Author Topic: ssl-hints.netflame.cc - Is it good, or is it whack?  (Read 11994 times)

metalbot

  • Guest
ssl-hints.netflame.cc - Is it good, or is it whack?
« on: January 14, 2009, 12:22:51 AM »
So earlier, I loaded http://www.avast.com/eng/download-avast-home.html to grab the URL to paste in a forum to help some Norton trialware victims.
When I closed it, I saw it was making a request to a URL on the ssl-hints.netflame.cc domain name.
Being a naturally curious person, I looked into that domain and found two things:

- it's part of fireclick.com which Avast appears to use for their web analytics
- it contains this interesting file hxxp://ssl-hints.netflame.cc/Fc/FcPred.class , which freaks Avast out if you try to open it.

So, uh.. what's going on here? Is it a false positive, or is Avast's web analytics provider hosting malware on the side?

For reference, this is what Avast thinks of it:

Code:
A Virus Was Found!

There is no reason to worry, though. avast! has stopped the
malware before it could enter your computer. When you click on the
"Abort connection" button, the download of the dangerous file will
be canceled.

File name: hxxp://ssl-hints.netflame.cc/Fc/FcPred.class
Malware name: Other:Malware-gen
Malware type: Virus/Worm
VPS version: 090113-1, 01/13/2009

Here's what Virus Total thinks of the file: http://www.virustotal.com/analisis/2bd0257964b37d65fa03e9eb361d8b3b


Based on that, I'm guessing it's probably a "false positive", but I'd rather let the professionals sort it out.

Thanks,
Henri

*edited to maybe protect the non-avast users in this forum.  :-X
« Last Edit: January 14, 2009, 02:16:55 AM by metalbot »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67185
Re: ssl-hints.netflame.cc - Is it good, or is it whack?
« Reply #1 on: January 14, 2009, 01:07:47 AM »
Maybe the problem is not a file but an encrypted code in the homepage? ???
Please do not post live links to malware or false positives in the forum... edit to hxxp for instance.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34033
  • malware fighter
Re: ssl-hints.netflame.cc - Is it good, or is it whack?
« Reply #2 on: January 14, 2009, 01:41:33 AM »
Hi Tech,

There is more to it: http://www.collettivamente.com/articolo/956345.html
Kaspersky also finds this as: Trojan-Downloader.Java.Agent.c
Follow the advice given there:
Update to the latest version of SunJava or check using the online Secunia PSI:
http://secunia.com/vulnerability_scanning/online/?task=start

1)    Dump the contents of your IE cache -
        Start --> settings --> control panel --> Internet options --> delete files

2)    Dump the contents of the Mozilla FireFox Cache { if you use FireFox }
        Tools --> Options --> Privacy --> Cache --> Clear

3)    Dump the contents of your Sun Java cache -
        Control panel --> Java applet --> cache --> clear
          or
        Control panel --> Java applet --> general --> settings --> delete files

4)    Re-scan your system using your anti virus software.

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

metalbot

  • Guest
Re: ssl-hints.netflame.cc - Is it good, or is it whack?
« Reply #3 on: January 14, 2009, 02:57:12 AM »
Ah yes, I forget my manners sometimes. I've updated the suspicious url to use hxxp://.

I've also triggered a more recent analysis through virus total (the first link was over a month old)
The new results are here: http://www.virustotal.com/analisis/1004085aa922a6f4d997b624c862f8b9

The old results had 4 matches, the new ones have 3, so one AV doesn't think this is dangerous anymore.
Also note that Kaspersky does not flag it as dangerous.

All of this seems fairly consistent with a false positive getting slowly fixed in individual AV products.

Another item to look at: http://www.dslreports.com/forum/r18361569-Trojan-or-FP-Bed-Bath-and-Beyond~start=20

Another forum where users wondered what this was and wasn't.


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89616
  • No support PMs thanks
Re: ssl-hints.netflame.cc - Is it good, or is it whack?
« Reply #4 on: January 14, 2009, 03:11:38 AM »
Firstly as far as I'm aware avast doesn't use "fireclick.com which Avast appears to use for their web analytics" but uses google-analytics and possibly akamai.net.

I use firefox with NoScript and they are the only ones I see in the main avast.com site. Now I don't know where you gathered the information from but all http traffic on port 80 goes through the avast web shield to be scanned (probably why avast freaked out as you say). So if you see that attributed to the web shield, it is only the localhost proxy filter and not what originated the communication.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

metalbot

  • Guest
Re: ssl-hints.netflame.cc - Is it good, or is it whack?
« Reply #5 on: January 14, 2009, 05:36:52 PM »
Quote from DavidR:
"Firstly as far as I'm aware avast doesn't use "fireclick.com which Avast appears to use for their web analytics" but uses google-analytics and possibly akamai.net."

They appear to use both.
Source of http://www.avast.com/eng/download-avast-home.html, lines 23 to 52:

Code:
<title>Download FREE antivirus software - avast! Home Edition</title>
<!-- COUNTERS BEGIN -->
<!-- Google analytics start -->
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript">
</script>
<script type="text/javascript">
_uacct = "UA-1405551-1";
_udn="avast.com";
_uhash="off";
_ulink=1;
urchinTracker();
</script>
<!-- Google analytics end -->
<!-- Fireclick, Inc - COPYRIGHT 1999-2008 - Please do not modify this code-->
<script type="text/javascript">
<!--
function handle(){return true;}
window.onerror=handle;
var fc_host='www.avast.com';
document.write('<scr'+'ipt '
+'src="'+((location.protocol=='http:')?'http:':'https:')
+'//a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/sc'+'ript/'+fc_host+'"></scr'+'ipt>');
function fcce(){if (typeof(fcnf)!="undefined") fcnf();}
var fcfn=window.onload;
function fcco(){window.setTimeout("fcce();", 100);fcfn();}
window.onload= null==fcfn ? fcce:fcco;
// -->
</script>
<!-- Fireclick, Inc - COPYRIGHT 1999-2008 - Please do not modify this code-->


In terms of network traffic, this seems to mean (besides the script fetch from akamai.net):

Nothing nefarious there, but yes, they do use them, so the irony-meter is still on. ;)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89616
  • No support PMs thanks
Re: ssl-hints.netflame.cc - Is it good, or is it whack?
« Reply #6 on: January 14, 2009, 05:51:16 PM »
Thanks for the update. I didn't look at that page, just a couple of others, and NoScript showed what scripts were on the page.

I can't see why they would have the document write in that form, perhaps to avoid html interpreting the script word so they use 'scr'+'ipt'. I have to admit when I see this I wonder why too.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free  24.8.6127 (build 24.8.9372.862) UI 1.0.814/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
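
Added example, not part of any post in this thread: a way to automate the check done by hand in Reply #5, listing the hosts a page loads scripts from, including a tag assembled by document.write from split 'scr'+'ipt' literals. The function names and the {expr} / {name} placeholders for run-time values are this example's own, and the sample input is constructed from the snippet quoted above.

```javascript
// Added example (not from the thread): list script hosts, including tags built by document.write.
const SRC_RE = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
const HOST_RE = /^(?:\{[^}]*\}|[a-z][a-z0-9+.-]*:)?\/\/([^\/:?#{]+)/i;

// Fold the '+'-joined argument that starts just after "document.write(":
// string literals are joined, anything computed at run time becomes {expr} or {name}.
function foldConcat(src, start) {
  let out = '';
  for (let i = start; i < src.length && src[i] !== ')'; ) {
    const c = src[i];
    if (c === "'" || c === '"') {                 // string literal: keep its body
      let j = i + 1;
      while (j < src.length && src[j] !== c) j += src[j] === '\\' ? 2 : 1;
      out += src.slice(i + 1, j);
      i = j + 1;
    } else if (c === '(') {                       // nested expression: opaque
      let depth = 0;
      do { depth += src[i] === '(' ? 1 : src[i] === ')' ? -1 : 0; i++; } while (depth > 0 && i < src.length);
      out += '{expr}';
    } else if (/[A-Za-z_$]/.test(c)) {            // identifier: opaque
      const name = /^[\w$.]+/.exec(src.slice(i))[0];
      out += `{${name}}`;
      i += name.length;
    } else i++;                                   // '+' and whitespace
  }
  return out;
}

function scriptSources(html) {
  const found = [];
  const collect = (text, via) => {
    for (const m of text.matchAll(SRC_RE)) {
      const h = HOST_RE.exec(m[1]);
      found.push({ host: h ? h[1].toLowerCase() : null, src: m[1], via });
    }
  };
  collect(html, 'static');                        // tags present in the markup
  const call = /document\.write\s*\(/g;
  while (call.exec(html)) collect(foldConcat(html, call.lastIndex), 'document.write');
  return found;
}

// Constructed sample, trimmed from the page source quoted in Reply #5.
const SAMPLE = `<script src="http://www.google-analytics.com/urchin.js"></script>
<script>var fc_host='www.avast.com';
document.write('<scr'+'ipt '
+'src="'+((location.protocol=='http:')?'http:':'https:')
+'//a248.e.akamai.net/f/248/5462/3h/hints.netflame.cc/service/sc'+'ript/'+fc_host+'"></scr'+'ipt>');
</script>`;
console.log(scriptSources(SAMPLE).map(h => `${h.via}: ${h.host}`).join('\n'));
```

Splitting the tag name is a common idiom because a literal `</script>` inside an inline script block ends that block in the HTML parser; the side effect is that a plain text search for `<script` misses the tag, which is why the fold step comes first.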