Author Topic: su2.ff.avast.com - Malicous Website Detected  (Read 16954 times)


Offline elreid1

  • Newbie
  • *
  • Posts: 2
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #15 on: September 11, 2015, 09:09:44 PM »
I've been battling this for 3 days. Ran numerous virus and malware detection programs to no avail. Finally changed the DNS server of my wireless router to Google 8.8.8.8 and haven't had the popups return as of yet. Running Win7, MWB and Avast Internet Security. Verizon FIOS.

REDACTED

  • Guest
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #16 on: September 11, 2015, 09:13:24 PM »
It looks like this is a DNS hijack as reported at Malwarebytes.

https://forums.malwarebytes.org/index.php?/topic/172524-marking-su2ffavastcom-as-malicious/


Many have changed their DNS which fixed the problem without disabling Malwarebytes.

Here is a link to change your DNS.
https://developers.google.com/speed/public-dns/docs/using?hl=en

This problem started 3 days ago on two of my laptops. It may be on my desktop but have not found the annoying popup there that is on these.

I tried to contact AVAST, and MALWAREBYTES... what a laugh.

I am in awe of anyone that can do anything technical wise on a computer.

I can't.

For me to change a DNS would be the equivalent of me being able to split an atom.

What I want to know is if I get away from AVAST completely... though I am paid until 2017... and go with Webroot or another, would that solve the problem?

REDACTED

  • Guest
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #17 on: September 11, 2015, 09:33:47 PM »
I have also changed the dns (to the open one, not google) and that has solved the problem but it was a scary thing to do. First, though, I uninstalled avast and probably won't be coming back since I found another good free antivirus program.

REDACTED

  • Guest
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #18 on: September 11, 2015, 10:14:56 PM »
Here is a response from Avast in the other thread regarding this.
https://forum.avast.com/index.php?topic=176229.15

Until they update the program you can disable Web Protection or change your DNS settings. Verizon seems to be the ISP with most issues but once I changed to Google's DNS or another DNS the pop-ups stopped.

CyberTom
----------------

Re: su2.ff.avast.com
« Reply #28 on: Today at 01:05:30 PM »
Hi All,
there's a legacy piece of code trying to reach obsolete domain su2.ff.avast.com. It wasn't doing any harm up until recently as every DNS server should be reporting that domain as non-existent.

Note this response from Google DNS servers:

nslookup su2.ff.avast.com 8.8.8.8
Server:         8.8.8.8
Address:        8.8.8.8#53

** server can't find su2.ff.avast.com: NXDOMAIN


What seems to be happening is this. Some ISPs are possibly using this service www.barefruit.co.uk for returning custom (advertising?) content to many network related errors, like non-existent domains. And MBAM seems to start having issues with this content or a set of IP ranges, reporting it as a malware content.

We'll disable queries to this domain into the next available release which should resolve the problem with this particular non-existent domain. But the other part of the problem lies elsewhere, ISP serving custom content on invalid requests (DNS, HTTP) and MBAM reporting it as malware.

Regards.
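
The check described in the quoted reply above, generalised as an added example (not part of the original thread and not Avast's or Malwarebytes' code): ask a resolver for a name that should not exist and see whether it answers NXDOMAIN or synthesises an address. The `example.com` zone, the random label and the sample reply bytes are assumptions constructed for illustration.

```python
import secrets
import socket
import struct

NXDOMAIN = 3  # RCODE "Name Error" (RFC 1035)

def build_query(name, txid):
    """Encode an A/IN query for `name` with the RD (recursion desired) bit set."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    parts = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in parts) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE=A, QCLASS=IN

def classify(response, txid):
    """Classify a resolver's reply to a query for a name known not to exist."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!6H", response[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    rcode = flags & 0x000F
    if rcode == NXDOMAIN:
        return "honest"        # resolver reports the name as non-existent
    if rcode == 0 and ancount > 0:
        return "rewritten"     # resolver synthesised an answer for a missing name
    return "inconclusive"      # SERVFAIL, REFUSED, empty NOERROR, ...

def probe(resolver_ip, zone="example.com", timeout=3.0):
    """Ask `resolver_ip` for a random label under `zone` and classify the reply."""
    txid = secrets.randbits(16)
    name = f"{secrets.token_hex(10)}.{zone}"  # assumed not to exist in the zone
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (resolver_ip, 53))
        response, _ = sock.recvfrom(512)
    return classify(response, txid)

# Constructed sample replies (header + echoed question; not captured traffic).
_Q = build_query("su2.ff.avast.com", 0x1234)[12:]
SAMPLE_NXDOMAIN = struct.pack("!6H", 0x1234, 0x8183, 1, 0, 0, 0) + _Q
SAMPLE_REWRITTEN = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0) + _Q
                    + b"\xc0\x0c" + struct.pack("!2HIH", 1, 1, 60, 4)
                    + bytes([192, 0, 2, 1]))  # 192.0.2.1 is a documentation address

if __name__ == "__main__":
    print(classify(SAMPLE_NXDOMAIN, 0x1234), classify(SAMPLE_REWRITTEN, 0x1234))
```

Calling `probe()` with the address of the ISP-assigned resolver and again with a public one such as 8.8.8.8 shows whether the two disagree about a missing name.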

REDACTED

  • Guest
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #19 on: September 13, 2015, 12:15:01 AM »
Well, I got a reply from Malwarebytes regarding this.

They sent me to a link that suggested as others have done to change the DNS.

They also suggested if using Avast to try one of theirs, which I did first.

Then I tried the Google ones they suggested.

NO help for me.......

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #20 on: September 13, 2015, 12:34:57 PM »
When one does a DNS scan for the nameserver of su2.ff.avast one gets bad zone: Could not get name servers for 'pns.avast.com'.
See: http://toolbar.netcraft.com/site_report?url=su2.ff.avast.com
See: http://who.is/nameserver/pns.avast.com/
Delegation not found at parent: http://dnscheck.pingdom.com/?domain=pns.avast.com&timestamp=1442139880&view=1
Not enough nameserver information was found to test the zone pns.avast.com, but an IP address lookup succeeded in spite of that.
Re: http://www.tcpiputils.com/browse/ip-address/91.213.143.1
So is there something misconfigured?
Re: https://www.metricsbot.com/nameserver/pns.avast.com/
Also consider my posting here: https://forum.avast.com/index.php?topic=154511.0

Name Server
pns.avast.com is a known Domain Name Server. This server provides name services (DNS) for the following domains:
avast.com -> http://www.dnsinspect.com/avast.com/1442140070
Warning: WARNING: Found stealth name servers:
ns6.avast.com.
sns.avast.com.
This should not be: WARNING: Name servers software versions are exposed:
91.213.143.1: "9.3.6-P1-RedHat-9.3.6-25.P1.el5_11.2" hostname: pns.avast.com
 domain  ISC BIND 9.3.6-25.P1.el5_11.2
Service Info: OS: Red Hat Enterprise Linux; CPE: cpe:/o:redhat:enterprise_linux
Should be updated: https://rhn.redhat.com/errata/RHSA-2014-1984.html
SRPMS:
bind-9.3.6-25.P1.el5_11.2.src.rpm
File outdated by:  RHSA-2015:1706       MD5: 219d9fcc20de4b8ebe01a9014fe8a52b
SHA-256: c6c46ab655778236a30e364d10d4766f69f2858f2da37aa296dfde8a79cb8d38

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #21 on: September 18, 2015, 01:02:56 AM »

Re: su2.ff.avast.com
« Reply #30 on: Today at 12:59:53 AM »


Quote from: JBG on September 11, 2015, 01:05:30 PM

    Hi All,
    there's a legacy piece of code trying to reach obsolete domain su2.ff.avast.com. It wasn't doing any harm up until recently as every DNS server should be reporting that domain as non-existent.

    Note this response from Google DNS servers:

    nslookup su2.ff.avast.com 8.8.8.8
    Server:         8.8.8.8
    Address:        8.8.8.8#53

    ** server can't find su2.ff.avast.com: NXDOMAIN


    What seems to be happening is this. Some ISPs are possibly using this service www.barefruit.co.uk for returning custom (advertising?) content to many network related errors, like non-existent domains. And MBAM seems to start having issues with this content or a set of IP ranges, reporting it as a malware content.

    We'll disable queries to this domain into the next available release which should resolve the problem with this particular non-existent domain. But the other part of the problem lies elsewhere, ISP serving custom content on invalid requests (DNS, HTTP) and MBAM reporting it as malware.

    Regards.


The latest version of Avast did not seem to fix this issue. Once I switched back to Verizon DNS the pop-ups re-occurred.

Offline 1234ava

  • Full Member
  • ***
  • Posts: 161
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #22 on: September 18, 2015, 05:23:21 PM »
I want someone from Avast to address this issue.  This is silly, the transmittal is coming from their system and is annoying.

I'm not from avast, but an avast user just like yourself - If this is DNS Hijacking as has been suggested on the malwarebytes forum, then this is somewhat different when saying who is at fault.

Are you aware what DNS hijacking is? When your computer/browser tries to access a site that is shown in a user friendly/readable form such as su2.ff.avast.com, it checks against 'your' DNS server, commonly provided by your ISP, to get the IP address.

If that DNS has been hijacked then it can return a different IP address, which could be considered malicious. But if it is your ISP's DNS server that has been hijacked then they have to resolve that. This is why not everyone is affected by this and why the suggestion to change your DNS server resolves this problem, when nothing has changed in avast.

So it isn't as clear cut as you might think.

I don't use MBAM *Pro*, but I think MBAM correctly reports DNS redirection because it is suspicious, even though in this particular case it is not due to malicious activity but, partially, to mere sloppiness on Avast's side ("the use of a hostname that does not resolve (and hasn't done for months)," https://forums.malwarebytes.org/index.php?/topic/172548-infected-by-su2ffavastcom-ip-9224214021-dns-hijacking/?p=988597 ), and to some ISPs' policies (hijacking invalid requests and redirecting to unrelated sites).

I am happy I use OpenDNS anyway :)

Offline bob3160

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 48561
  • 64 Years of Happiness
    • bob3160 Protecting Yourself, Your Computer and, Your Identity
Re: su2.ff.avast.com - Malicous Website Detected
« Reply #23 on: September 18, 2015, 05:46:17 PM »
Avast has already mentioned that the fix for this was too late for the current new release
and probably will not be included till Avast 2016 is released.