Author Topic: Malware detected during online RosettaStone session?  (Read 14924 times)

StupidHuman

  • Guest
Malware detected during online RosettaStone session?
« on: August 27, 2008, 06:59:31 PM »
I have recently started using the on-line version of RosettaStone Spanish (Latin America) and during use AVAST warns and blocks part of the session.

The following is from the AVAST log:

8/27/2008 7:45:39 AM   SYSTEM   1360   Sign of "Other:Malware-gen" has been found in "http://resources.rosettastone.com/rs3/content/data/64/1/64198ec9c24f33bc9e4ea3c2c72d8824d0a85e4c" file. 

Is this a false alarm?
How can I work around it other than to disable AVAST?

Thanks in advance.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Malware detected during online RosettaStone session?
« Reply #1 on: August 27, 2008, 09:13:03 PM »
Dr. Web returned clean.
Please, edit your link or it will be live to malware or false positive! Use hxxp instead of http.
Maybe you can add the URL to the WebShield exceptions using:
http://resources.rosettastone.com/*
The best things in life are free.

PotatoMan

  • Guest
Re: Malware detected during online RosettaStone session?
« Reply #2 on: August 27, 2008, 11:15:04 PM »
> I have recently started using the on-line version of RosettaStone Spanish (Latin America) and during use AVAST warns and blocks part of the session.
>
> The following is from the AVAST log:
>
> 8/27/2008 7:45:39 AM   SYSTEM   1360   Sign of "Other:Malware-gen" has been found in "http://resources.rosettastone.com/rs3/content/data/64/1/64198ec9c24f33bc9e4ea3c2c72d8824d0a85e4c" file.
>
> Is this a false alarm?
> How can I work around it other than to disable AVAST?
>
> Thanks in advance.

This is most likely a false positive. avast! detects this and doesn't even have a name. Other.Malware? Definite false positive

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88895
  • No support PMs thanks
Re: Malware detected during online RosettaStone session?
« Reply #3 on: August 28, 2008, 01:04:30 AM »
Sorry, but I beg to differ. In malware-gen, the -gen indicates generic signatures, which have proven very effective in detecting hacked sites in the past, though that is normally seen as win32:malware-gen or win32:trojan-gen, and further analysis of the page has found either iframe tags added to the page or JavaScript with obfuscated code.

However, that page appears not to be a normal web page.

So I don't think we can make that false positive statement; it needs further analysis. Uploading it to VirusTotal shows this has been scanned before, on 17/7/2008, and only two AVs detected it, Cat_Quickheal and Nod32. They both detected it as SWF.Exploit (Shock Wave Flash Exploit), which would possibly account for the other:malware-gen name given by avast.

A fresh analysis now shows avast and GData (uses avast as one of its engines) detecting it as other:malware-gen, with the original two detections still the same swf.exploit.

http://www.virustotal.com/analisis/f452eeb26fda95c2c654638299f744c7

With only 4 (3) of 36 (35) detections on VT it could possibly be an FP and should be sent to avast.

Edit: Sample sent, now we wait.
« Last Edit: August 28, 2008, 01:07:25 AM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

PotatoMan

  • Guest
Re: Malware detected during online RosettaStone session?
« Reply #4 on: August 28, 2008, 01:47:33 AM »
> Sorry, but I beg to differ. In malware-gen, the -gen indicates generic signatures, which have proven very effective in detecting hacked sites in the past, though that is normally seen as win32:malware-gen or win32:trojan-gen, and further analysis of the page has found either iframe tags added to the page or JavaScript with obfuscated code.
>
> However, that page appears not to be a normal web page.
>
> So I don't think we can make that false positive statement; it needs further analysis. Uploading it to VirusTotal shows this has been scanned before, on 17/7/2008, and only two AVs detected it, Cat_Quickheal and Nod32. They both detected it as SWF.Exploit (Shock Wave Flash Exploit), which would possibly account for the other:malware-gen name given by avast.
>
> A fresh analysis now shows avast and GData (uses avast as one of its engines) detecting it as other:malware-gen, with the original two detections still the same swf.exploit.
>
> http://www.virustotal.com/analisis/f452eeb26fda95c2c654638299f744c7
>
> With only 4 (3) of 36 (35) detections on VT it could possibly be an FP and should be sent to avast.
>
> Edit: Sample sent, now we wait.

avast! cannot even identify the malware, and only four AVs detected it, but it isn't a false positive?

Obviously this could be an example of outdated JavaScript that produced errors, causing an FP.

This is a very common error in avast!; most things that have tools to change system settings are automatically Win32.Trojan-Gen or something else. Hopefully this will be fixed in V5.

Offline DavidR

Re: Malware detected during online RosettaStone session?
« Reply #5 on: August 28, 2008, 02:02:09 AM »
The fact that avast has used the term Other doesn't mean anything in that it can't identify the malware and avast has obviously found it isn't win32: or vbs: or ja:, etc. so they have a group catering for others.

The generic signatures, which are trying to catch different groups of malware, have been catching many hacks and exploits that others are catching; you only have to do a search for win32:trojan-gen in the forums to see this.

I never said it wasn't a false positive, just that you can't say because there is a limited number of hits that it is a false positive, but that it needed further investigation and that is why I snagged a copy and uploaded it to VirusTotal and posted the results.

And if you read all of my post (which you quoted) I even said it could be an FP and should be sent to avast which I did. So far from saying it isn't a false positive all I have said is that we can't rule out that it isn't a good detection but one that requires further analysis. Nothing more nothing less.

kubecj

  • Guest
Re: Malware detected during online RosettaStone session?
« Reply #6 on: August 28, 2008, 11:44:15 AM »
Other just means that we don't distinguish between the viral platforms. This particular file was a suspicious Flash file, and it was automatically included in the detections. I manually re-evaluated it and saw it's a broken file, so I removed it from the detections and moved it into the trash bin.

But DavidR is right. The way we name the malware has nothing to do with the quality of detection, and there is nothing 'to fix' in v5.

Offline DavidR

Re: Malware detected during online RosettaStone session?
« Reply #7 on: August 28, 2008, 03:09:03 PM »
Thanks, kubecj, I take it this correction will be in the next VPS update (still detected with 082708-0) ?

Not that this will fix the broken file on the site.

kheldan

  • Guest
Re: Malware detected during online RosettaStone session?
« Reply #8 on: September 03, 2008, 01:30:27 PM »
Same site different false positive?

I'm getting the following from the realtime protection in Avast when going through the online Italian course at Rosetta Stone...

02/09/2008 2:01:43 PM   SYSTEM   1840   Sign of "SWF:CVE-2007-0071 [Expl]" has been found in "hxxp://resources.rosettastone.com/rs3/content/data/73/2/73245741ded6a46a4e4303c50ec88f6767c4b021" file. 
02/09/2008 2:02:14 PM   SYSTEM   1840   Sign of "SWF:CVE-2007-0071 [Expl]" has been found in "hxxp://resources.rosettastone.com/rs3/content/data/3f/a/3fa2fe1c7a8ac919a2462a1aa872c8e657082a03" file.

I highly doubt this is true; in fact, a visit to Rosetta Stone's support site and a search for the keyword "Virus" informs you that many virus detection tools in 2007 detected the language files in the CD-ROM version of the tool as viruses.

What are your thoughts?
« Last Edit: September 03, 2008, 01:37:27 PM by kheldan »

kubecj

  • Guest
Re: Malware detected during online RosettaStone session?
« Reply #9 on: September 03, 2008, 04:00:09 PM »
Checked using the latest version, no detection. Also the files are broken, so there is no guarantee what we can find in them  ::)

kheldan

  • Guest
Re: Malware detected during online RosettaStone session?
« Reply #10 on: September 03, 2008, 05:51:53 PM »
It was showing up yesterday around 2:30PM with yesterday's definition files when going through the course... I'll have to test it later today.

Thanks for the quick response
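
Added example, not part of any post in this thread: a small Python parser for the avast! log lines quoted above. It splits each detection name into its prefix and name (the part discussed in replies #5 and #6), groups hits by host, and rewrites URLs to hxxp before they are reposted. The field names and the regular expression are assumptions derived only from the three quoted lines; the meaning of the fourth column is not stated in the thread, and timestamps are kept as text because the two posters appear to use different date orders.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the three log lines quoted in the thread.
SAMPLE_LOG = '''\
8/27/2008 7:45:39 AM   SYSTEM   1360   Sign of "Other:Malware-gen" has been found in "http://resources.rosettastone.com/rs3/content/data/64/1/64198ec9c24f33bc9e4ea3c2c72d8824d0a85e4c" file.
02/09/2008 2:01:43 PM   SYSTEM   1840   Sign of "SWF:CVE-2007-0071 [Expl]" has been found in "hxxp://resources.rosettastone.com/rs3/content/data/73/2/73245741ded6a46a4e4303c50ec88f6767c4b021" file.
02/09/2008 2:02:14 PM   SYSTEM   1840   Sign of "SWF:CVE-2007-0071 [Expl]" has been found in "hxxp://resources.rosettastone.com/rs3/content/data/3f/a/3fa2fe1c7a8ac919a2462a1aa872c8e657082a03" file.
'''

# Assumed layout: timestamp, account, a numeric column, then the message.
LINE_RE = re.compile(
    r'^(?P<when>\S+ \S+ [AP]M)\s+(?P<account>\S+)\s+(?P<num>\d+)\s+'
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<url>[^"]+)" file\.'
)

def defang(url):
    """Rewrite http(s):// as hxxp(s):// so a pasted link is not clickable."""
    return re.sub(r'^http', 'hxxp', url, count=1, flags=re.I)

def refang(url):
    """Undo defanging locally so the URL can be parsed (it is never fetched)."""
    return re.sub(r'^hxxp', 'http', url, count=1, flags=re.I)

def parse_line(line):
    """Return a dict for one detection line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # "Other:Malware-gen" -> prefix "Other", name "Malware-gen"
    rec['platform'], _, rec['name'] = rec['sig'].partition(':')
    rec['host'] = urlsplit(refang(rec['url'])).hostname
    rec['url'] = defang(rec['url'])  # always store the defanged form
    return rec

def summarize(log_text):
    """Group defanged URLs as {host: {signature: [urls]}}."""
    by_host = defaultdict(lambda: defaultdict(list))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_host[rec['host']][rec['sig']].append(rec['url'])
    return {host: dict(sigs) for host, sigs in by_host.items()}

if __name__ == '__main__':
    for host, sigs in summarize(SAMPLE_LOG).items():
        for sig, urls in sigs.items():
            print(f'{host}  {sig}  {len(urls)} hit(s)')
```
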