Author Topic: A False Positive -- Please Help  (Read 3858 times)


Offline shaakunthala

  • Newbie
  • *
  • Posts: 4
A False Positive -- Please Help
« on: December 24, 2009, 10:52:10 PM »
Hi All  :) ,

Recently, I've noticed a website (say mysite.lk) that is administered by me is infected by some malicious code. I took immediate actions to solve the problem and wrote a blog post describing the incident and how I took actions.

The website is blocked by Avast. That is OK (should be blocked because it's infected). But, the problem is, my blog is also blocked by Avast since I've published that article. The blog post is written in some kind of 'Sherlock Holmes' style. I have used that malicious code as post content to explain the situation to my readers. So I can't remove the code I have put in -- without that my blog post becomes useless.

The included code causes no harm to the reader, since it doesn't render as javascript.

Here's the alert (which was emailed to me by a reader):
file name:                     hxxp://blog.shaakunthala.com/\{gzip}
malware name:             JS:Illredir-A [Trj]
malware Type:              Trojan Horse

Here's my article:
hxxp://blog.shaakunthala.com/2009/12/hacker.html
The blog is written in Sinhalese language and perhaps you might not be able to read it. I'm sorry for that. Just skip to the content where code is published.

It's a great help if somebody can give me a solution.

Thanks, and wish you all a Merry X'mas!  8)
« Last Edit: December 25, 2009, 12:15:56 PM by shaakunthala »

Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8793
Re: A False Positive -- Please Help
« Reply #1 on: December 24, 2009, 11:10:15 PM »
Welcome  shaakunthala

Please make the links non-clickable like hxxp://blog.shaakunthala.com/2009/12/hacker.html

Please read:
http://www.scmagazineus.com/every-36-seconds-a-website-is-infected/article/140414

Merry Christmas 8)
E5200 2.5GHZ, 4GB RAM, 320GB HD, Windows 7 Home Premium 64bit, avast! V9.0 Free, IE10
P4 2.8GHZ, 1.5GB RAM, 40GB HD, XP Pro SP3 32bit, avast! V9.0 Free, Google Chrome
with hpHosts, MVPS HOSTS files, SpeedFan, WinPatrol PLUS

Offline shaakunthala

  • Newbie
  • *
  • Posts: 4
Re: A False Positive -- Please Help
« Reply #2 on: December 25, 2009, 09:00:57 AM »
Thanks for your reply. But it seems you have not understood my problem.

1. My blog is hosted on Google Blogger. I vigorously checked my Blogger template and found no suspicious scripts.
2. What I did was post some malicious code (inside <pre name='code' class='brush: javascript'> and </pre>) and non-clickable URLs as the blog's content to explain the situation to my readers. They will not render as links / actual script.

hxxp://blog.shaakunthala.com/2009/12/hacker.html << this is blocked
Since I've posted malicious code as plain text. (although no harm)

hxxp://blog.shaakunthala.com/2009/09/docx.html << this is not blocked
Since I've posted legitimate Microsoft Office XML code.

So this is a false positive. Avast blocks my blog although it is clean.




Offline YoKenny

  • Serious Graphoman
  • **
  • Posts: 8793
Re: A False Positive -- Please Help
« Reply #3 on: December 25, 2009, 11:37:29 AM »
Go back to your first post and modify the http lines to hxxp

If you post malicious code in the blog then avast! will detect it.
Even if you use a code box it may be detected
<pre name='code' class='brush: javascript'> and </pre>
I'm waiting for Santa to visit here.

Offline shaakunthala

  • Newbie
  • *
  • Posts: 4
Re: A False Positive -- Please Help
« Reply #4 on: December 25, 2009, 12:24:14 PM »
Anyway, thank you for your reply again.

Somebody notified me that some other virus scanners also block my page. Also, another person suggested that I use images instead of text. I think that will definitely work.

But, it's really good if anti-virus solution providers do some favor for g33ks who write this kind of stuff.

Thank you.

Offline logos

  • Avast Überevangelist
  • Serious Graphoman
  • *****
  • Posts: 9444
Re: A False Positive -- Please Help
« Reply #5 on: December 25, 2009, 12:30:30 PM »
if you inserted the malicious code in a blog post, whatever the reason is, you can't expect any AV to ignore it, doesn't make sense. Those interested will deactivate  their protection I guess, for the rest = 99,99% of others, no luck for you, merry Xmas  ;)

ps: why don't you neutralize the code and indicate it, for your readers ???
w7 - ais7

Offline shaakunthala

  • Newbie
  • *
  • Posts: 4
Re: A False Positive -- Please Help
« Reply #6 on: December 25, 2009, 01:19:58 PM »
ps: why don't you neutralize the code and indicate it, for your readers ???

I also thought about that, but I was not sure if avast! checks for patterns in code. So I had no idea of neutralizing.
Anyway, I put everything as images and now it's perfect. Nobody may want to copy-paste the text other than reading it.  :)

Thanks!
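
Added example (not part of any post in this thread): one way to "neutralize" a quoted snippet for an incident write-up is to defang its URLs in the hxxp style requested above and HTML-escape the markup so the browser shows it as text. The sample snippet, the `bad.example` hosts and all function names are constructed for illustration.

```python
import html
import re

# Constructed sample of an injected redirect, as an incident write-up might quote it.
SAMPLE = '<script src="http://bad.example/x.js"></script> also https://cdn.bad.example/a?b=1'

# Scheme plus host only; the path is left alone so the indicator stays readable.
URL_RE = re.compile(r'\bhttp(s?)://([^\s/"\'<>]+)', re.IGNORECASE)


def defang_urls(text):
    """Rewrite http(s) URLs as hxxp(s) with [.] in the host so they are not clickable."""
    def repl(match):
        host = match.group(2).replace(".", "[.]")
        return "hxxp" + match.group(1) + "://" + host
    return URL_RE.sub(repl, text)


def refang_urls(text):
    """Reverse defang_urls for an analyst who needs the original indicator."""
    text = re.sub(r'\bhxxp(s?)://', r'http\1://', text, flags=re.IGNORECASE)
    return text.replace("[.]", ".")


def for_publication(snippet):
    """Defang URLs, then HTML-escape so the markup is displayed instead of parsed."""
    return html.escape(defang_urls(snippet), quote=True)


if __name__ == "__main__":
    print(for_publication(SAMPLE))
```
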