I went to “PhotoBucket” which apparently isn’t the safest site in the universe…
Avast said:
"Malware was found!
There is no reason to worry, though. Avast! has stopped the malware before it could enter your computer. When you click on the “Abort Connection” button, the download of the dangerous file will be canceled."
I got shocked to see this, so I took a few seconds to cancel it out. Would that have given the malware time to install itself to my computer, or did Avast! really block it? Can I trust Avast if this pops up?
I’m going to go scan with MBAM (an up-to-date one) now.
Generally, avast! is correct on these detections, and I would bet this is correct.
There must have either been a script/link to this site which contains the pdf exploit…
Could you please modify your link to make it unclickable (i.e. change http to hXXp) to prevent others potentially becoming infected, as you have posted a direct, clickable link to the exploit that was blocked…
I have never had any issues before with using photobucket.com in the past. The problem being I don’t believe they don’t have a great deal of input into what users put into their area.
Delay in aborting/cancelling the connection shouldn’t be an issue, as effectively avast won’t let it through; it has blocked it pending your response.
It’s a malicious PDF file which easily took down my sandboxed Opera session; Firefox jumped it as a reported attack site, but I have to wonder what would have happened if I had let it run in Fx. (Can’t get Fx and Sandboxie to work together for some reason)
It doesn’t seem to have any effect, oddly enough: the sandbox looks OK. I’ll see about dumping the PDF and see what happens.
UPDATE:
The PDF contains some encrypted JavaScript:
The significant line here is media.newPlayer(null); - that’s trying to exploit a known vuln, but I can’t remember which one. Can somebody refresh my memory on this?
This looks like it’s trying to exploit multiple vulns, not just the null mediaplayer one. Not pretty at all.
EDIT: hmm, looks like a mod got to the code blocks before I could. Thanks, mod! I won’t do that again.
EDIT 2: finally got some decent images up.
I know you mean well, but would you please remove the script in the code boxes as it is causing avast! to alert as it would appear in the source code of the page.
If I could make a suggestion, would you please post pictures in the future, as that would prevent it happening again?
Sorry about that!
I don’t have Avast! (nothing I can do about it, I’m required to use Microsoft Forefront Client Security), so I wasn’t aware the code was triggering anything. I’ll get rid of those code blocks immediately and post some pics instead.
Better still - will Avast! complain if I put the code on pastebin and link to it? If Avast! doesn’t mind, that’s probably the best way of doing it.