I'm sure this is just a false alert. Just wanted to talk about it.

I bought a new Razer headset today. They told me to download a surround sound program from their official site: www.razerzone.com/surround/ . So I downloaded it and tried to install it… then an Avast popup comes up and tells me that it's malware. I already sent a report about it. It should be a false alarm, but now Avast won't let me install it. I have attached a picture of that Avast popup.

The popup shows a blocked URL, not a program.

URL:Mal = Blacklisted URL or IP

Website seems to be infected or has a leftover script from a removed infection? >> https://sitecheck.sucuri.net/results/www.razerzone.com

Zulu URL Risk Analyzer
http://zulu.zscaler.com/submission/show/875ee6ae1287acceb1507aa837eeb7d3-1464200050

Oh I see… Actually that popup came up when the installer started to update or something. Even a big company like Razer can get its site infected? Damn. Oh, I guess I have to wait until they clean up their site.

Actually that popup came up when the installer started to update or something
Seems it tries to contact a blacklisted URL.

Have notified Avast; check back for a reply tomorrow.

Hi kz91 and Pondus,

Whatever the outcome, they have some code to mitigate and retire anyway (zip file for later reference):
-http://www.razerzone.com
Detected libraries:
jquery - 2.1.4 : (active) -https://ajax.googleapis.com/ajax/libs/jquery/2.1.4/jquery.min.js *
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
jquery - 1.6.4 : -http://cdn.optimizely.com/js/529790331.js **
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
https://github.com/jquery/jquery/issues/2432
http://blog.jquery.com/2016/01/08/jquery-2-2-and-1-12-released/
(active) - the library was also found to be active by running code
2 vulnerable libraries detected

This external script ** has a questionable web reputation as a tracking script: https://www.mywot.com/en/scorecard/cdn.optimizely.com?utm_source=addon&utm_content=rw-viewsc

That there are some issues with external third-party scripts is shown by these test results:
https://sritest.io/#report/5d8d737a-2884-4781-b311-0c0ad575fd95
3 Stylesheet issues and 3 Script issues with missing SRI hashes.

Missing SRI hash *, Missing SRI hash, Missing SRI hash

Wonder whether it is these iframes ***: Any iframes? Yes, there are; they are:

Normally wXw.googletagmanager.com is blocked by adblockers ***

But wait for the final verdict from an Avast Team Member,

polonus (volunteer website security analyst and website error-hunter)

Hi, we blocked cfbeta.razersynapse.com/1457950589rzrmodrazer_common_config_v2.57.301.6_v2.exe
because we have spotted malware being downloaded from it: https://www.virustotal.com/en/file/ec54dc73a6283b5a460b12d4af55f8f0a6704917223ad69e9622e8f275f3e391/analysis/1399286599/

Most likely this was an infection on the user’s end, and not a threat to all users.
I have unblocked the URL, and will alter the rule so it does not block the URL when the file has been infected on the way.
Thanks for reporting it!

Thanks, HonzaZ,

Thanks for reporting that there is no real immediate malware threat.
Seems now they only have to retire whatever script has been flagged,
and also generate the missing SRI hashes,
whenever these could be implemented without causing issues elsewhere,
while hxtp://cdn.optimizely.com/js/529790331.js will stay a bit of a controversial item there.
Oh, and I'd rather block this from running: htxp://i.kissmetrics.com/i.js (online tracker)
and htxp://doug1izaerwt3.cloudfront.net as another ad and tracking server (found in the adblocker's EasyList).

polonus

So what now? Is this my problem or Razer's? I didn't properly understand your replies ;D . Should I also tell Razer about this, or?

Not yours, not Razer's, but ours… Everything should be fixed already :)

So… it was a false alert after all? Avast just thought it was a bad URL?

Precisely. We have spotted a user with a totally malicious file that came from that domain, but what most likely happened was that the file was infected on the way, and there is no reason to block the domain because of that.