False Positive Or Suspicious Link/File? | SecurityKiss.com & Setup File

Hello,

Today I was trying to download SecurityKISS Tunnel/VPN For Windows, for the first time, but Avast blocked it as possibly malicious.

Avast Program Version: 7.0.1473
Avast Database Version: 121031-0
Infection: URL:Mal

I am wondering if this is a false positive or not? (I am also going to email this to the Avast Team) :wink:

Here are some link scanner results for the link/file:

  1. http://www.avast.com/en-us/lp-fr-virus-alert?p_ext=&utm_campaign=Virus_alert&utm_source=prg_fav_70_0&utm_medium=prg_systray&utm_content=.%2Ffa%2Fen-us%2Fvirus-alert-alfa&p_vir=URL:Mal&p_prc=C:\Program%20Files\Mozilla%20Firefox\firefox.exe&p_obj=http://89.207.129.11/SecurityKISS/builds/01714567ed4e31d5/SecurityKISSsetup.exe&p_var=.%2Ffa%2Fen-us%2Fvirus-alert-alfa&p_pro=0&p_vep=7&p_ves=0&p_lqa=0&p_lsu=24&p_lst=0&p_lex=356&p_lng=en&p_lid=en-us&p_elm=7&p_vbd=1473

  2. http://zulu.zscaler.com/submission/show/be4c2eafd77b6b2c0825cc1a64302bed-1351714789

  3. http://www.urlvoid.com/scan/securitykiss.com/

  4. http://wepawet.cs.ucsb.edu/view.php?hash=d64fe4e09b4b4c799061faae6ac56566&t=1351715034&type=js

  5. http://sitecheck.sucuri.net/results/www.securitykiss.com

  6. http://safeweb.norton.com/report/show?url=http%3A%2F%2Fwww.securitykiss.com%2Fresources%2Fdownload%2Fdownload_starting

  7. http://www.browserdefender.com/site/www.securitykiss.com/

  8. http://www.siteadvisor.com/sites/http%3A//www.securitykiss.com/resources/download/download_starting

  9. http://www.webutation.net/go/review/securitykiss.com

  10. https://www.virustotal.com/url/598af01a2434bf7f55f41d2bea1fb61c92c490094d9d4550d53a6ef3e446183c/analysis/1351715228/

  11. http://anubis.iseclab.org/?action=result&task_id=13e7323efc9f91af4215309816cedefd9&format=html

Thank you,
-John Jr

Not clear here, but for the download request link I get an HTTP/1.1 301 Moved Permanently.
For this the location line in the header above redirects the request to:
htxp://www.securitykiss.com/resources/download/
On that I get an HTTP/1.1 302 Found and PHP cookies set:
Set-Cookie: PHPSESSID=^^^^ukhmgo^^^^; path=/
Set-Cookie: PHPSESSID=^^^^8j5fd70rehab74jb4^^; path=/ ^^^ broken by me pol
and again location line in the header above has redirected the request to: /resources/download/windows/
This is a conditional redirect and suspicious.

polonus

I wonder if that has anything to do with this message on their page:

“Every downloaded copy is unique. Do not share the program you downloaded. If you want to distribute this software, use Generic Installer”

Here are some file scanner results for their generic installer:

https://www.virustotal.com/file/31f02227fec650fde67faf7204f53ebcdffea0da0373a6efef2871b580ce5d10/analysis/1351721052/

http://valkyrie.comodo.com/Result.html?sha1=35c890d5d9e0962896872fb1a1855585ab79221b&&query=1&&filename=securitykisssetup.exe

Thank you Polonus for responding. :slight_smile:

Hi goodjohnjr,

Well break that link as hxtp will ye?
That would mean an additional bonus for the malcreants if they could have intruded, rendering their malcreation almost undetectable,
but not against website behavior analysis, as you see. Until given as clean I would stay away…as the site is also flagged here:
http://www.siteadvisor.com/sites/securitykiss.com

polonus

Hello Polonus, I am not exactly sure what you meant by: "Well break that link as hxtp will ye? ", but I am guessing that you meant to make that link not click-able, and so I removed that link. :wink:

Yeah, I will definitely stay away for now until the experts give us their results, thank you Polonus. :wink:

OK, see you are aware of that rule here now. ;D The same goes for code: always post it as an image, because an image of malcode cannot do any harm.
Sometimes the avast shields are triggered by parts of code, even without payload, and that is not what we want. ???
So if you wanna show something take an image of it and rub out the identifiables you do not want to share with a searchbot :D.
We do this all the time you know and are aware the Internet is looking over our shoulder all the time 8)

polonus

What about compressing the samples as .zip or .7z instead of putting them in an .iso, isn’t that okay as well?

And what do you mean by rub out the identifiers exactly and how, I just want to make sure I am understanding you correctly? :wink:

Thank you Polonus,
-John Jr :slight_smile:

An example will tell you more than a lot of words, see attached.
If you have captured a screen image you can work on it with a tool like Photo Filtre and rub out parts of the website or just crop out that part you want to show…

polonus

The SecurityKiss Team shared this link with me about their software being detected as a false positive:

hxtp://www.securitykiss.com/faq/index.php#falsepositive

Oh! So you were talking about taking Screenshots of a website and editing out the parts that you do not want to show, like the address?

Like this with the address bar cropped out:

http://forum.avast.com/index.php?action=dlattach;topic=108192.0;attach=96164

http://forum.avast.com/index.php?action=dlattach;topic=108192.0;attach=96166

I thought you were talking about something else, hahaha. :smiley:

Thank you Polonus. :slight_smile:

Hi goodjohnjr,

Their general website does not seem to be affected, it is just the download link (download).
See: http://chrome.quttera.com/chrome_detailed_report/www.securitykiss.com
Strict transport security on their website does not follow best practices.
Website transmits full server version number…

polonus

Yep, the main website showed up clean with most of the link scanners that I tried, thank you for the Quttera link (I like Zscaler and Quttera :wink: ).

By full server version number, do you mean Server IP address or what operating system version their server uses, and where on that report did you see that information?

Also what are the risks of showing the full server version number, let me guess, people will have a better idea of which exploits/security holes/malware to attack with? :wink:

Thank you,
-John Jr

Hi goodjohnjr,

With this I mean that they transmit the full server version number to the world, making it a tad easier for attackers to know about server vulnerabilities.
Those responsible for server security for the server on which that Irish website is run should know about this and it is quite easy to hide that full version number.

Webserver: Apache/2.0.63 (FreeBSD) PHP/5.2.5 with Suhosin-Patch mod_ssl/2.0.63 OpenSSL/0.9.7e-p1 mod_python/3.3.1 Python/2.5.1 mod_perl/2.0.3 Perl/v5.8.8

See: http://www.cyberciti.biz/faq/rhel-centos-hide-httpd-version/ link article by Nixcraft
The site also uses cookies without Platform for Privacy Preferences Project (www.w3.org/P3P/)

The website gives away, through the “X-Powered-By” HTTP header, that it is generating dynamic content. It is advisable to remove that particular header…

So you see another website hosted without seeking best practices in website security, making the website vulnerable to attacks and also less secure for visitors, but alas this situation is more the rule than the exception…

polonus
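As an added illustration of the checks polonus describes in this post and in the earlier redirect post (this is not code from the thread): a small Python auditor that walks a set of constructed responses modelled on the thread, reports the redirect hops, and flags version-disclosing Server headers, X-Powered-By, and session cookies missing HttpOnly/Secure. The raw responses and the cookie value are constructed samples; only the Server string is the one quoted in the post.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample responses modelled on the thread: a 301 -> 302 redirect chain
# and a final 200 whose Server header is the string quoted in polonus's post.
SAMPLE_RESPONSES = [
    "HTTP/1.1 301 Moved Permanently\r\nLocation: http://www.securitykiss.com/resources/download/\r\n\r\n",
    "HTTP/1.1 302 Found\r\nLocation: /resources/download/windows/\r\nSet-Cookie: PHPSESSID=EXAMPLE; path=/\r\n\r\n",
    "HTTP/1.1 200 OK\r\nServer: Apache/2.0.63 (FreeBSD) PHP/5.2.5 with Suhosin-Patch mod_ssl/2.0.63 OpenSSL/0.9.7e-p1 mod_python/3.3.1 Python/2.5.1 mod_perl/2.0.3 Perl/v5.8.8\r\nX-Powered-By: PHP/5.2.5\r\nContent-Type: text/html\r\n\r\n",
]

# A product token followed by a dotted version number, e.g. "Apache/2.0.63" or "Perl/v5.8.8".
VERSION_RE = re.compile(r"/\s*v?\d+\.\d+")


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Return (status_code, [(header_name_lower, value), ...]) from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def audit_chain(responses: List[str]) -> Dict[str, List[str]]:
    """Walk a redirect chain and collect the header-hygiene findings a defender would flag."""
    hops: List[str] = []
    findings: List[str] = []
    for raw in responses:
        status, headers = parse_response(raw)
        hdr = dict(headers)
        if status in (301, 302, 303, 307, 308):
            hops.append(f"{status} -> {hdr.get('location', '?')}")
        for name, value in headers:
            if name == "server" and VERSION_RE.search(value):
                findings.append(f"Server header discloses versions: {value}")
            elif name == "x-powered-by":
                findings.append(f"X-Powered-By header present: {value}")
            elif name == "set-cookie":
                # Attributes after the first ';' are the cookie flags; check the two that matter.
                flags = {p.strip().lower() for p in value.split(";")[1:]}
                missing = [f for f in ("httponly", "secure") if f not in flags]
                if missing:
                    findings.append(f"cookie {value.split('=')[0]} lacks {', '.join(missing)}")
    return {"hops": hops, "findings": findings}
```

On the server side, Apache's `ServerTokens Prod` and `ServerSignature Off` together with PHP's `expose_php = Off` remove the two disclosures the post describes.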

Thank you for explaining that and for sharing that link Polonus, I shared this link and recommendation to the SecurityKiss Team. :slight_smile:

The Avast Team said that they could not reproduce the detection and that the SecurityKiss website is not on their blocklist at this time, so it seems that their website and their installer are clean, and that it was probably a false positive. :slight_smile:

The SecurityKiss team thanks you for your full server version removal hint Polonus, and they will probably take your advice and adjust that. :wink:

If you have any other hints/suggestions/advice for the SecurityKiss Team, Polonus, please do contact them through their contact form: http://www.securitykiss.com/support/, I am confident that they will probably listen/respond to some of your suggestions. :slight_smile:

I would like to thank Polonus and the Avast Team for responding to my thread/issue :slight_smile: , this issue has now been solved; keep up the good work. :slight_smile:

-John Jr