Avast used as political censorship?

I was reading up on the Syrian conflict and wanted to check who owns their central bank and found this link:
htxp://search.yahoo.com/r/_ylt=A0oG7kSBKSNSQysAE59XNyoA;_ylu=X3oDMTBybjFrcjVnBHNlYwNzcgRwb3MDNARjb2xvA2FjMgR2dGlkAw–/SIG=11obg4329/EXP=1378064897/**htxp%3a//www.syrianef.org/En/%3fp=1253

Quote from yahoo:
“Syrian central bank pledge to act fails to materialise. … which have been depleted by a slump in tourism and oil revenues and by previous efforts to prop up the …”.

The link gets instantly blocked as a JS:Decode-SD [Trj] virus… can anyone check the page and see if it's really a harmful virus?

You can see the site here which is not blocked:
htxp://www.syrianef.org/En/

I Yahoo'd JS:Decode-SD [Trj] and basically zero results came up, though some did with Google, but very limited… one of them was a thread here on the forum.

I'm using avast.

Thanks

I Yahoo'd JS:Decode-SD [Trj] and basically zero results came up,
https://www.virustotal.com/nb/file/2174306d5b85fa692321889549ada15debdd54ddbb6b8c2202c7c327882d7728/analysis/

it is a BlackHole exploit
http://www.avgthreatlabs.com/virus-and-malware-information/info/blackhole-exploit-kit/
http://antivirus.about.com/od/virusdescriptions/p/Blackhole-Exploit-Kit.htm

Thanks, but that is not specific enough though.

The definition of malware is too loose/vague. And it appears to me that a lot of so-called viruses are not what normal users would consider to be viruses; aka hacking your computer and creating havoc/being parasitical at the expense of the host.

There's 138 variants of the Blackhole kit you linked to, though my avast did not mention anything about that, but a JS:Decode-SD [Trj] virus, and your VirusTotal link just shows how messy/imprecise it is, or?

Also I got a blocked “virus” when opening one of those two pages you linked me to, but the pages themselves and their text were not blocked, though I do not receive it anymore, which suggests that avast is from now on perm blocking it, without denying me access to the site.

From your link: Traffic Direction Script (TDS)… doesn't sound so dangerous that it has to be blocked, or what do you think?

There's 138 variants of the Blackhole kit you linked to, though my avast did not mention anything about that, but a JS:Decode-SD [Trj] virus, and your VirusTotal link just shows how messy/imprecise it is, or?
There is no standard when it comes to naming malware; every vendor does it their way. So the result I gave you is just from a Google search to see what other vendors call it and give you the malware info. So the only way to know exactly is to upload the sample to VT and see what result you get.
From your link: Traffic Direction Script (TDS)… doesn't sound so dangerous that it has to be blocked, or what do you think?

" This invisible call would result in exploits and malware being delivered silently, while the user browses the legitimate but compromised website. There would be no external sign, i.e. the victim would not be forcibly redirected; they would remain on the legitimate site and likely be unaware of the malware loading in the background."

If you want a malware check…
Follow the guide and attach logs, do not copy and paste. http://forum.avast.com/index.php?topic=53253.0

Run in the order listed:
AdwCleaner / Malwarebytes / OTL / aswMBR

When done, removal experts will be notified and will check the logs.
All tools will be removed when finished.

So why did you choose Blackhole of all the possible “names” you could choose from? And you did not take my “virus” in context with my angle on the problem.

Yes, it sounds horrible. But again I don't buy it: what does it do, and why doesn't avast just block this script instead of blocking the whole webpage?
If all it does is direct web traffic, then I hardly would call it malware of any serious character. This page is now permanently blocked from my computer, and I can not read it. And this virus alert keeps me scared from entering it and reading the info.

Not to be rude, though I probably am, but are there just bots in this forum and no programmers with knowledge?

I think the other antivirus programs with a web shield will do just the same: blocking the page, not just the script,
because the page itself is considered as carrying the problem along :-\

Yes, I don't know. But that's quite possible, though not all antiviruses trigger on/block the same things, so it's also possible that they do not.

But the thing I want to know is, is this page really a threat to such an extent that it has to be blocked, or is this just a harmless script?

So why did you choose Blackhole of all the possible "names" you could choose from? And you did not take my "virus" in context with my angle on the problem.
Not sure I understand this..
But the thing I want to know is, is this page really a threat to such an extent that it has to be blocked, or is this just a harmless script?
If the detection is correct and the site contains a BlackHole exploit kit... yes. Just Google "blackhole exploit kit" and see what they do.

Avast detected it as JS:Decode-SD [Trj]

F-Prot and Commtouch detected it as JS/IFrame.RS etc.

Taken from:
http://about-threats.trendmicro.com/Malware.aspx?language=au&name=JS_IFRAME

"This Trojan may be hosted on a website and run when a user accesses the said website.

This is the Trend Micro detection for files that contain malicious IFRAME tags. This is the Trend Micro detection for Web pages that were compromised through the insertion of a certain IFRAME tag. It inserts an IFRAME tag that redirects users to certain URLs. However, as of this writing, the said sites are inaccessible.

Risk low."

While Kaspersky and Symantec say the site is clean.

A script that redirects you to another site is a big threat? And as stated before, the webpage you linked to said there were 113 variants of it, so how do I find out which one it is? I take it that JS:Decode-SD [Trj] isn't the specific type?

And are you saying that:
JS:Decode-SD [Trj]
JS/Blacole.LV
HTML/Framer
Trojan.JS.Agent.IWH
JS/IFrame.RS
TrojWare.JS.BlacoleRef.Z
Exploit.BlackHole.12
Trojan.JS.Agent.IWH (B)
JS/IFrame.RS
JS/Blacole.HT!exploit
Trojan.JS.Agent.IWH
Exploit.JS.Blacole
JS/Exploit-Blacole.ht
Trojan
Heuristic.BehavesLike.JS.Infected.A
Exploit:JS/Blacole.LV
Trojan.Script.Iframe.bgvzbb
Blacole.RU
Trojan.JS.Agent.IWH
Trojan.JS.Obfuscator.aa (v)

Are the same thing/definition, just a different name? If so, why is there no info on JS:Decode-SD [Trj] anywhere?

Has nothing to do with the contents of the site, as I scanned this site via jsunpack; avast! Web Shield scans as JS:Decode-YI[Trj] on https://jsunpack etc.
So it is now proven beyond any doubt that your assertion is wrong; it is just the JS code being flagged for IE browser exploit abuse. Moreover, the IP is flagged here: https://www.projecthoneypot.org/ip_41.225.8.57
About exploit read: http://forum.avast.com/index.php?topic=106428.0 (site hack)
https://urlquery.net/queued.php?id=40064098

polonus

Are the same thing/definition, just a different name? If so, why is there no info on JS:Decode-SD [Trj] anywhere?
What avast calls JS:Decode, other malware vendors call BlackHole... as seen in the VirusTotal detections, and this is the most commonly used name for this exploit.

avast does not have a website with info on the virus types it detects; the best are Microsoft / Kaspersky / Sophos,
so to get an idea of what is there I Googled the name the other vendors use…
To get the exact one you need to upload a sample from that website to VirusTotal.

http://www.microsoft.com/security/portal/threat/encyclopedia/entry.aspx?Name=Blacole

Hi Pondus,

It is an IE specific exploit that is/was being flagged through IDS here: https://urlquery.net/report.php?id=1302986
BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
While in a later scan it is no longer there: https://urlquery.net/report.php?id=4892185
In Malzilla I can get at downloading htxp://www.syrianef.org/En/xmlrpc.php
XML-RPC server accepts POST requests only.
tagcloud obfuscated code found… http://vurldissect.co.uk/?url=1765809
Main URL http://vurldissect.co.uk/?url=1765809
htxp://www.syrianef.org/a object not found
Another sign of a hack attack: htxp://www.syrianef.org/test404page.js http/TRACE method vulnerability
This object is not being found either: htxp://www.syrianef.org/wp-content/themes/Exciter/js/jcarousellite_1.0.1.pack.js?ver=3.4.2
Blacklisted in one instance for spam: http://www.reputationauthority.org/lookup.php?ip=41.225.8.57

polonus

Hi Mr.Taco,

The point is, avast! protected you from a very malicious site attempting to execute the Blackhole Exploit Kit.

There are plenty of alternative sites one can use for the “Syrian conflict”.

Did you even analyze the site? The script is coming directly from the webpage itself, not an external javascript file.

So a script that redirects the user to a malicious website that specifically exploits machines isn’t malware?

There are many alternatives for you to read this “info” from. My question is, why would you trust this site’s information if it’s trying to get your computer infected?

If you actually looked at how the Blackhole Exploit redirects, then yes, it is a big threat. The threat name JS:Decode-SD [Trj] even gives you a hint that the malware vendors attempt to obfuscate the redirection.

As avast! indeed saved your computer from a serious infection, I believe that there is no reason for you to continue arguing about threat names. As Pondus states, each antivirus has their own way of naming malware. There are many algorithms used for malware, thus various threat names must also be used.

Regards,
~!Donovan

Might be the web owner's idea to say:
"hey, some antivirus programs may have flagged us as containing malware, while we're not, they just want to block our ideas :frowning: "
but in reality they might spread some malicious script without you realizing it :wink:

Btw, what makes you think that 'Avast used as political censorship'?
I don't see any point for avast in doing that censorship :slight_smile:

Hello,
The detection JS:Decode-SD [Trj] says that there was/is malicious encrypted JavaScript code like in the attached image.

Milos
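The kind of thing a web shield is reacting to in this thread (the Trend Micro description of injected IFRAME tags, and Milos's "crypted Javascript code") can be checked offline on a saved copy of a page. The following is an added example, not code from avast or from any poster; it runs a small indicator scan over a constructed sample page and a constructed clean page, looking for hidden or 1x1 iframes and inline scripts that decode and evaluate themselves at runtime.

```python
import re

# Constructed sample page (not the site discussed in the thread): an ordinary
# article with an injected 1x1 hidden iframe and an obfuscated inline script.
SAMPLE_PAGE = """<html><body><h1>Syrian central bank news</h1>
<script>
var s="";for(var i=0;i<2;i++){s+=String.fromCharCode(72,105);}
document.write(unescape("%3Cdiv%3E"));eval(s);
</script>
<iframe src="http://example.invalid/tds.php" width="1" height="1" style="visibility: hidden"></iframe>
</body></html>"""

# Constructed clean page: a plain script and a normally sized embedded frame.
CLEAN_PAGE = """<html><body><script>var x = 1 + 2;</script>
<iframe src="http://example.invalid/video" width="640" height="360"></iframe></body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))""")
# Runtime decode/execute calls typical of packed redirector scripts.
DECODER_RE = re.compile(r"\b(eval|unescape|String\.fromCharCode|document\.write)\s*\(")
# Four or more consecutive %XX or \xXX escapes: a string being hidden from plain reading.
ESCAPE_RUN_RE = re.compile(r"(?:%[0-9a-f]{2}|\\x[0-9a-f]{2}){4,}", re.I)

def hidden_iframes(html):
    """Return the src of every iframe that is tiny or hidden: the injected-redirect shape."""
    found = []
    for tag in IFRAME_RE.findall(html):
        attrs = {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4))
                 for m in ATTR_RE.finditer(tag)}
        tiny = any(attrs.get(d, "").lower() in ("0", "1", "0px", "1px") for d in ("width", "height"))
        style = attrs.get("style", "").lower().replace(" ", "")
        hidden = "hidden" in style or "display:none" in style
        if tiny or hidden:
            found.append(attrs.get("src", "(no src)"))
    return found

def obfuscated_scripts(html):
    """Flag inline scripts that chain decoder calls or carry long escape runs."""
    findings = []
    for body in SCRIPT_RE.findall(html):
        calls = sorted(set(DECODER_RE.findall(body)))
        runs = len(ESCAPE_RUN_RE.findall(body))
        if len(calls) >= 2 or runs:
            findings.append({"decoders": calls, "escape_runs": runs})
    return findings

def scan_page(html):
    """Combine both checks into one report for a saved HTML page."""
    return {"hidden_iframes": hidden_iframes(html), "obfuscated_scripts": obfuscated_scripts(html)}
```

A match is an indicator to look at the script by hand (or in a sandbox such as jsunpack, as polonus did), not proof of infection; legitimate pages occasionally use these constructs too.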