Potentially Suspicious files on avast site

Hi,

Today I scanned avast.com with VirusTotal and checked the quttera.com link (http://quttera.com/detailed_report/www.avast.com). I was a bit irritated about the potentially suspicious file. But since I'm not an expert, maybe an avast team member can clear things up.

Thanks!

Sucuri. http://sitecheck.sucuri.net/results/static.avast.com/9/web/j/jquery.js

Thanks Pondus. Do you have any idea why Quttera marks it as suspicious? As I said, I'm not a programmer but I'm interested in :slight_smile:

Nope

Scanned the suspicious code at Jotti
http://virusscan.jotti.org/en/scanresult/0fe1a84aa0790de7ac1801dc574d94a2edc40486

Something about a hidden JavaScript. Whatever that means:

It is a potential suspicious web accessibility testing JavaScript code injection for avast.com/9/web/j/jquery.js (iframetabindex): http://jsunpack.jeek.org/?report=a44338ddf846b1625a9672c57c378e07505679b2
Also found in attack code like Blocked URL: q=%5B.fn%5Bc%5D.src%3Br%3Dr%2526%2526r%2Ba()%3Bq%3D%24(‘%3Ciframetabindex%3D&oq=%5B.fn%5Bc%5D.src%3Br%3Dr%2526%2526r%2Ba()%3Bq%3D%24(’%3Ciframetabindex%3D& blocked by Netcraft extension as Suspected XSS Attack

According to me it is benign code → http://zulu.zscaler.com/submission/show/c6703f6f72bda80870a617d208d6c45e-1387547746

polonus

I also get a JavaScript check anomaly on avast.com/9/web/j/jquery.js → Suspicious

-ru">Россия

  • south africa
  • <li class…

and 404 error check → Suspicious 404 Page:

.ru/error-page.php">Россия

redirecting via htxp://www.avast.co.jp/error-page.php

polonus

Thanks polonus. So does that mean that there is indeed malicious code on avast.com? Sorry, I'm not familiar with coding.

Here is the code Quttera is mentioning:

    [[.fn[c].src;r=r%26%26r+a();q=$('<iframetabindex="-1"title="empty"/>').hide().one("load",function(){r||l(a());n()}).attr("src",r||"javascript:0").insertAfter("body")[0].contentWindow;h.onpropertychange=function(){try{if(event.propertyName==="title"){q.document.title=h.title}}catch(s){}}}};j.stop=k;o=function(){returna(q.location.href)};l=function(v,s){varu=q.document,t=$.fn[c].domain;if(v!==s){u.title=h.title;u.open();t%26%26u.write('<script>document.domain="'+t+'"<\/script>');u.close();q.location.hash=v}}})();returnj})()})(jQuery,this);(function(a){a.easytabs=function(j,e){varf=this,q=a(j),i={animate:true,panelActiveClass:"active",tabActiveClass:"active",defaultTab:"li:first-child",animationSpeed:"normal",tabs:">ul>li",updateHash:true,cycle:false,collapsible:false,collapsedClass:"collapsed",collapsedByDefault:true,uiTabs:false,transitionIn:"fadeIn",transitionOut:"fadeOut",transitionInEasing:"swing",transitionOutEasing:"swi]]
    

No, it does not imply that. The code used is not suspicious or malicious as such. It is just a code insecurity that has some slight potential to be abused, or coding practices, used by the external developers of that bit of code, that Quttera flags as not optimal where secure coding is concerned. They are more or less “preaching to the choir” of secure coding practitioners. And you know coders and developers are often under heavy pressure to deliver and secure coding is not always their first priority. So nothing to be alarmed about, just a hiccup that could be coded better.
Actually it is the tiny bit

    %26%26r

that alerted Quttera’s…

polonus

Okay, thanks. I was a bit worried at the beginning but now I can relax :slight_smile: Could you elaborate what's so bad about this “%26%26r”?

Nothing so bad about it; the only reason it is being flagged is because it is hidden code and the Quttera scanner stumbles on that accent mark and so flags it, so it could be a hidden frame color code. It is just flagged because in a strict sense it is not secure code hex… only under certain conditions could the code be insecure and be abused; here it is not.

Examples of real XSS attack code: <IMG%20SRC=‘%26%23x6a;avasc%26%23000010ript:a%26%23x6c;ert(document.%26%23x63;ookie)’>

polonus
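
The two encoded strings discussed in the thread, decoded side by side, as an added example that is not part of any forum post: `%26` is the percent-encoding of `&`, so the flagged jQuery fragment contains the minified expression `r&&r+a()`, while the XSS sample decodes to a script-scheme URL. The function names, the shortened jQuery fragment and the straight quotes in the XSS sample are assumptions made for this example.

```python
import html
import re
from urllib.parse import unquote

# Strings taken from the thread. The jQuery fragment is shortened to the part
# around %26%26r; the XSS sample uses straight quotes instead of the forum's
# typographic ones.
FLAGGED_JQUERY = "[.fn[c].src;r=r%26%26r+a();q=$('<iframetabindex=\"-1\"title=\"empty\"/>').hide()"
XSS_SAMPLE = ("<IMG%20SRC='%26%23x6a;avasc%26%23000010ript:"
              "a%26%23x6c;ert(document.%26%23x63;ookie)'>")

# src/href attribute with a quoted value (re.S lets the value span newlines).
ATTR_URL = re.compile(r"""(?:src|href)\s*=\s*(['"])(.*?)\1""", re.I | re.S)


def normalize(text, max_rounds=5):
    """Percent-decode, then HTML-entity-decode, until the text stops changing."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(text))
        if decoded == text:
            break
        text = decoded
    return text


def hidden_script_urls(raw):
    """Return attribute URLs that read as javascript: only after decoding."""
    if "javascript:" in raw.lower():
        return []  # scheme is in plain sight, nothing was hidden by encoding
    hits = []
    for _quote, value in ATTR_URL.findall(normalize(raw)):
        # Browsers ignore tab, CR and LF inside a URL, so drop them as well.
        compact = re.sub(r"[\t\r\n]", "", value).strip().lower()
        if compact.startswith("javascript:"):
            hits.append(compact)
    return hits


if __name__ == "__main__":
    for name, sample in (("jquery.js fragment", FLAGGED_JQUERY),
                         ("XSS sample", XSS_SAMPLE)):
        print(name, "->", repr(normalize(sample)))
        print("  hidden script-scheme URLs:", hidden_script_urls(sample))
```
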