I bought a new Razer headset today. They told me to download a surround sound program from their official site: www.razerzone.com/surround/ . So I downloaded and tried to install it… then Avast popup comes and tells me that it’s a malware. I already sent a report about it. It should be false alarm but now Avast won’t let me install it. I have attached a picture of that Avast popup.
The popup show a bloked URL not program
URL:Mal = Blacklisted URL or IP
websites seems to be infected or have leftover script from a removed infection? >> https://sitecheck.sucuri.net/results/www.razerzone.com
Zulu URL Risk Analyzer
http://zulu.zscaler.com/submission/show/875ee6ae1287acceb1507aa837eeb7d3-1464200050
Oh I see…Actually that popup came up when the installer started to update or something. Even big company like Razer can get their sites infected? Damn. Oh I guess I have to wait until they clean up their site.
Actually that popup came up when the installer started to update or somethingSeems it try to contact a blacklisted URL
Have notified avast, check back for a reply tomorrow
Hi kz91 and Pondus,
Whatever the outcome, they have some code to mitigate and retire anyway (zip file for later reference):
-http://www.razerzone.com
Detected libraries:
jquery - 2.1.4 : (active1) -https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js *
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
jquery - 1.6.4 : -http://cdn.optimizely.com/js/529790331.js **
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected
This external script ** has questionable web rep as tracking script: https://www.mywot.com/en/scorecard/cdn.optimizely.com?utm_source=addon&utm_content=rw-viewsc
That there are some isssues with external third party scripts is shown from these test results:
https://sritest.io/#report/5d8d737a-2884-4781-b311-0c0ad575fd95
3 Stylesheet issues and 3 Script issues with missing SRI hashes.
Wonder whether it is these iFrames ***: Any iframes? Yes there are, they are:
Normally wXw.googletagmanager.com comes blocked by adblockers ***But wait for the final verdict from Avast Team Member,
polonus (volunteer website security analyst and website error-hunter)
Hi, we blocked cfbeta.razersynapse.com/1457950589rzrmodrazer_common_config_v2.57.301.6_v2.exe
because we have spotted malware being downloaded from it: https://www.virustotal.com/en/file/ec54dc73a6283b5a460b12d4af55f8f0a6704917223ad69e9622e8f275f3e391/analysis/1399286599/
Most likely this was an infection on the user’s end, and not a threat to all users.
I have unblocked the URL, and will alter the rule so it does not block the URL when the file has been infected on the way.
Thanks for reporting it!
Thanks, HonzaZ,
Thanks for reporting that there is no real immediate malware threat.
Seems now they only have to retire whatever script has been flagged,
and also generate the missing SRI hashes,
whenever these could be implemented without causing issues elsewhere,
while hxtp://cdn.optimizely.com/js/529790331.js will stay a bit of a controversial item there.
Oh and I’d rather block this running: htxp://i.kissmetrics.com/i.js (online tracker)
and htxp://doug1izaerwt3.cloudfront.net as another ad- and tracking server (found in adblocker’s easylist).
polonus
So what now? Is this my problem or Razer’s? I didn’t properly understand your replies ;D . Should I also tell Razer about this or?
Not yours, not Razer’s, but ours… Everything should be fixed already
So…it was a false alert after all? Avast just thought it’s bad URL?
Precisely. We have spotted a user with a totally malicious file that came from that domain, but what most likely happened was that the file was infected on the way, and there is no reason to block the domain because of that.