Avast has blocked our commercial business domain and JavaScript

Avast has blocked our core domain where we host our business assets: lkqd.net
We run mobile video ads for thousands of websites, so this has huge implications.
The only thing I can think of that would cause a flag is our JavaScript, but it does nothing other than render ads and has a perfect score according to multiple scanners: https://www.virustotal.com/en/url/635696e638bef3b90215c3c0e16cf2714d2d5c2cce545dfdba64413dc41a7b59/analysis/1418083290/

We uglify the JavaScript, but do not use any other form of code manipulation. There is some base64 logic in the JavaScript which is the only thing I can think of that would cause this to be flagged.

Has anyone else experienced this? Here is the JavaScript file: http://ad.lkqd.net/serve/pure.js

Any help would be greatly appreciated.

Thanks everyone!

http://zulu.zscaler.com/submission/show/887d0685bcf0eba9da46c2b09159a512-1418101290

You can report a possible FP here: http://www.avast.com/contact-us.php?subject=VIRUS-FILE

Thank you for advising!

We did try to report the false positive, but did not hear back. We will try again.

You’re welcome.

I will flag Milos to this thread. He controls blacklists.

If anything I think it could be a general IP block, as malware is being spread via domains on that IP and I see IDS alerts for “ET SHELLCODE Possible Call with No Offset TCP Shellcode”, a buffer overflow shellcode issue (this from an additional IP via another domain, widgets.getsitecontrol.com/, on that same IP server your domain shares).
So if anything I would suggest you ask avast team members for a domain exclusion.
I cannot do that because I am a volunteer website security analyzer and error-hunter with relevant knowledge,
but I am not an avast team member.

For the pure.js code you mention remember that

gzip-js is a pure JavaScript implementation of the GZIP file format.
It uses the DEFLATE algorithm for compressing data.

Please note that since this is a pure JavaScript implementation, it should NOT be used on the server for production code. It also does not comply 100% with the standard, yet.

The main goal of this project is to bring GZIP compression to the browser.

Quote Info by T. Jameson Little

  • Be aware of leakage attacks via malicious shell scripts.
    Code external link: htxp://ad.lkqd.net/serve/corp_site_vast.xml → htxp://googleads4.g.doubleclick.net/pagead/adview?ai= blurred out by me pol. Registered from within here: htxp://doam.com/50228?ckattempt=1

So let us wait for Milos’s reaction,

polonus

P.S. Consider the insecurities detected here: access violation writing location non-mutable tree-return vuln.
& injecting content from one window into a target window…etc.

And for the code you gave:
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fad.lkqd.net%2Fserve%2Fpure.js
goin’ to htxp://wXw.pretoriabusinessforsale.co.za etc.

D

IP is blacklisted:
http://zulu.zscaler.com/submission/show/24e4dea91674ff9e26c20391d37f7781-1418139813

No IP address of the DNS lookup for s3-website-us-east-1.amazonaws.com matches the original IP
http://multirbl.valli.org/lookup/54.231.17.60.html

Hi Eddy,

What do you think of this domain on that IP: https://www.mywot.com/en/scorecard/facefetti.com?utm_source=addon&utm_content=rw-viewsc
http://sitecheck.sucuri.net/results/facefetti.com#blacklist-status given that IP now at 174.129.25.170
Re: http://www.dnsinspect.com/facefetti.com/1418143738
this is a so-called naked domain redirect via SSL for the cloud: http://wwwizer.com/naked-domain-redirect (no secure protocols supported here);
but zulu Zscaler resolves to 54.231.64.28 → http://zulu.zscaler.com/submission/show/75949a04212a54eca2dd91fb61048c34-1418141520
Re: http://sameid.net/ip/54.231.17.60/ (the www address has the one IP, the naked domain address the other!).

D

Hi,
lkqd.net was unblocked yesterday 10AM CET. However, there is at least one IP that lkqd resolves to, 54.68.70.118, which right now is blocked and will remain blocked due to other malicious domains on that IP.