Author Topic: Incorrect Virus Definition  (Read 5832 times)

Offline cubics2

  • Newbie
  • *
  • Posts: 3
    • Personal Message (Offline)
Incorrect Virus Definition
« on: July 15, 2009, 05:43:06 PM »
We are getting reports from end-users of your product that state that our advertising iframe is a html:iframe virus.  We are not malware and do not serve advertisements for such.  Below is the warning being reported.

http ://social.bidsystem.com/displayAd.aspx?pid=346463&plid=1596
malware name: html:Iframe-inf

Please white list our domain and/or remove it from your definitions.  If you require any information at all, please contact us.

Thanks,

Dwayne Lafleur
General Manager - Adknowledge Social Advertising

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69208
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: Incorrect Virus Definition
« Reply #1 on: July 15, 2009, 06:31:32 PM »
Please don't post multiple topics in different forums for the same issue, as this just duplicates effort for those trying to help. This is the correct forum for virus related issues and not the other two you posted.

I can't visit the link you gave as there is obviously another link involved where it calls that ad, trying to enter that URL directly results in this error, see image.
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2016/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline cubics2

Re: Incorrect Virus Definition
« Reply #2 on: July 15, 2009, 06:52:49 PM »
The URL in the above post is not the full url.  Here is one:
http://social.bidsystem.com/displayAd.aspx?pid=346463&plid=15965&adSize=728x90&bgColor=%23ffffff&textColor=%23000000&linkColor=%230033ff&channel=&appid=57308&fb_sig_in_iframe=1&fb_sig_locale=en_US&fb_sig_in_new_facebook=1&fb_sig_time=1247678437.1028&fb_sig

malware name: html:Iframe-inf

We are able to recreate the issue in google chrome and firefox, but not IE.  This issue is costing our business roughly $10,000 per day right now as a major publisher of ours has removed our ads until you resolve this issue.  Please proceed with white listing our domain asap.

1. Google Chrome version 2.0.172.33

2. No add-ons/toolbars....don't think there are any for my browser yet!

3. I did not get forwarded to another page, because Avast! stopped that from happening... I have attached a screenshot of what I did get, however. Note that at the bottom where there should be an ad it is now blank when this came up; I don't have a way to block ads, and that is the only time I have seen a blank space instead of an ad.

4. I use Avast! version 4.8 Home Edition.

5. 1:51 pm Eastern Daylight Time (US)


Offline DavidR

Re: Incorrect Virus Definition
« Reply #3 on: July 15, 2009, 08:29:21 PM »
Sorry, even with that URL I get nothing (alert wise) but a page of sorts loads, see image.

Now two of the links on that page get redirected to free credit reports, and WOT (Web of Trust) flags the site as having a poor reputation. That, however, I don't believe is what avast is alerting on (or it would have alerted).

I have been unable to find anything that I can look into as I don't get any alerts.

The iframe alerts are commonly an indication that a site has been hacked and there is either an iframe tag inserted into pages or a script tag containing obfuscated javascript which creates the iframe.

So I'm at a loss as to what else to suggest as an avast user, I have no way to investigate further.

Offline cubics2

Re: Incorrect Virus Definition
« Reply #4 on: July 15, 2009, 08:34:53 PM »
Try this URL: http://iscpadv.com/s/in.cgi?5

It's for a Tourism Ireland campaign.  It seems to be the source of the issue.

Offline DavidR

Re: Incorrect Virus Definition
« Reply #5 on: July 15, 2009, 08:51:54 PM »
Strange that the Tourism Ireland would have a link to iscpadv.com which is a German domain location.

It is that domain that is blocked by the Network Shield as one on its malicious sites list. Why it's on the list I don't know, but commonly if a site is infected and multiple alerts are found, avast gathers data on these alerts and would add it to the malicious sites list.

I have tried to report to avast for further analysis on the iscpadv.com domain being on the list.

Offline polonus

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 20119
  • Gender: Male
  • malware fighter
    • Personal Message (Offline)
Re: Incorrect Virus Definition
« Reply #6 on: July 15, 2009, 10:30:59 PM »
This is what I get with DrWeb's av link checker plug-in:
hXtp://iscpadv.com/s/in.cgi?5 redirects to hXtp://web-banners.com/banners/728x90/discoverireland/

Checking: hXtp://web-banners.com/banners/728x90/discoverireland/
Engine version: 5.0.0.12182
Total virus-finding records: 583477
File size: 255 bytes
File MD5: ca5283f776d99c72aea6105f702121b1

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline John2009

  • Sr. Member
  • ****
  • Posts: 209
    • Personal Message (Offline)
Re: Incorrect Virus Definition
« Reply #7 on: July 16, 2009, 12:57:08 AM »
the i frame detector has had 0 mistakes I've heard

Offline kubecj

  • Administrator
  • Advanced Poster
  • ***
  • Posts: 1127
  • Gender: Male
    • ALWIL Software
    • Personal Message (Offline)
Re: Incorrect Virus Definition
« Reply #8 on: July 16, 2009, 07:50:57 AM »
It has mistakes. Because it's filled by naive humans (mostly me)  8)

But I've blocked iscpadv for a good reason. I've tried it right now with our internal tool...
So, the bidsystem guy should provide me with a better explanation of what iscpadv is and why I should think it's not malicious (while it redirects thru a series of redirectors to a fake av site, as can be seen below).

Code:
hXXp://iscpadv.com/s/in.cgi?5
  Reason: external
  Found virus HTML:RedirME-inf [Trj]
  Return code: 302
  Content-type: text/html; charset=UTF-8
  Content-length: 178
  \->hXXp://mirturistov.com/3/
       Reason: redirect
       Flags: script_inl:1
       Return code: 200
       Content-type: text/html; charset=UTF-8
       Content-length: 267
     \->hXXp://commercialali.cn/go.php?id=2024-3&key=487c65abf&p=1
          Reason: refresh
          Return code: 302
          Content-type: text/html
        \->hXXp://antivirus-online-scanv5.com/1/?id=2024-3&query=87db95441&q=%3DTQ01Dz3NMQMMI%3DN
             Reason: redirect
             Flags: script_ext:5, script_inl:4
             Return code: 200
             Content-type: text/html, text/html; charset=UTF-8
             Content-length: 13222
Jindrich Kubec
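
The kind of redirect chain shown in the listing above, as an added example (not kubecj's in-house tool and not Avast code): a small tracer that follows a chain over constructed responses and labels each hop the way the listing does. Reading "redirect" as an HTTP 3xx `Location` and "refresh" as a meta refresh is an assumption about the listing's labels, and the `.example` hosts are placeholders.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed responses standing in for live fetches: url -> (status, headers, body).
RESPONSES = {
    "http://ads.example/s/in.cgi?5": (302, {"Location": "http://hop1.example/3/"}, ""),
    "http://hop1.example/3/": (200, {}, '<html><head><meta http-equiv="refresh" '
                               'content="0; url=http://hop2.example/go.php?id=1"></head></html>'),
    "http://hop2.example/go.php?id=1": (302, {"Location": "http://landing.example/1/?id=1"}, ""),
    "http://landing.example/1/?id=1": (200, {}, "<html><script>x=1</script></html>"),
}

META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.I)

def next_hop(url, status, headers, body):
    """Return (reason, absolute_target) for the next hop, or None if the chain ends."""
    if status in (301, 302, 303, 307, 308) and "Location" in headers:
        return "redirect", urljoin(url, headers["Location"])
    m = META_REFRESH.search(body)
    if m:
        return "refresh", urljoin(url, m.group(1))
    return None

def trace(start, fetch, max_hops=10):
    """Follow the chain hop by hop; stop on a loop, a dead end, or max_hops."""
    chain, url, reason, seen = [], start, "external", set()
    while url not in seen and len(chain) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        chain.append({"url": url, "reason": reason, "status": status,
                      "host": urlsplit(url).hostname})
        hop = next_hop(url, status, headers, body)
        if hop is None:
            break
        reason, url = hop
    return chain

def distinct_hosts(chain):
    return list(dict.fromkeys(h["host"] for h in chain))  # order-preserving de-dup

def fetch_constructed(url):
    return RESPONSES[url]

if __name__ == "__main__":
    for depth, hop in enumerate(trace("http://ads.example/s/in.cgi?5", fetch_constructed)):
        print("  " * depth + f"{hop['url']}  reason={hop['reason']} code={hop['status']}")
```

An ad URL that passes through several unrelated hosts before reaching its landing page, as counted by `distinct_hosts`, is the pattern the listing exposes and a single direct fetch of the first URL does not.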

Offline DavidR

Re: Incorrect Virus Definition
« Reply #9 on: July 16, 2009, 01:50:28 PM »
Thanks kubecj, us mere mortals aren't able to do this kind of in-depth analysis.

Outside of the Alwil in-house tool, do you know of any other analysis site that could do the same in-depth analysis?

Offline kubecj

Re: Incorrect Virus Definition
« Reply #10 on: July 16, 2009, 01:58:09 PM »
No, that's why I wrote this in-house tool despite my laziness  ;D
Jindrich Kubec

Offline DavidR

Re: Incorrect Virus Definition
« Reply #11 on: July 16, 2009, 02:06:59 PM »
Any possibility that we would be able to use it, say input the suspect URL into an avast.com page for checking suspect URLs and run on-line ?

Offline kubecj

Re: Incorrect Virus Definition
« Reply #12 on: July 16, 2009, 02:11:00 PM »
Such a system is already partially done, but it's kinda low in our (long) todo list.
Jindrich Kubec

Offline DavidR

Re: Incorrect Virus Definition
« Reply #13 on: July 16, 2009, 02:23:41 PM »
That's good for the long term, after avast 5.0 I guess when some time is available ;D

 
