Author Topic: false positive, html:script-inf a little too broad?  (Read 19329 times)


spg SCOTT

  • Guest
Re: false positive, html:script-inf a little too broad?
« Reply #15 on: March 30, 2011, 05:52:53 PM »
If anything, a bigger site is a bigger target...and things like older content management systems like WordPress etc... contribute to the infections...generally when you see updates for things like that it is (at least in part) for a security update.

Quote
@ I can't seem to get any of the sites to resolve properly...Could be because I am trying in ubuntu?
I meant the sites that the scripts point to. I have read that some are coded to only work in windows...similar to how some malware can detect when being run in a VM...

You can try and let the site owners know, and even send the link to this thread.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: false positive, html:script-inf a little too broad?
« Reply #16 on: March 30, 2011, 05:56:35 PM »
@ bryonTRN
Well my.yahoo.com opened just fine for me (no alert) my.yahoo.com as it is different based on a) if you have a Yahoo account and b) geographic location, etc.

If you have an account you are redirected to your account default page, for me that is home.bt.yahoo.com and I don't get an alert.

So unless you haven't got a Yahoo account you shouldn't end up at my.yahoo.com I would have thought.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: false positive, html:script-inf a little too broad?
« Reply #17 on: March 30, 2011, 06:02:20 PM »
Hi DavidR,

if I were bryonTRN, I would do an additional spyware scan, quote from the link I gave above
Quote
this was done via ftp transfer with accounts user and pass.

It happened to a few of my clients, weeks after I gave them the cpanel password, as they are local clients and I developed their website, I keep all the passwords and tell them the password only if they ask me or need it.

Your computer or clients' computer is infected with some kind of spyware, and probably the passwords were kept in txt files.

I also recommend saving your passwords in free programs like KeePass Password Safe

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

bryonTRN

  • Guest
Re: false positive, html:script-inf a little too broad?
« Reply #18 on: March 30, 2011, 06:06:49 PM »
Quote
@ bryonTRN
Well my.yahoo.com opened just fine for me (no alert) my.yahoo.com as it is different based on a) if you have a Yahoo account and b) geographic location, etc.

If you have an account you are redirected to your account default page, for me that is home.bt.yahoo.com and I don't get an alert.

So unless you haven't got a Yahoo account you shouldn't end up at my.yahoo.com I would have thought.

last week i got alerts from about 20% of our installed clients, all referencing my.yahoo.com (from my first post in this thread) - so yeah not sure what they were seeing but it seems to have gone away after the next updated virus defs

---

so - what can be done about these rogue AV infections coming from perfectly legit websites?  can't really block the referenced url's they point to because they're recreated thru automated processes... i mean there has to be a money trail, is there anyone even trying to stop them?

i'd bet there's probably 10-20 actual humans behind all the various fake-av clones out there, why not just take them down?  (not to derail the thread or anything)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: false positive, html:script-inf a little too broad?
« Reply #19 on: March 30, 2011, 06:24:30 PM »
Well avast's web shield has blocked those script-inf attempts to infect for those sites that we have given information on. Avast is by far ahead of the game on these detections compared to others, but nothing is going to be 100%. So everyone should have a backup and recovery strategy for when things do happen, be that system problems or malware.

So all you can do is investigate the fact that avast is alerting, learn how we have found out that the detections are good (or otherwise) and that avoids having to wait for us to check it out.

They aren't what I would consider human, but organised crime as it is all about money, fake AV reports you are infected, wants you to buy the solution. Guess what, if a user actually hands over money, these leeches could likely subject them to card/identity fraud also.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: false positive, html:script-inf a little too broad?
« Reply #20 on: March 30, 2011, 06:27:51 PM »
Hi DavidR,

The site owners became victims of this, it is in the news, read this article here:
http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx
So large scale SQL Injection-attack...^script src=hxxp://lizamoon dot com/ur dot php^/script^

Registration of the now dead site was done three days ago, this is all done automatically and anti-malware vendors now try to find ways to analyze this registration scheme to get there before the malcreants open up shop, yep, this is large scale and cybercrime driven,

polonus
« Last Edit: March 30, 2011, 06:32:12 PM by polonus »
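The mass SQL injection described above appended a script tag, pointing at a domain the campaign had only just registered, to text columns in the victims' databases, so the injected HTML then appeared on every page that rendered those rows. As an added example, not code from this thread or from Avast, here is a Python check a site owner could run over a dump of their content tables to find script tags that load from hosts outside their own domain. The allowlist of the site's own hosts (and their subdomains, such as a CDN) is what keeps legitimate scripts from being reported, which is exactly the false-positive trade-off the thread is about. The table rows, the allowlist `example.com` and the host `injected-redirect.example` are constructed placeholders, not data from the page.

```python
# Added example (not from the forum thread): scan stored HTML fragments for
# injected <script src="..."> tags that point at hosts the site does not own.
# Mass SQL-injection campaigns of the kind discussed above append such a tag
# to text columns; the check below asks the same "is this script foreign?"
# question that the thread's html:script-inf alerts raise, with an allowlist
# so the site's own and its CDN's scripts are not flagged.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lower-cases tag and attribute names
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value.strip())


def script_sources(fragment):
    """Return the src values of all external script tags in an HTML fragment."""
    parser = _ScriptSrcCollector()
    parser.feed(fragment)
    parser.close()
    return parser.srcs


def _host_of(src):
    """Hostname of a script URL, or None for relative (same-site) paths."""
    url = "http:" + src if src.startswith("//") else src  # protocol-relative URL
    host = urlsplit(url).hostname
    return host.lower() if host else None


def find_foreign_scripts(fragment, allowed_hosts):
    """(host, src) pairs for scripts loaded from outside the allowed hosts.

    A host is allowed if it equals an allowlist entry or is a subdomain of one.
    """
    allowed = {h.lower() for h in allowed_hosts}
    flagged = []
    for src in script_sources(fragment):
        host = _host_of(src)
        if host is None:
            continue  # relative src: served by the site itself
        if host in allowed or any(host.endswith("." + a) for a in allowed):
            continue
        flagged.append((host, src))
    return flagged


def scan_db_rows(rows, allowed_hosts):
    """Run find_foreign_scripts over (table, row_id, column, value) tuples."""
    findings = []
    for table, row_id, column, value in rows:
        for host, src in find_foreign_scripts(value, allowed_hosts):
            findings.append({"table": table, "id": row_id, "column": column,
                             "host": host, "src": src})
    return findings


# Constructed sample rows standing in for a dump of a CMS content table.
# "injected-redirect.example" is a placeholder, not a real campaign domain.
SAMPLE_ROWS = [
    ("articles", 1, "body", "<p>Spring sale this week.</p>"),
    ("articles", 2, "body",
     '<p>Contact us</p></title><script src="http://injected-redirect.example/ur.php"></script>'),
    ("articles", 3, "body",
     '<p>Widget: <script src="https://cdn.example.com/widget.js"></script></p>'),
    ("articles", 4, "body",
     '<p><script src="/js/app.js"></script><SCRIPT SRC="//Injected-Redirect.example/ur.php"></SCRIPT></p>'),
]
SITE_HOSTS = ["example.com"]  # the site's own domain; subdomains such as cdn. are allowed

if __name__ == "__main__":
    for f in scan_db_rows(SAMPLE_ROWS, SITE_HOSTS):
        print(f"{f['table']}#{f['id']} {f['column']}: foreign script from {f['host']} ({f['src']})")
```

Run against the sample rows, only rows 2 and 4 are reported: the relative `/js/app.js` and the `cdn.example.com` widget are left alone, while the upper-cased, protocol-relative variant in row 4 is still caught because tag names, attribute names and the hostname are all compared case-insensitively. An allowlist that is too short makes this check "a little too broad" in exactly the way the thread complains about, so the site's real third-party script hosts belong in it before the output is trusted.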

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: false positive, html:script-inf a little too broad?
« Reply #21 on: March 30, 2011, 06:37:09 PM »
As I have said in the past I don't go to that depth, once I confirm that that avast detection is good I stop digging.

So since I don't own the site that it infected, I don't investigate how it was done.

bryonTRN

  • Guest
Re: false positive, html:script-inf a little too broad?
« Reply #22 on: March 30, 2011, 06:49:06 PM »
i've had at least 2 clients buy the fake av thinking it was the right thing to do.  both credit cards were processed thru cleverbridge (clearing house for some major software companies)

i hoped this means the criminals wouldn't actually get to see the credit card info - but makes me wonder why the processing company doesn't do something about it.  i mean, they have to eventually send the money to the criminals right?

i wish there were a job out there where they would just keep buying these fake-av's, and following the money... then charging the cost of the bullet to the family of the former criminal

Quote
As I have said in the past I don't go to that depth, once I confirm that that avast detection is good I stop digging.

So since I don't own the site that it infected, I don't investigate how it was done.

maybe if a few people would keep digging they'd actually stop :)
not that you need to be the one - but if everyone stops digging, the problem doesn't go away

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: false positive, html:script-inf a little too broad?
« Reply #23 on: March 30, 2011, 07:01:25 PM »
Hi DavidR,

But people should be informed about what is actually going on, when avast is detecting and also when avast does not detect.
Take for instance the recent breach of trust concerning Comodo SSL Certificates, users should know when they use these certificates and what this affair means for digital signing doing important transactions online.
With all infections there is an infection and a way in which a site/computer/etc. became infected. Both rather important issues, users should know that they do not run risks when they use NotScripts in Google Chrome or NoScript in Fx. Users and webmasters alike should be fully aware of the risks they run if they do not fully upgrade and update all of their software.
When people are not interested, how can they learn to safe(R)hex,

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: false positive, html:script-inf a little too broad?
« Reply #24 on: March 30, 2011, 07:48:06 PM »
Why, what benefit is it to them, are the avast end users really that interested, for the most part they are happy avast has stopped a potential infection or only want to know that the detection is correct. That's the problem, most people don't want to get involved in the minutiae, they just want to be able to use their computers, browse the web and have their AV protect them without having to take a PhD in security.

So when your post is actually addressed to me, I'm aware of the many different ways that code can be injected, etc.

It may be best to just provide a link to those general methods of hacking etc. rather than the specifics of how it might have happened for that site, that may well be of interest to the site owner, but I rather doubt it is of that much interest to the avast end user.

Tips for Cleaning & Securing Your Website, http://www.stopbadware.org/home/security.

Help: I Got Hacked. Now What Do I Do? http://technet.microsoft.com/de-de/library/cc512587%28en-us%29.aspx

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: false positive, html:script-inf a little too broad?
« Reply #25 on: March 30, 2011, 09:34:29 PM »
I was not talking generalisations. Some people are interested in what is going on, see what bryonTRN wrote:
Quote
maybe if a few people would keep digging they'd actually stop
not that you need to be the one - but if everyone stops digging, the problem doesn't go away
Of course the average user is just interested in how far avast gets near the 98,80 % detection rate, and we are doing our utmost here to help them getting that goal. I think for instance that evangelists are doing a great job reporting new issues to improve detection rate.
Educating users to achieve a better security attitude can also help, but I see that there exists a wide gap between how users behave and how they should behave security-wise. In effect it is a bit like when we would allow people to go out on the road without a driving licence. The only penalty in the digital world for such behaviour is a reformat or being left with a computer that can only function as a doorstopper. Well you will never hear your computer sales person complain, as long as this state of affairs is good for business,

polonus
« Last Edit: March 30, 2011, 09:39:35 PM by polonus »

bryonTRN

  • Guest
Re: false positive, html:script-inf a little too broad?
« Reply #26 on: March 30, 2011, 10:08:00 PM »
that's well said

i know there will always be 'unlicensed drivers' out there on this road we have...  i know that nothing can be done about that... i'm one of those people that are really interested to know how things get in the way of these people and would like there to be a way to make that road as wide and clear as possible

users who are oblivious, and infected, make it harder for everyone else because their computer is probably a bot now, either infecting others or sending spam - so it gets worse exponentially.

since i make my living fixing computers and networks, it's in my best interest to see infected machines all day long... luckily for the users though, i'm too busy and i'm just sick of seeing so many infected machines.  i'd rather never see a virus again than be glad they're there and keep getting paid to clean up the same stuff over and over


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: false positive, html:script-inf a little too broad?
« Reply #27 on: April 01, 2011, 10:39:48 PM »
This SQL injection has now reached pandemic proportions with 1,5 million pages being hacked, read what Dancho Danchev has to tell about this massive so-called "lizamoon" attack:
http://ddanchev.blogspot.com/2011/03/dissecting-massive-sql-injection-attack.html

polonus

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89056
  • No support PMs thanks
Re: false positive, html:script-inf a little too broad?
« Reply #28 on: April 01, 2011, 11:10:35 PM »
Aren't you glad you are using avast and the web shield ;D

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: false positive, html:script-inf a little too broad?
« Reply #29 on: April 01, 2011, 11:15:05 PM »
Yes, DavidR, there were times I was very grateful I had the avast webshield. I mean that from the bottom of my heart. But the added sandbox is also a great new feature. Avast is the best free av solution on the planet, only a lot of users don't realize that,

polonus