Domain Falsely Identified as Malicious

Hello,

My company provides advertising technology to web publishers. This morning, we started receiving word that Avast had flagged our pixel-serving domain, a.dpmsrv.com, as malicious. We haven’t made any recent updates to our code, and there’s nothing malicious about the code at all. I submitted a ticket to their contact form and tried calling their support line as well (though that is really software support for users of their product, so they weren’t able to do anything). Is there anything we can do to get our domain un-flagged? All of our clients are calling us saying they’re getting complaints about malicious code on the site coming from us, and we can’t do anything to correct this. We also found that they’ve blocked our corporate site, datapointmedia.com, as well. Any help or direction that you can provide would be very much appreciated. Thank you!!

Patrick

Avast is not the only one to flag: http://www.mywot.com/en/scorecard/a.dpmsrv.com?utm_source=addon&utm_content=popup-donuts

polonus

I’m having the same popup on two different message boards

You don't tell us what avast says?
If avast says URL:Mal it means the URL is on a block list… for whatever reason, it does not have to be infected.

anyway if you think this is wrong, report it here. http://www.avast.com/contact-form.php

Hi Cham,

Could you share which message boards you are seeing this same behavior? Thank you very much!

Polonus,

Thank you for pointing out that link. Do you know of any other scanning tools that might be helpful for finding out why our domain has been flagged? We’ve been running nearly the same code for about a year now without any of these issues.

Pondus,

It was flagged as URL:Mal, and our corporate site was flagged with HTML:Script-inf

Thank you all for your help!

Patrick

Also, I did submit a message to the avast contact form for both domains a couple of hours ago but haven’t received a response.

Thank you for suggesting that Pondus.

You can check your URLs here:

http://sucuri.net/
http://www.urlvoid.com/

Thank you Pondus.

Both sites report our URLs are clean.

http://sitecheck.sucuri.net/results/a.dpmsrv.com
http://sitecheck.sucuri.net/results/datapointmedia.com

http://www.urlvoid.com/scan/a.dpmsrv.com/
http://www.urlvoid.com/scan/datapointmedia.com/

I appreciate your help!

Patrick

Does anyone know of any way to escalate this issue with Avast support beyond their contact form? Is there anybody I can call to speak with to try to move this along any faster? We haven’t had any response from Avast yet, and we’re currently affecting over 100 sites whose users are all seeing Avast throw a malware warning. Perhaps any of the moderators may be able to help us escalate this within their support team?

Thank you for your help!

Patrick

When I try to get to your code, I get this:
Header returned by request for: http://a.dpmsrv.com

HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=utf-8
Date: Fri, 10 May 2013 18:25:35 GMT
Server: nginx/1.2.1
Content-Length: 20
Connection: Close

Content returned by request for: http://a.dpmsrv.com

1:
Also see: http://vurldissect.co.uk/?url=1750141

polonus

http://hosts-file.net/?s=23.21.54.71
http://urlquery.net/report.php?id=1912870
and for http://a.dpmsrv.com/dpmpxl/index.php?id=7904319980558993132&cl=68&zn=ATE&sn=searchSOA&r=31306&q=imp&_=1363896536748 I get
window.DPMSRV.setAppnexusId(‘7904319980558993132’); causing WHT outages…

polonus

The message boards are:

http://www.notebookreview.com/

Uhh, I can’t remember the other. Here is what Avast says:

10.05.2013 18:33 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=51&st=tg&zn=atgnb/forums&kw=fid%3D23&sz=1&ref=http://forum.notebookreview.com/off-topic/718189-website-infected-according-avast.html&cookie= URL:Mal
10.05.2013 18:32 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=55&st=inet.wht.forums&zn=forumid31&kw=u:0&sz=1&ref=http://www.webhostingtalk.com/showthread.php?s=d3ab6060cb83bb6e06f1dea9fbc6313f&t=1264672&page=2&cookie= URL:Mal
10.05.2013 18:31 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=55&st=inet.wht.forums&zn=forumid31&kw=u:0&sz=1&ref=http://www.webhostingtalk.com/showthread.php?t=1264672&cookie= URL:Mal
10.05.2013 18:30 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=51&st=tg&zn=atgnb/forums&kw=fid%3D23&sz=1&ref=http://forum.notebookreview.com/off-topic/718189-website-infected-according-avast.html&cookie= URL:Mal
10.05.2013 18:27 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=51&st=tg&zn=atgnb/forums&kw=fid%3D23&sz=1&ref=http://forum.notebookreview.com/newthread.php?do=newthread&f=23&cookie=

Is this a false positive? I dunno anything, I’m clueless at this stuff, lol.

edit: Someone who knows more than me claims these are false positives

http://my.jetscreenshot.com/18363/20130511-4spr-73kb.jpg
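As an added example (not code from any poster here), a small Python parser for NetworkShield log lines of the shape quoted above: it tolerates a line with no verdict at the end and extracts the flagged host, path and the embedding (referrer) site, which is what a publisher triaging a block would want to see. The sample lines are copied from the post above; the function names are my own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample (the lines quoted above); the last line carries no verdict.
SAMPLE_LOG = """\
10.05.2013 18:33 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=51&st=tg&zn=atgnb/forums&kw=fid%3D23&sz=1&ref=http://forum.notebookreview.com/off-topic/718189-website-infected-according-avast.html&cookie= URL:Mal
10.05.2013 18:32 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=55&st=inet.wht.forums&zn=forumid31&kw=u:0&sz=1&ref=http://www.webhostingtalk.com/showthread.php?s=d3ab6060cb83bb6e06f1dea9fbc6313f&t=1264672&page=2&cookie= URL:Mal
10.05.2013 18:27 NetworkShield http://a.dpmsrv.com/pixel.php?t=1&cl=51&st=tg&zn=atgnb/forums&kw=fid%3D23&sz=1&ref=http://forum.notebookreview.com/newthread.php?do=newthread&f=23&cookie=
"""

# date time shield url [verdict]; the verdict group is optional.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4}) (?P<time>\d{2}:\d{2}) "
    r"(?P<shield>\S+) (?P<url>\S+)(?: (?P<verdict>\S+))?$"
)
# The referrer is passed unencoded, so we stop at the next '&' rather than
# trusting a generic query-string parser to keep it whole.
REF_RE = re.compile(r"[?&]ref=([^&\s]*)")


def parse_line(line):
    """Return a dict describing one NetworkShield line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    url = m.group("url")
    parts = urlsplit(url)
    ref = REF_RE.search(url)
    referrer_host = urlsplit(ref.group(1)).netloc if ref else ""
    return {
        "date": m.group("date"),
        "time": m.group("time"),
        "shield": m.group("shield"),
        "host": parts.netloc,
        "path": parts.path,
        "referrer_host": referrer_host,
        "verdict": m.group("verdict"),  # None when the line carries no verdict
    }


def flagged_referrers(log_text):
    """Count, per embedding site, how many lines were actually given a verdict."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["verdict"]:
            counts[rec["referrer_host"]] += 1
    return counts


if __name__ == "__main__":
    for site, n in flagged_referrers(SAMPLE_LOG).items():
        print(f"{site}: {n} flagged request(s)")
```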

Wepawet and Quttera only detected the link as suspicious

http://wepawet.iseclab.org/view.php?hash=168003de56f214f3a15cbf276aa4123a&t=1368240529&type=js

http://quttera.com/detailed_report/www.notebookreview.com

is not blacklisted and considered clean
http://sitecheck.sucuri.net/results/www.notebookreview.com/

http://zulu.zscaler.com/submission/show/d2ac30286979eac9a557cba6b443ede9-1368239978

http://www.urlvoid.com/scan/notebookreview.com/

I did a scan but nothing has been found

https://www.virustotal.com/en/url/2098e0bd613235c8d8461d9f69406be5b33b03fc9a76aaea1c98cef2c93456c1/analysis/1368239804/

https://www.virustotal.com/en/url/85df1a8a0647b0806d0d2ee5a0131fe3901cb4bf9adb9844729dff7c9392cea9/analysis/1368239845/

https://www.virustotal.com/en/file/d524355b9f272b6ff2a9e9ba2a14e1a44c52ba6d636d704e62763cd66151c2f9/analysis/1368221125/

Reported to analysts

The suspicious file is a detected hidden iframe tag to ‘assetscdn.com’,
which should not be malicious per se: http://evuln.com/tools/malware-scanner/assetscdn.com/
as it is a helper module for connect-assets to upload your files to a CDN.

Additionally I found a flag for your facebook plug-in, see:
https://www.virustotal.com/nl/url/ff2f13ab9a225f5001e50ffcfbc0868185c4aac481257e110d57c612460d751a/analysis/1368266198/

The potentially suspicious code: Potentially Suspicious
Reason: Suspicious JavaScript code injection.
Details: Procedure: + has been called with a string containing hidden JavaScript code.
Written in CoffeeScript.
Suspected XSS Attack code

Blocked URL: -http://www.google.nl/search?output=search&sclient=psy-ab&q=[[varmatch%3Dregex.exec(tag)||[]%3Breturnmatch[2]||match[3]%3B}%3B}varSCRIPT_TAGS%3D%2F(<script[\s\S]*%3F>)([\s\S]*%3F)<\%2Fscript>%2Fig%2CSRC_REGEX%3DattrPattern('src')%2CSRC_ATTR%3DmatchAttr('src')%2CTYPE_ATTR%3DmatchAttr('type')%2CLANG_ATTR%3DmatchAttr&btnK=

Visit anyway plug-in to get string values but unable to properly scan site. Site returning error (40x): HTTP/1.1 404 Not Found
Verdict: normal jQuery JS → http://jsunpack.jeek.org/?report=6dc9b7ddbabe0370e4c31d8941266cb9bc0a6d27

polonus

These test plug-ins could reveal some hick-ups (they are from Noah Sloan) → https://github.com/bitovi/canjs/tree/master/control

polonus

I have no idea what you guys are talking about. Most people I have talked to said basically that it is nothing except false positives and that Avast Internet Security (paid version) does not report anything wrong with these sites just the free version. Also other AV programs are not finding anything wrong. I can’t figure out how to make the popups stop and they are annoying so I’m just going to install MSE and drop avast.

edit: uninstalled avast, installed MSE, now i have no stupid popups. Good enough for me, thanks guys.

Nobody said that there was no false positive. It is all in the game with general and heuristical detections or blocking an IP with a lot of domains sharing the same IP. What we have pointed out to the webmaster or hoster of this site is that there is weak, potentially suspicious or vulnerable code on the site. If there are weaknesses or weak plug-ins being used with vulnerabilities then your site could be hacked any time and all of the time. Malcreants work on automatic; it is just luck when the vulnerable site stays clean or the malware is taken down in time. Attackers always go for the low hanging fruit and theirs is an ongoing “game”.

If you say you're not interested and would rather downgrade to an av solution that will detect less and will give you a false sense of security, OK with us. Do as you please, go into denial. We have analyzed too many websites here not to be aware of the weak points in some…

polonus

Hi,
do you really doubt Avast’s trustworthiness?? If you think or your friends think that MSE is a better solution, then go on and install it. I guess your friends are l33t haxx0rz, and I would also like to inform you that Avast Free & Paid are both using the same engine.
Regards,
Philip

Sorry guys I guess I wasn’t clear. The technical things that you were posting, I did not understand. I don’t understand the terminology/technical language. I actually like avast better than MSE because I do believe that the protection is better with avast and avast has more features. But when I post on those boards or try to read them the popups are just going off non-stop and I couldn’t make them stop (or don’t know how to). It doesn’t seem like I’m getting any viruses/etc from using the board. And there is info there I need. I think what you might be saying is that there is a vulnerability there and the forums could become infected but they are not yet. So I am taking a risk if I use the boards. I keep backups so I can reimage if I have problems. I didn’t mean to offend anyone. One guy on the forum said he was using Avast Internet Security and wasn’t getting the warnings, but I don’t know the guy personally, he could be lying for all I know. Anyway this is the link to where it is being discussed:

http://forum.notebookreview.com/off-topic/718189-website-infected-according-avast.html

Hi cham44,

If you get constant pop-ups the actual machine you get these from might be malware infested.
Post the logs mentioned here and a qualified removal expert might look into them and help you cleanse the malcode.
I shall PM the removal specialist,

polonus

Hi,
a comment from that forum you posted:
“paid avast internet security has not had any false positives and no threats today. seems to be only hitting the free version.”
This is by far one of the funniest comments I’ve ever read in my entire life, I am about to die of laughter ;D ;D .

One more:
“All the ones that work from Microsoft Security Essentials to Kasperky. They all work. Using a combo of them is good also. Plus your firewall and browser settings/plugins matter. Perhaps even more so than an antivirus program.”
Among the “computer geeks”, it is well known that you should NOT use more than 1 antivirus; it’s a rule :wink: . Read here why:
http://www.bleepingcomputer.com/forums/t/186533/is-it-bad-to-run-multiple-antivirus-programs/?p=1046121

My advice is to stay away from the bogus & wannabe computer technicians that have no idea what they’re doing.