Author Topic: Web-shield is screaming  (Read 4467 times)

2meme2

  • Guest
Web-shield is screaming
« on: December 07, 2009, 04:24:28 PM »
Hello,

Web-shield is screaming if I go to a certain page on the SecuriTeam web site... ???
What can I do about it? First of all, is this the right place to report it? I'm very much confused. ??? ???

spg SCOTT

  • Guest
Re: Web-shield is screaming
« Reply #1 on: December 07, 2009, 04:32:31 PM »
Hi playwin2,

There is a good chance that this is a good detection.

This kind of detection is very common these days, with many 'legitimate sites' becoming hacked to distribute malware:

Every 3.6 seconds a website is infected

You can post the link here, to let someone check, BUT please modify it to de-activate it.

For example, change http to hXXP, similar to this: hXXp://www.somesite.com

-Scott-


2meme2

  • Guest
Re: Web-shield is screaming
« Reply #2 on: December 07, 2009, 04:44:28 PM »
Hello Scott,

Thanks for the reply.

Here is the link: (DO NOT CLICK, MIGHT BE REAL) hXXp://www.securiteam.com/exploits/6X00E2AN5M.html

spg SCOTT

  • Guest
Re: Web-shield is screaming
« Reply #3 on: December 07, 2009, 05:10:35 PM »
Well, most of the pages they list seem to be okay, but this one, as said, seems to be infected. But with the nature of their site, it may be that the page contains the code in plaintext form or something (my guess... I could be completely wrong though).

I have emailed them to ask, and also reported it to avast!

12/7/2009 3:54:11 PM 1260201251 SYSTEM 1404 Sign of "JS:ShellCode-A [Expl]" has been found in "hXXp://www.securiteam.com/exploits/6X00E2AN5M.html" file. 
-Scott-

DavidR

  • Avast Überevangelist
Re: Web-shield is screaming
« Reply #4 on: December 07, 2009, 05:17:50 PM »
I don't know, but I believe it might be that some dumb ass posted the exploit script on the page and didn't break it up in any way to avoid it being detected or post the script as an image. As in my image example of the partial script.

The web shield just sees this as it does any live script as the page is essentially just a text file, so it isn't to know that this may just be an example of the exploit script.

Whilst there are other script tags in the page source I don't think they are what avast is alerting on, given it is a specific exploit signature:
Sign of "JS:ShellCode-A [Expl]" has been found in "hXXp://wXw.securiteam.com/exploits/6X00E2AN5M.html" file.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

2meme2

  • Guest
Re: Web-shield is screaming
« Reply #5 on: December 07, 2009, 05:24:51 PM »
....
The web shield just sees this as it does any live script as the page is essentially just a text file, so it isn't to know that this may just be an example of the exploit script.

Whilst there are other script tags in the page source I don't think they are what avast is alerting on, given it is a specific exploit signature...

Hmm! I haven't thought about that! Very good point, DavidR.

DavidR

  • Avast Überevangelist
Re: Web-shield is screaming
« Reply #6 on: December 07, 2009, 05:47:59 PM »
You're welcome.

I missed your first comment if this is the right place to report it, short answer is no. The slightly longer answer, there is a forum "viruses and worms" which deals with all detections/alerts like this, etc.

rathaus

  • Guest
Re: Web-shield is screaming
« Reply #7 on: December 08, 2009, 06:07:06 AM »
Hi guys,

I am Noam Rathaus from SecuriTeam and I noticed your post in regard to our article:
http://www.securiteam.com/exploits/6X00E2AN5M.html

There is no malware, or harm, to come from that site.

The code that Avast is screaming about doesn't work and would require quite a few changes to make it work on our site - it has been HTML escaped and JS "disabled".

Avast unfortunately doesn't care about that and sides with detection of benign rather than "miss", so it screams murder on our site where in fact there is nothing to scream about.

Hope this clears up things.

If you have any other questions, contact me at noamr[a]beyondsecurity.com or support[a]beyondsecurity.com

2meme2

  • Guest
Re: Web-shield is screaming
« Reply #8 on: December 08, 2009, 10:24:10 AM »
Hello, thanks for the information.

@davidR
I've now bookmarked the "viruses and worms" forum. Thanks.

spg SCOTT

  • Guest
Re: Web-shield is screaming
« Reply #9 on: December 08, 2009, 03:21:16 PM »
Hi rathaus,

Whilst I agree with the fact that it is benign, I hope you can see the point of view of the user.

As has been said, it exists as is, in the source code, so avast! will alert to it. It may have been de-activated, by whatever means, but I think that avast! still catches on what is left...

My question to you is, would it not be better to post that whole script as an image in future?

I can see two advantages:
1. Time is saved, you don't have to worry about deactivating the code.
2. The possibility of an alert is nullified. - So you won't have people worrying about your site, and the code it contains.


-Scott-

kubecj

  • Guest
Re: Web-shield is screaming
« Reply #10 on: December 08, 2009, 05:27:52 PM »
Basically, we're not doing a full HTML parse.

Pros: Speed
Cons: Minor inaccuracies when somebody has the bright idea of putting that stuff unmodified on the web.  :P
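
The trade-off discussed in this thread, as an added example that is not part of any post and is not Avast's code: a scanner that matches a signature against the raw page text alerts on an article that only displays escaped code, while one that parses the HTML and matches only in executable contexts does not. The signature token, page contents and function names are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed stand-in for a scanner signature; not a real detection pattern.
SIGNATURE = "DEMO_SIGNATURE_TOKEN("

# Constructed page: the token appears only as escaped, displayed text.
ARTICLE_PAGE = (
    "<html><body><h1>Advisory</h1>"
    "<pre>&lt;script&gt;DEMO_SIGNATURE_TOKEN(1)&lt;/script&gt;</pre>"
    "<script>var menu = 1;</script></body></html>"
)
# Constructed page: the token sits inside a live script element.
LIVE_PAGE = "<html><body><script>DEMO_SIGNATURE_TOKEN(1)</script></body></html>"


class ScriptCollector(HTMLParser):
    """Collects only the text a browser would pass to its script engine."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.in_script = False
        self.executable = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
        # Inline event handlers (onclick=...) are executable too.
        self.executable += [v for k, v in attrs if k.startswith("on") and v]

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.executable.append(data)


def raw_scan(page: str) -> bool:
    """Treat the page as plain text: fast, but blind to HTML context."""
    return SIGNATURE in page


def parsed_scan(page: str) -> bool:
    """Match only inside script bodies and inline event handlers."""
    collector = ScriptCollector()
    collector.feed(page)
    collector.close()
    return any(SIGNATURE in chunk for chunk in collector.executable)
```

A context-aware scanner would also have to cover `javascript:` URLs and script loaded from other files, which is part of the extra work a full parse implies.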