Background: I get a pop up warning me of a VBS.Jscript type virus when after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of its argument to make a proof of concept here. Avast traps it even with the stripped version I’m supplying at the bottom of this post.
Well, I decided to analyze your engine’s behavior in the code I sent to your support team, by removing/adding tidbits of code and rescanning to see what triggers the positive… as funny as it may sound, there seems to exist many conditions to create a trap for your engine in the context of the code I hereby supply and I get the funny feeling this has been hardcoded in your engine. I’m using the latest free home edition, with the latest definitions db on WinXP SP2, latest patches. The conditions I note are as follows:
1- Request of favicon.ico in the head section of the html page - really, the name of the file itself.
2- Standard html comments <!-- with string numbers, date/version of their page I guess
3-
I know I may have trouble finding a friend here since so many ppl are adamant about avast. I’m not bashing at the product… but some newbies came in the chat room I was and started making bold claims that there was a virus etc. in the channel script.
I mean, nothing is perfect… I used to remember that a version of Norton AV would not detect a virus present in a folder with a path longer than 255 characters etc… Symantec would never confirm my analysis… so I don’t expect much from support teams anymore.
I’ve been working many years as a security consultant, especially in the micro field, advising clients, preparing procedures for virus recovery, hardening pcs etc, and those ppl were saying that since they had installed avast, they saw so much more alerts than with AVG or other products… I told them it was ridiculous to make a judgment based on the number of alerts an AV will generate… as these alerts may be false. Now I see that some pages on Ebay will trigger the same alert VBS.Jscript I had. Those ppl are newbies, amateurs, so I understand their behavior… I’m used to users who “think” they know, as I’ve seen that often in a corporate setting. But I’d like the support team to confirm my analysis and if that can help them, more power to all of us!
Background: I get a pop up warning me of a VBS.Jscript type virus when after a few minutes in a chat room on Adultfriendfinder.com - the file flagged is called body.htm and is basically used by the site to store some of that chat that goes on in the channel. At the beginning of the file, there is a javascript, which I stripped of its argument to make a proof of concept here. Avast traps it even with the stripped version I'm supplying at the bottom of this post.
We would all be interested to know what ALWIL'S / Vik's response to your analysis of Avast! would be. I doubt it would be discussed openly here though.
Technically I can add nothing, but using common sense the above mentioned site is a part of a huge network of data collection sites, permeating substantially throughout the web. Visiting such a network would require plenty of realtime defence. Avast!'s response, off hand, seems quite appropriate whatever the inner workings you have defined. Thanks for your interest and feedback.
Good Luck ;D ;D ;D
I read that and I fail to see what you really mean? This is a dating service web site… the biggest in the world, some 20 million users. And yes it is quite a network, but Avast only reacts to the chat room script. And the script is absolutely fine. Even if it were not fine, I’ve proven here that Avast traps the script even without arguments passed to window.open… as it is the script in my proof of concept cannot do a single thing. How can you say Avast’s response seems quite appropriate? You must be joking? It is not appropriate for an AV to create false positives like that - I mean, anyone that knows basic Jscript knows there is nothing wrong with the code I posted. Realtime defense against what? Common Jscript? In what way is buffering of simple chat data something we should be defended against? Is Avast an antivirus or a privacy/confidentiality suite - and even if it were the latter, I fail to see how Avast protects my confidentiality by stopping me from accessing the chat room? Because I would talk about myself in the room or what lollllllllllll Or is Avast enforcing political correctness and puritan sexual behavior in its real-time defence? lolllllllllllllllllllllllllll That’s too funny… but I respect your opinion…
And why would they not reply to that openly… I mean, I’m not showing a terrible weakness, I haven’t decompiled their code or reverse engineered it to show anything wrong… what can happen though, and I’m expecting that, is that at some point I will update my definitions and the code I show will no longer be trapped by Avast… and my analysis will be confirmed!
I’m curious as to what you meant, but hey thanks anyway
AFF “Chat” triggered a response from Avast! Your analysis of this response indicates a false positive.
This site and its affiliates are a very sophisticated Network. I doubt they have any reason to cause your computer harm, then you wouldn’t come back but I’d be checking out for Tracking cookies / and their scripts.
We’re talking about scripts from the chat room; as a help I feel you may need to examine these scripts further. I have no idea what script programs you’re running, or your browser settings, but have a look at your java script settings. Yes I’m off topic with your queries about Avast!, but maybe its false response may lead you to another problem, as regards to scripts…
2. This site and its affiliates are a very sophisticated Network. I doubt they have any reason to cause your computer harm, then you wouldn't come back but I'd be checking out for Tracking cookies / and their scripts.
Yes, that may be right... tracking cookies for sure, multiple scripts etc... but this is all the inner workings of a complex site... cookies can be flushed, scripts can be disabled from IE, whatever, I agree. But indeed this is remote from the subject ;)
We're talking about scripts from the chat room; as a help I feel you may need to examine these scripts further.
I have examined the script in high detail, here it is again:
Won’t there be a single programmer in Jscript that will have the guts to testify that this is completely harmless? I mean, take this code, put it in notepad, change the extension to .html and run it… it does nothing… there is NO ARGUMENT passed to window.open!!!
I tried the code, and the first thing that happened was “Internet Explorer has restricted this file from showing active content that could access your computer”.
Well, it’s been a full week, and no significant reply from any support staff to acknowledge or infirm what I have written. As of today, the 5th, that code I posted is still trapped by the Avast engine, despite many updates to the signature during the week. What is that???
Thanks for replying ASAP.
Trial_user who deactivates Avast before going to the chat room.
Yeah, yeah, sure, then allow IE to execute it and see if it does anything… it does nothing because it’s only a declaration of a function which has no argument. It’s sad when newbies try to help me when it should be the SUPPORT STAFF that should take this more seriously and try.
If newbies are scared off by WinXP script execution prevention, and avast’s false positive, I am not - because a newbie considers that if Avast says it’s a virus, then it’s a virus - but I am not a newbie, this code is harmless, avast is making a flagrant false positive and no one corrects it or shows any intent of correcting it. Lame.
The thing is, my analysis is CORRECT, there is no viral or harmful code on the chat page I was describing, the code I pasted is inoperative, and I don’t need the support staff to confirm that to me. What I can confirm though is that this trial user will no longer be using that product shortly…i.e. when I take the 30 secs to do an uninstall in a few mins.
Thanks for your support! (Note I did not say thanks “support” - I wanted to thank those who took the time to write, some even despite their lack of knowledge, but always with the intent to help, in opposition to the support staff silence).
I don’t know where you took that reference but yeah, www.eicar.org, on this site you will find a file that contains a single string of characters that will make any antivirus pop an alarm. This is called the eicar test string, but I fail to see the link with what we were discussing, unless I missed something…
I just wanted to comment on your last point… You are totally right, but I analysed that in my very first mail - the combination of the script, and the head with the favicon.ico - there’s many factors together that generate this false positive, of course. If it would only take window.open for avast to make this false positive, I’d say this AV is crap and I wouldn’t waste any time. This case is a bit more complex. It is this exact combination of the call for the .ico file, the jscript with window.open and the html comments… but why is this not corrected yet, since there’s been many updates to the signature since my initial post?? And why won’t support comment on that once and for all? Well, I guess this is no better than Symantec support… for me to make it better I would need to send my CV ;D
Have you tried lowering your security settings in avast? It would be great if you could have a play around with the sliders and see whether it’s still detected.
Also, I am no newbie, I program in VB and VC++. I didn’t get any messages from Avast on my computer when I ran the code. As for the .ico, is it possible this isn’t a hidden script server side? There is an exploit of hiding code behind the premise of a gif, jpeg file. Could this be a similar thing?
I’ve put the code I pasted in a txt or htm file and scanned it with the shell extension… not the resident shield… so there is no way to change the settings, unless I am mistaken, but when the problem first happened, it was live on the web page chat, so it was the resident web shield, and it is set as it was installed, to normal setting that is. But I’ve checked the settings in the “custom” option for the different scanners shields, but there’s not much to play with that would allow me to differentiate the problem. If only I could disable “heuristics” for instance… that would help. I can’t.
I’m extremely surprised you didn’t get any pop-up from Avast by scanning this code. Can you confirm that you pasted the whole code I put here in an .txt file, and scanned it with the shell extension and it didn’t pop up as vbs/script worm? I have a hard time believing that… or are you saying that the resident shield didn’t do anything after you ran the file? I should make this clear: If I paste this in a file, rename to html then DOUBLE-CLICK it, I get a script prevention warning from XP but nothing from Avast… but if I SCAN the file with the shell extension, it’s detected as a virus, which makes no sense…
Your idea of a script hidden in an ico file is not bad, and I’ve alluded to that in my first mail, saying that they seemed to have hardcoded some symptoms of Code Red server side to trap my code, and it’s a very liberal (and flaky) interpretation… and I doubt you can script much in 2k. But I downloaded the ico file from the server and I paste here what notepad shows, you can put that to a txt file, and rename to ico and you’ll see this is an icon file…(well not really since I can’t really preserve the formatting but hey, this is what’s inside the .ico file) I see a BM8 in the header… that may be either a batch tool for autocad or a compressor for images… which seems fair in this case…
What I did mean by the icon file, is not that it’s sending you just a plain icon, or that there is anything in the icon file that in itself has any impact. It is possible to set up the server to send something else next to the icon file. Which you won’t pick up plainly in downloading the file.
I suggest going to dos prompt and loading up Telnet against the server and port number, and I think typing GET (…file name with directory structure). I think that is the one, I have an ebook which lists in great detail HTTP connections and using other methods other than a browser to obtain the header information that goes back and forth which isn’t visible in the HTML. There is even a proxy style program you can place in between to grab the header before it’s sent and alter it. There are many types of vulnerabilities that reside in the HTTP headers.
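As an added example (not code from any poster in this thread), here is a Python script that does what the telnet GET above does and then separates the response headers from the body, so the cookies and other headers sent alongside favicon.ico are visible, and checks the body's magic bytes against the declared Content-Type (an .ico starts with 00 00 01 00, a bitmap with "BM"). The sample response is constructed; fetch_raw is only needed for a live lookup and the host and path passed to it are assumptions.

```python
import socket
from typing import Dict, Tuple

# Constructed sample of a raw HTTP response for /favicon.ico (not captured from any real server).
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: image/x-icon\r\n"
    b"Set-Cookie: session=abc123; path=/\r\n"
    b"X-Custom-Header: example\r\n"
    b"Content-Length: 12\r\n"
    b"\r\n"
    b"\x00\x00\x01\x00\x01\x00\x10\x10\x00\x00\x01\x00"  # ICO header: reserved=0, type=1, count=1
)

# Which declared Content-Type values are consistent with each sniffed body type.
EXPECTED = {"ico": {"image/x-icon", "image/vnd.microsoft.icon"},
            "bmp": {"image/bmp", "image/x-ms-bmp"}}

def fetch_raw(host: str, path: str, port: int = 80) -> bytes:
    """Equivalent of the telnet session: send a bare GET and read the whole reply."""
    req = f"GET {path} HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    with socket.create_connection((host, port), timeout=10) as s:
        s.sendall(req)
        chunks = []
        while data := s.recv(4096):
            chunks.append(data)
    return b"".join(chunks)

def split_response(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw response into status line, lower-cased header map, and body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def sniff_type(body: bytes) -> str:
    """Classify the body by magic bytes rather than trusting the server's header."""
    if body[:4] == b"\x00\x00\x01\x00":
        return "ico"
    if body[:2] == b"BM":
        return "bmp"
    if body.lstrip()[:1] == b"<":
        return "html-or-text"
    return "unknown"

def inspect(raw: bytes) -> dict:
    """Report headers plus whether declared Content-Type matches the actual bytes."""
    status, headers, body = split_response(raw)
    declared = headers.get("content-type", "").split(";")[0].strip().lower()
    actual = sniff_type(body)
    return {"status": status, "headers": headers, "declared": declared, "actual": actual,
            "consistent": actual in EXPECTED and declared in EXPECTED[actual]}
```

A body that sniffs as html-or-text behind an image Content-Type is exactly the "something else next to the icon file" case worth looking at more closely.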