the page hxtp://chessarbitersassociation.co.uk/html/laws.html (or any page on that site), causes Avast to alert that a threat has been detected.  It seems to object to hxtp://www.watchmytraffic.com/ ... very long hex number ... /counter.img?theme

However, I contacted the owners of this site, and they reassure me that there is no problem.

Advice, anyone?
« Last Edit: December 03, 2013, 04:11:03 PM by Milos »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36541
  • Weihrauch Airguns
Re: False Positive?
« Reply #1 on: December 01, 2013, 03:27:21 PM »
and what does avast say? .... a screenshot of the popup would help

see here under Recent reports on same IP/ASN/Domain (IP 146.255.37.1)  http://urlquery.net/report.php?id=8091021
Three URLs with alerts that use same IP

one With Detected malicious iframe injection  http://urlquery.net/report.php?id=8005613  /  http://sitecheck.sucuri.net/results/sargisknyazyan.com/
Intrusion Detection Systems : two URL found that give Suricata filter alert http://urlquery.net/report.php?id=7878816  /  http://urlquery.net/report.php?id=7697086

the first one is Blacklisted by
http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=sargisknyazyan.com
http://www.siteadvisor.com/sites/sargisknyazyan.com
http://www.yandex.com/infected?url=sargisknyazyan.com&l10n=en
« Last Edit: December 01, 2013, 03:45:29 PM by Pondus »

Offline Paul McKeown

  • Newbie
  • *
  • Posts: 9
Re: False Positive?
« Reply #2 on: December 01, 2013, 09:15:13 PM »
Relevant part of screenshot attached.

You can, of course reproduce this for yourself, simply by opening the URL.

Offline Paul McKeown

  • Newbie
  • *
  • Posts: 9
Re: False Positive?
« Reply #3 on: December 03, 2013, 08:24:49 AM »
Have looked at this more closely.  Basically the page seems to access wxw.watchmytraffic.com.  Any attempt to access wxw.watchmytraffic.com triggers Avast's network shield.  Can't seem to find any information about this site on the web.  Help, please!
« Last Edit: December 03, 2013, 04:11:24 PM by Milos »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 36541
  • Weihrauch Airguns
Re: False Positive?
« Reply #4 on: December 03, 2013, 08:40:56 AM »
if you think the block is wrong, report it here  http://www.avast.com/contact-form.php  (select subject according to your case)
you may add a link to this topic in case they reply here


Offline Paul McKeown

  • Newbie
  • *
  • Posts: 9
Re: False Positive?
« Reply #5 on: December 03, 2013, 02:07:02 PM »
Problem resolved.  Site owner has removed the counter.  Avast now happy.

Topic can be closed.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32243
  • malware fighter
Re: False Positive?
« Reply #6 on: December 03, 2013, 02:23:57 PM »
I do not know why avast has problems with this site.
General insecurities: https://asafaweb.com/Scan?Url=www.watchmytraffic.com
I think it is the same issue that is being alerted in another thread here for:
apis.google.com/_/scs/apps-static/_/js/k=oz.gapi.US.GHsxhfTekA0.O/m=unsupported/rt=j/sv=1/d=1/ed=1/am=EQ/rs=AItRSTOy15VI10uyl9vKgAUpXrSwJETA/cb=gapi.0 benign

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Milos

  • Avast team
  • Super Poster
  • *
  • Posts: 2133
Re: False Positive?
« Reply #7 on: December 03, 2013, 04:12:34 PM »
Hello,
on the watchmytraffic.com there are fake Zaccess counters.

Milos

Offline nei1

  • Newbie
  • *
  • Posts: 18
Re: False Positive?
« Reply #8 on: July 28, 2015, 08:30:37 PM »
http://homeopathy-forall.blogspot.com ...

... and all of his webpages.  According to my avast! pop-up warnings, they all have the watchmytraffic counter.

I was able to send the owner of those pages a message about the Zaccess counters using google+.  A little googling shows that Zaccess delivers a backdoor to users' computers that can be used to turn them into zombies.

If he writes back, I'll remember to use the word "Trojan."

Thanks to Milos for specifying what type of danger lurks within watchmytraffic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 32243
  • malware fighter
Re: False Positive?
« Reply #9 on: July 29, 2015, 01:41:01 AM »
Hi  Paul McKeown,

On the original website reported there is also rollover.js script vulnerable to code injection via document.writeln etc.
"In 2014 an iFrame that seamlessly redirected browsing users to an exploit was buried in one of the Javascript files that were served by the web server specifically at hxxp://www.hatobus.co.jp/js/rollover.js." So such malware schemes are definitely probable (note from me, pol).
With non-properly parsed URLs there onmouseover is XSS-exploitable.
XSS-Dom Results from scanning URL: htxp://chessarbitersassociation.co.uk/assets/rollover.js
Number of sources found: 17
Number of sinks found: 6

polonus (volunteer website security analyst and website error-hunter)

P.S. For the watchmytraffic counter malware read: http://jira.jtalks.org/browse/JC-1553

D
« Last Edit: July 29, 2015, 01:53:38 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
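The "sources found / sinks found" tally above comes from a DOM-XSS scanner; the following added example (not from the thread, not the real rollover.js) shows what such a tally measures: it counts attacker-influenced inputs (sources) and HTML/code-interpreting APIs (sinks) in a JavaScript file and reports lines where the two meet. The sample script is constructed.

```python
"""Count DOM-XSS taint sources and sinks in JavaScript source, the kind of tally
the scanner output in the thread reports. Added example, not from the thread;
the sample script is constructed and is not the real rollover.js."""
import re

# Attacker-influenced values a script may read (taint sources).
SOURCES = [
    r"\blocation\.(?:href|search|hash|pathname)\b",
    r"\bdocument\.(?:URL|documentURI|referrer|cookie)\b",
    r"\bwindow\.name\b",
]
# APIs that interpret a string as HTML or code (taint sinks).
SINKS = [
    r"\bdocument\.write(?:ln)?\s*\(",
    r"\.(?:innerHTML|outerHTML)\s*=",
    r"\binsertAdjacentHTML\s*\(",
    r"\beval\s*\(",
    r"\bsetTimeout\s*\(\s*['\"]",
]

def scan_js(source):
    """Return {'sources': n, 'sinks': n, 'tainted_lines': [...]}.

    A line is tainted when it holds both a source and a sink, i.e. untrusted
    input reaches an HTML/code sink with no intermediate step. Comments are
    stripped first so commented-out code is not counted (a '//' inside a
    string literal would also be treated as a comment; acceptable for triage)."""
    code = re.sub(r"/\*.*?\*/|//[^\n]*", "", source, flags=re.S)
    src_re = re.compile("|".join(SOURCES))
    sink_re = re.compile("|".join(SINKS))
    tainted = [n for n, line in enumerate(code.splitlines(), 1)
               if src_re.search(line) and sink_re.search(line)]
    return {"sources": len(src_re.findall(code)),
            "sinks": len(sink_re.findall(code)),
            "tainted_lines": tainted}

# Constructed sample modelled on a rollover helper that echoes the query string.
SAMPLE_JS = """// image rollover helper (constructed sample)
function swap(img, src) { img.src = src; }
var theme = location.search.substring(1);
document.writeln('<img src="/img/' + theme + '.png">');
document.getElementById('nav').innerHTML = '<a>' + window.name + '</a>';
/* document.write(location.hash); commented out, must not be counted */
"""

if __name__ == "__main__":
    print(scan_js(SAMPLE_JS))
```

Same-line matching misses flows that pass through a variable (line 3 feeds line 4 in the sample), so treat a non-zero source and sink count as a prompt for manual review, not as proof of exploitability.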