A False Positive -- Please Help

[shaakunthala]

Hi All   ,

Recently, I've noticed a website (say mysite.lk) that is administered by me is infected by some malicious code. I took immediate actions to solve the problem and wrote a blog post describing the incident and how I took actions.

The website is blocked by Avast. That is OK (should be blocked because it's infected). But, the problem is, my blog is also blocked by Avast since I've published that article. The blog post is written in some kind of 'Sherlock Holmes' style. I have used that malicious code as post content to explain the situation to my readers. So I can't remove the code I have put in -- without that my blog post becomes useless.

The included code causes no harm to the reader, since it doesn't render as javascript.

Here's the alert (which was emailed to me by a reader):
file name:                     hxxp://blog.shaakunthala.com/\{gzip}
malware name:             JS:Illredir-A [Trj]
malware Type:              Trojan Horse

Here's my article:
hxxp://blog.shaakunthala.com/2009/12/hacker.html
The blog is written in Sinhalese language and perhaps you might not be able to read it. I'm sorry for that. Just skip to the content where code is published.

It's a great help if somebody can give me a solution.

Thanks, and wish you all a Merry X'mas!  

[YoKenny]

Welcome  shaakunthala

Please make the links non-clickable like hxxp://blog.shaakunthala.com/2009/12/hacker.html

Please read:
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414

Merry Christmas

[shaakunthala]

Thanks for your reply. But it seems you have not understood my problem.

1. My blog is hosted on Google Blogger. I vigorously checked my Blogger template and found no suspicious scripts.
2. What I did is, posting some malicious code (inside <pre name='code' class='brush: javascript'> and </pre>) and non clickable URLs as blog's content to explain the situation to my readers. They will not render as links / actual script.

hxxp://blog.shaakunthala.com/2009/12/hacker.html << this is blocked
Since I've posted malicious code as plain text. (although no harm)

hxxp://blog.shaakunthala.com/2009/09/docx.html << this is not blocked
Since I've posted legitimate Microsoft Office XML code.

So this is a false positive. Avast blocks my blog although it is clean.

Welcome  shaakunthala

Please make the links non-clickable like hxxp://blog.shaakunthala.com/2009/12/hacker.html

Please read:
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414

Merry Christmas

[YoKenny]

Go back to your first post and modify the http lines to hxxp

If you post malicious code in the blog then avast! will detect it.
Even if you use a code box it may be detected

Code: [Select]

<pre name='code' class='brush: javascript'> and </pre>
I'm waiting for Santa to visit here.

[shaakunthala]

Anyway, thank you for your reply again.

Somebody notified me that some other virus scanners also block my page. And also, some other person suggested me to use images instead of text. I think that will work definitely.

But, it's really good if anti-virus solution providers do some favor for g33ks who write this kind of stuff.

Thank you.

[Hermite15]

if you inserted the malicious code in a blog post, whatever the reason is, you can't expect any AV to ignore it, doesn't make sense. Those interested will deactivate  their protection I guess, for the rest = 99,99% of others, no luck for you, merry Xmas 

ps: why don't you neutralize the code and indicate it, for your readers

[shaakunthala]

ps: why don't you neutralize the code and indicate it, for your readers

I also thought about that, but I was not sure if avast! checks for patterns in code. So I had no idea of neutralizing.
Anyway, I put everything as images and now it's perfect. Nobody may want to copy-paste the text other than reading it. 

Thanks!