Author Topic: I keep getting the identical "threat detected warning"  (Read 15669 times)


REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #30 on: October 29, 2014, 12:56:48 PM »
Thanks.  I will wait a day or two to see if the messages stop coming and then I'll continue with my own post if necessary.

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #31 on: October 29, 2014, 07:11:35 PM »
I was asked about this and visited and refreshed Drudge using both Firefox and Chrome and received the same Avast error.  I viewed the source and was like wow, talk about a lot of ad and tracking scripts being loaded from many 3rd party non-Drudge sites.  That cannot be good if you care about privacy and raises your risk of infection.  This is why I recommend that people use aggregators and sites like newslookup that host all content locally without tracking.

With that said I took a look at the source and at least found part of the code that triggers the alert.

Code:
<script type="text/javascript" src="http://cdn.intermarkets.net/u/Intermarkets/DrudgeReport/drudgereport_targeting.js"></script>

contains this line:

Code:
document.write('<scr' + 'ipt type="text/javascript" src=\'http://neo.go.sonobi.com/trinity.js?key_maker=' + JSON.stringify(associations) + '\'></scr' + 'ipt>');

neo.go.sonobi.com in the code above will sometimes resolve to 54.191.159.30.  I downloaded the trinity.js file and at the moment I downloaded it from that IP it only contained the following code. (to be safe do not try downloading this, I performed the download outside the browser in isolation)

Code:
sbi_trinity={};sbi_dc='aws.';
// 0.000019 -6.37

So either this is triggering Avast, it is triggering something else in the script that triggers Avast, or at the time I downloaded trinity.js the offending malware was absent.

I suspect the problem appears not only with Drudge but will happen if you visit other sites that use sonobi.com ad technology when the trinity.js file resolves to 54.191.159.30.  For example I tried another site that uses Sonobi ad servers today and received the same message.  Perhaps that one Sonobi IP is hosting malware since the error is not consistent with other sonobi.com IPs.

« Last Edit: October 29, 2014, 11:10:29 PM by michael230 »
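The `'<scr' + 'ipt'` split in the targeting script quoted above is a common way to keep the HTML parser from seeing a script tag inside a string literal; it also defeats a naive search for `<script src=` when you audit which third-party hosts a page pulls code from. As an added example (not code from the thread, from Avast, or from any of the sites named), here is a small Python scanner that finds `document.write(...)` calls in a JavaScript file, joins the concatenated literals back together, keeps non-literal terms such as `JSON.stringify(associations)` as `{...}` placeholders, and reports the host each injected script would be fetched from. The sample input is constructed from the two lines quoted in the post; all function names are my own.

```python
import re
from urllib.parse import urlsplit

# Constructed input: the lines quoted in the post above, embedded so the
# scanner runs offline.
SAMPLE_JS = r"""
sbi_trinity={};sbi_dc='aws.';
document.write('<scr' + 'ipt type="text/javascript" src=\'http://neo.go.sonobi.com/trinity.js?key_maker=' + JSON.stringify(associations) + '\'></scr' + 'ipt>');
"""

DOC_WRITE = re.compile(r"document\.write\s*\(")
SCRIPT_SRC = re.compile(r"<script\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)


def _string_literal(src, i):
    """Consume the JS string literal whose opening quote is at src[i].
    Returns (decoded value, index after the closing quote). Quote and
    backslash escapes are decoded; any other backslash escape simply
    keeps the escaped character, which is enough for reassembling HTML."""
    quote = src[i]
    out, j = [], i + 1
    while j < len(src) and src[j] != quote:
        if src[j] == "\\" and j + 1 < len(src):
            out.append(src[j + 1])
            j += 2
        else:
            out.append(src[j])
            j += 1
    return "".join(out), j + 1


def reassemble(expr):
    """Join a JS '+' concatenation into one string. Literal pieces are
    concatenated; any non-literal term (a call, a variable) becomes a
    {...} placeholder so the shape of the URL stays visible."""
    parts, i, n = [], 0, len(expr)
    while i < n:
        c = expr[i]
        if c in " \t\r\n+":
            i += 1
        elif c in "'\"":
            val, i = _string_literal(expr, i)
            parts.append(val)
        else:
            # dynamic term: read up to the next top-level '+' or the end
            depth, j = 0, i
            while j < n and not (expr[j] == "+" and depth == 0):
                if expr[j] in "([{":
                    depth += 1
                elif expr[j] in ")]}":
                    depth -= 1
                j += 1
            parts.append("{" + expr[i:j].strip() + "}")
            i = j
    return "".join(parts)


def _call_argument(js, start):
    """Return the text from js[start] (just after a '(') up to its matching ')',
    skipping over parentheses that sit inside string literals."""
    depth, in_str, i = 1, None, start
    while i < len(js) and depth:
        c = js[i]
        if in_str:
            if c == "\\":
                i += 1
            elif c == in_str:
                in_str = None
        elif c in "'\"":
            in_str = c
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return js[start:i - 1]


def find_written_scripts(js):
    """List the script URLs that document.write(...) calls in js would inject,
    with the host each one would be fetched from and whether part of the
    URL is computed at run time."""
    found = []
    for m in DOC_WRITE.finditer(js):
        html = reassemble(_call_argument(js, m.end()))
        for tag in SCRIPT_SRC.finditer(html):
            url = tag.group(1)
            found.append({"url": url, "host": urlsplit(url).hostname,
                          "dynamic": "{" in url})
    return found


if __name__ == "__main__":
    for s in find_written_scripts(SAMPLE_JS):
        print(f"{s['host']:<22} dynamic={s['dynamic']}  {s['url']}")
```

Run against the sample it reports one injected script from `neo.go.sonobi.com` with a run-time computed `key_maker` query parameter, which is exactly the part a static grep of the page source would have missed. Point it at a saved copy of any site's first-party scripts to get the same inventory of dynamically injected third-party hosts.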

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37533
  • Not a avast user
Re: I keep getting the identical "threat detected warning"
« Reply #32 on: October 29, 2014, 07:18:56 PM »
Quote
So this is triggering avast or it is triggering something else in the script that triggers avast or at the time I download trinity.js the offending malware was absent.
If Avast says URL:Mal, it means the URL or IP is blacklisted for whatever reason.


trinity.js
https://www.virustotal.com/nb/file/6045685ea0f2b49ecd3ae53362013b3bec324deff62c935bc00f90ea727449e4/analysis/1414606542/



« Last Edit: October 29, 2014, 07:23:38 PM by Pondus »

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #33 on: October 29, 2014, 07:35:17 PM »
Avast does say URL:Mal.  So it sounds like the one IP that neo.go.sonobi.com resolves to is blacklisted and not neo.go.sonobi.com.  That would explain why the error is intermittent only occurring when neo.go.sonobi.com resolves to IP 54.191.159.30.   The only doubt I would have there is if the script was not always loading on each refresh but I think it is.

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #34 on: October 29, 2014, 07:38:20 PM »
Why does whois.com say the IP belongs to Amazon.com? I posted the information yesterday.

I just opened Drudge and it didn't happen.

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #35 on: October 29, 2014, 07:56:39 PM »
It is Amazon's cloud hosting, of which Sonobi is likely a customer.   The alert will only happen when neo.go.sonobi.com resolves to that IP.  There are several other IPs assigned to neo.go.sonobi.com.
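The intermittent alert described in Reply #33 and Reply #35 is what you get when a hostname has several A records and only one of them is on a blocklist: each page load picks one answer, so some loads are clean and some are blocked. As an added example (not code from the thread, from Avast, or from Sonobi), this Python check resolves a host repeatedly and reports which of its answers fall inside a blocklist of addresses or CIDR ranges, and how many of the lookups would have handed a client a listed address. Live resolution goes through the system resolver; for the offline run it uses a constructed round-robin table in which `neo.go.sonobi.com` has two made-up sibling addresses from the documentation range beside the 54.191.159.30 address quoted in the thread. Function names and the table are my own.

```python
import socket
import ipaddress
from collections import Counter

# Constructed stand-in for live DNS. Only 54.191.159.30 comes from the thread;
# the 203.0.113.x and 198.51.100.x addresses are documentation-range fillers.
FAKE_DNS = {
    "neo.go.sonobi.com": ["203.0.113.10", "203.0.113.11", "54.191.159.30"],
    "cdn.intermarkets.net": ["198.51.100.7"],
}


def make_round_robin_resolver(table):
    """Return a resolver that hands out one address per call, rotating through
    the answers the way a client sees a round-robin DNS response."""
    calls = Counter()

    def resolve(host):
        answers = table.get(host)
        if not answers:
            raise socket.gaierror(f"no answer for {host}")
        ip = answers[calls[host] % len(answers)]
        calls[host] += 1
        return [ip]

    return resolve


def live_resolve(host):
    """Real lookup: every address the system resolver returns right now."""
    infos = socket.getaddrinfo(host, 80, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def load_blocklist(entries):
    """Accept single addresses ("54.191.159.30") or CIDR ranges ("54.191.0.0/16")."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_listed(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def check_host(host, blocklist, resolve=live_resolve, rounds=5):
    """Resolve `host` `rounds` times and report which answers are listed and
    how many of the lookups would have given a client a listed address."""
    nets = load_blocklist(blocklist)
    seen, listed_rounds, failures = Counter(), 0, 0
    for _ in range(rounds):
        try:
            answers = resolve(host)
        except socket.gaierror:
            failures += 1
            continue
        seen.update(answers)
        if any(is_listed(ip, nets) for ip in answers):
            listed_rounds += 1
    return {
        "host": host,
        "addresses": sorted(seen),
        "listed": sorted(ip for ip in seen if is_listed(ip, nets)),
        "rounds_with_listed_answer": listed_rounds,
        "rounds": rounds,
        "failed_lookups": failures,
    }


if __name__ == "__main__":
    resolver = make_round_robin_resolver(FAKE_DNS)
    for name in FAKE_DNS:
        print(check_host(name, ["54.191.159.30"], resolve=resolver, rounds=6))
```

With the constructed table, five lookups of `neo.go.sonobi.com` return the listed address exactly once, which reproduces the "sometimes blocked, sometimes not" pattern from the thread; swapping in `live_resolve` (the default) turns the same function into a quick way to confirm whether a host you are seeing alerts for still has a listed address among its answers.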

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #36 on: October 29, 2014, 08:00:46 PM »
All right; I'm not entirely clear on this, but is it possible this is an innocent error, or is sonobi a bad player? If the former, can the company be notified and fix what's wrong with its coding?

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #37 on: October 29, 2014, 10:31:52 PM »
It was put on the list because that IP address was at one time and likely still is serving malware.  If it was not sonobi malware or their server was not hacked, it could be one of the other websites being hosted on that IP.  It looks like there are 6 other spammy looking web domains hosted on that IP address that come up as serving malware.

The whois owner of those odd domains is hidden but I think it is unlikely they are owned by Sonobi and likely they are spammer-hacker domains.  The domain names are just a random mix of numbers and letters that is typical of a spammer-hacker.

Does not say a lot about Sonobi that they are hosting customer ads on shared hosting, nor about their clients that are putting their customers at risk.

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #38 on: October 29, 2014, 11:16:44 PM »
In other words, we can never find out what's really going on but can only clean our systems?

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48567
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: I keep getting the identical "threat detected warning"
« Reply #39 on: October 29, 2014, 11:21:25 PM »
In other words, we can never find out what's really going on but can only clean our systems?
If you've properly submitted this to Avast and they determine it's a false positive,
the site in question should be accessible after the next VPS update.
If the site is infected or blocked for various reasons, the site needs to be cleaned and resubmitted
for a new analysis before access to the site would be allowed.
Free Security Seminar: https://bit.ly/bobg2023  -  Important: http://www.organdonor.gov/ -- My Web Site: http://bob3160.strikingly.com/ - Win 11 Pro v22H2 64bit, 16 Gig Ram, 1TB SSD, Avast Free 23.5.6066, How to Successfully Install Avast http://goo.gl/VLXde Repair & Clean Install https://goo.gl/t7aJGq -- My Online Activity https://bit.ly/BobGInternet

REDACTED

  • Guest
Re: I keep getting the identical "threat detected warning"
« Reply #40 on: October 30, 2014, 12:19:46 AM »
In other words, we can never find out what's really going on but can only clean our systems?

As you described and I demonstrated, Avast blocked that URL which was being called from the website you were visiting.  I really do not see how you were infected but I understand the concern since what if Avast missed something.  When I downloaded the javascript I see no code unless it is buried somewhere else or loading intermittently directly from that server making it difficult to find.

There are probably a lot of Avast users who are intermittently getting this error when they visit Drudge or any website using sonobi.com for ads that happens to hit that particular Sonobi IP to load an ad.   Even if the javascript is no longer infected and Avast clears it I would be concerned visiting a site that loads ads from a server that is shared with hackers/spammers.
« Last Edit: October 30, 2014, 12:22:30 AM by michael230 »

Offline bgranat

  • Jr. Member
  • **
  • Posts: 91
    • Granat Editorial Services
Re: I keep getting the identical "threat detected warning"
« Reply #41 on: October 30, 2014, 12:55:58 AM »
Thanks for your thoughts, Michael!