Author Topic: High Chance this is a False Positive at the Crunchyroll Website.  (Read 7318 times)

Solemn

  • Guest
Well as the title says, there's a high chance this is a false positive.  I get this warning message when I visit the site saying a part of the site's scripts has been verified as a virus.  The screenshotted image of the alert message is attached.  I reported this as a false positive through that tool but I figure for good measure I'd post here too just to get some further clarification if I'm correct.

I've visited that site for ages now and have never had an issue with anything, plus the fact that link scanners continue to view it as safe/clean.  The website is pretty straightforward: hxxp://www.crunchyroll.com/ and is a site mainly to legitimately stream videos off of.  There are some ads there but I have adblocking addons + scriptblocking addons as well that solve that issue.

I did full scans with Malwarebytes and Avast! and found nothing too, but that may also be because the real-time protection blocks it before it even gets on my computer.  Any feedback would be great!

« Last Edit: June 27, 2009, 09:31:17 PM by Solemn »

evilfantasy

  • Guest
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #1 on: June 27, 2009, 09:09:54 PM »
This domain is listed in the hpHOSTS blacklist. Websites in this database should be viewed with extreme caution.

http://vurl.mysteryfcm.co.uk/default.asp?url=http%3A%2F%2Fwww.crunchyroll.com&btnvURL=Dissect&selUAStr=1&selServer=2&ref=&cbxSource=on&cbxBlacklist=on

spg SCOTT

  • Guest
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #2 on: June 27, 2009, 09:13:28 PM »
Hi Solemn,

Avast is alerting to a javascript (highlighted in image) file within that website. Generally the detection is very accurate and is increasingly more common, with many legitimate sites being hacked.

Quote from: Solemn
"I did full scans with Malwarebytes and Avast! and found nothing too, but that may also be because the real-time protection blocks it before it even gets on my computer.  Any feedback would be great!"

You are right here, stopped before there was even a threat -- you just gotta love avast ;D

-Scott-

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #3 on: June 27, 2009, 09:17:29 PM »
Hard to say as it is a packed javascript file that is being detected and ordinarily the web shield has been good in finding this type of thing.

27/06/2009   20:04:25   1246129465   SYSTEM   1452   Sign of "JS:Pdfka-KT [Expl]" has been found in "hXXp://static.ak.crunchyroll.com/js/20090617162000.9e15cf5400673a3c585209bcdcd3023f/php.default.min.js\{gzip}" file.  

This is further complicated by PHP, which, if not the latest version, could also be exploited.

I submitted the file to virustotal and only avast and gdata (which uses avast as one of its two scanners), so it could possibly be an FP, but there are so few scanners that are even capable of looking for this, much less detecting it. http://www.virustotal.com/analisis/8ff1d678daea4841ac04a211d8a5e031eb5fd8bf04208c62bb13796eef821c0b-1246130017

I have also submitted it to avast for analysis.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD - 27" external monitor 1440p 2560x1440 resolution - avast! free  24.9.6130 (build 24.9.9452.762) UI 1.0.818/ Firefox, uBlock Origin Lite, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Solemn

  • Guest
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #4 on: June 27, 2009, 09:22:46 PM »
Interesting to see it on a blacklist as again it is a site that hasn't given me problems before (or for that matter I haven't heard anything bad about it over these past years). And yeah, I do love the fact that avast manages to let me load the rest of the site and blocks that particular script only. :)  I think the reason why it got through was because I had enabled noscript to only allow that particular site's main set of scripts (and I suppose this is part of it).  Disabling it would completely remove the ability of streaming videos so I had to make a compromise I guess.

Anyway thanks for the fast input on this one (and the upload to avast! I wasn't 100% sure how to do that with a script)--perhaps I was wrong to say this is a high chance of being a FP? There is a possibility things could've been hacked there as I wouldn't call it the most securely managed streaming site.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34054
  • malware fighter
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #5 on: June 27, 2009, 09:50:50 PM »
Hi Solemn,

They are apparently working on the page because (Level: 1) Url checked: (script source)
hxtp://static.ak.crunchyroll.com/js/20090617162000.9e15cf5400673a3c585209bcdcd3023f/colorpicker.js
Blank page / could not connect etc.
No ad codes identified

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Solemn

  • Guest
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #6 on: June 27, 2009, 10:17:44 PM »
Thanks for that bit of info Polonus, this actually makes it a bit clearer as to what is going on here.  I'm not sure if it got hacked but I have noticed there've been times where they actively work on the site without really announcing maintenance times.  The strange thing is it didn't look like much changed during my brief recent stay over there.

Interesting developments!

Solemn

  • Guest
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #7 on: June 27, 2009, 11:55:15 PM »
Alright, just updated to the latest signatures from avast and I'm happy to say I get no such warning message anymore from going to the website! The news of what was added according to the VPS history seems to simply add more definitions to the database although I suspect they often don't always list a fixing of FP's in every release (unless the entire release was geared just for that).  However, it is assuring to know that I randomly browsed around the site and watched videos to see if I could trigger it again but didn't get anything.

Either way, if it is a fix up from the avast team, I want to say thanks! That was a pretty fast response that was coupled together with a nice bit of community involvement as well for investigating it.

EDIT: After refreshing the avast homepage a bit I managed to answer my own question and have thus changed the phrasing.
« Last Edit: June 28, 2009, 12:01:32 AM by Solemn »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34054
  • malware fighter
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #8 on: June 28, 2009, 12:15:38 AM »
Hi Solemn,

Thanks to you also. In the light of the recent massive attacks on so-called trusted and reputable sites through hacks because of vulnerable software, PHP holes, hidden obfuscated inline Iframes, SQL, Cross Site Scripting and whatever enables the malcreants to work their schemes for CyberCrime and AdClickRevenue & Co or the Spammer Collective, it is mighty important to have vigilant people like you report these issues. The full awareness of the situation has not yet arisen amongst the average webmaster and site admin community and also a lot of hosting firms put their users at risk. Good work and know that avast is on the ball here, they are very good at flagging online threats like this one,

Stay safe and secure online is the wish and command of,

polonus (malware fighter)
« Last Edit: June 28, 2009, 12:19:29 AM by polonus »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89675
  • No support PMs thanks
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #9 on: June 28, 2009, 12:30:39 AM »
I would say that it is a correction of the detection, given there were several submissions to them. I always refer to the VT results and the forum topic when making submissions as I feel it gives extra weight to it.

They are very quick to correct FPs when identified and this seems to have been very quick, within a few hours.

The new signature JS:Pdfka-KT [Expl] was only added on the 26/6/2009 so it looks like this had an adverse impact on this packed JS file which looks like it has been tweaked to correct this. Though checking the avast virus database the JS:Pdfka-KT [Expl] has been removed, presumably to correct this mis-detection and give them time to rework the signature.

There are 303 JS:Pdfka- signatures in the virus database.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34054
  • malware fighter
Re: High Chance this is a False Positive at the Crunchyroll Website.
« Reply #10 on: June 28, 2009, 12:41:09 AM »
Hi DavidR,

Well a FP can always come into the bargain, but you have to admit that where the detection of website threats is concerned avast comes with the top league of vendors detecting. And as a matter of fact they also awakened the avast forum members to investigate these issues further whenever it was/is posted in these here forums. Before these postings I never used the particular scanners I started to use now. This is also why I posted in the general section on starting to search via https for enhanced security,

polonus