False Positive?

I was just reading an article which was posted on Wilders Security Forums and I received this alert.

http://imageshack.us/photo/my-images/24/avasty.png/

It said that it was a JavaScript exploit linking to a PDF file. Also, in the left-hand corner of Firefox it was trying to get to a site, or maybe a file, named Sator.VV.CC.

So what I did was go to that site; it automatically launched Java in my system tray, and then Firefox said it wanted to install a plug-in (see the picture above). Then I got the alert from Avast that it was blocked.

The original link is here: -http://www.geek.com/articles/chips/webgl-flaws-puts-chrome-and-firefox-users-at-serious-risk-2011059/ DO NOT CLICK THIS LINK IN CASE THERE IS STILL AN EXPLOIT. CLICK AT YOUR OWN RISK!

Funny thing is, right after this happened I was able to replicate it twice. Then, right after that, Avast AV updated its definitions. So I cleared the cache and went back to the site after the virus defs updated, and now it's not happening.

So, FP, or was the site temporarily hijacked and is now clean?

Any insight into this is appreciated.

Make the URL hxxp so it is unclickable.

Done.

Your image is unreadable (but the URL of the alert doesn’t appear to be the geek.com site). Crop the alert and it can be attached to the post using the Additional Options as a gif, png or jpg.

Since it was alerting on some manual.pdf file and the alert relates to a PDF exploit, that may well be a good detection. Were you trying to download a PDF at the time?

Hi,

No, I was not trying to download a PDF; I was just reading the article. Looks like a drive-by of some sort. Here is the alert you are asking for.

Thank you!

It was alerting on the PDF link on that page. It may have been cleaned, or it was an FP now rectified.

Well, there was a link on that page which, if you clicked it, took you to the proof of concept, and it may have been that demo exploit that is getting trapped. But the vv.cc domain doesn’t come out too clean on reputation; in this case it seems related to another sub-domain, but the whole domain appears to get tarred with the same brush, http://www.mywot.com/en/scorecard/sator.vv.cc, as it inherits the main domain's rep.

Also see http://www.urlvoid.com/scan/vv.cc.

Edit: Even if you manage to get round the various blocks, the file system shield, as the fallback option, alerts on it, so I rather doubt it is an FP. How it is being launched from that geek.com page is the thing; perhaps what they are on about is an exploit. But I doubt that too, as this doesn’t appear to follow the WebGL flaw.

See file properties from the avast chest.

Also see VT results, 19/42 hits, http://www.virustotal.com/file-scan/report.html?id=11ddae8d130b42d2814fab54b5edae4d1157f68c2dd8c7d6ff53f1fe56158e9d-1305322841

Thanks so much for the informative post back to me!

Cheers!

And Zscaler has a blog post on it: http://research.zscaler.com/2011/05/geekcom-hacked-with-exploit-kit.html

Nice catch avast!

Thanks for posting that!

Yes nice catch indeed by Avast. Thank you Avast!