Reporting False Positives and Other Errors

Over the past few weeks I have been trying to impress upon the Avast team that bruutea.co.uk is NOT really infected with malware. Sadly I have been ignored by Avast at every turn. It would not be so bad if the software blocked the site for a legitimate reason, but the Avast warning panel gives little or no information other than URL/MAL for the reason it is blocking the site. Reporting the find as a false positive leads absolutely nowhere, and I therefore don’t believe that Avast actually monitors the false-positive reports any longer.

Come on Avast… what are you playing at? You are putting yourself in a bad position with a legitimate business. They would be able to sue you for blocking their site under false pretences. Their claim for loss of business could be huge. We also need a more informative information panel that can tell us why you feel that the URL carries a hazard. And we need to see that you are actively listening to us. Else you will go the way of several security companies previously… down the pan because we will stop trusting you.

bruutea.co.uk is NOT malware!

Reported to Avast.

I see some evidence of malware coming from the IP you share at Shopify that could give ground to this, and so it is not only Avast reporting this, see: https://otx.alienvault.com/indicator/ip/23.227.38.32/

There is some jQuery library code that should be retired (zip file and save for later reference):
-http://bruutea.co.uk
Detected libraries:
jquery - 5f52c6aafe08e99b5fd74bc04431f32 : -http://cdn.shopify.com/s/assets/themes_support/api.jquery-5f52c6aafe08e99b5fd74bc04431f324d961490d08bb70ca69b5e05941aa4323.js
Info: Severity: medium
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-4969
http://research.insecurelabs.org/jquery/test/
Info: Severity: medium
http://bugs.jquery.com/ticket/11290
http://research.insecurelabs.org/jquery/test/
jquery - 1.10.0 : -http://cdn.shopify.com/s/files/1/0579/7597/t/3/assets/jquery-1.10.0.min.js?6564682951484476076
backbone.js - 0.9.10 : -http://cdn.shopify.com/s/files/1/0579/7597/t/3/assets/plugins.js?6564682951484476076
1 vulnerable library detected

Possible frontend SPOF on your website:

-fonts.googleapis.com - Whitelist
(47%) -
(46%) -
translate.google.com - Whitelist
(2%) -

So all in all I reckon it is not your domain, but rather the bad apples of domains that are your neighbours on that same IP that cause this qualification as “unsafe website”. So you could ask for an exclusion with an Avast Team Member and wait for their final verdict.

Interestingly, the main domain -bruutea.co.uk. resolves to:
Canada 23.227.38.32 → http://toolbar.netcraft.com/site_report?url=bruutea.co.uk
Domain www.bruutea.co.uk. resolves to:
Canada 23.227.38.69 shop currently unavailable → http://toolbar.netcraft.com/site_report?url=www.bruutea.co.uk
Canada 23.227.38.71 shop currently unavailable tcpwrapped unsupported version
Canada 23.227.38.68 shop currently unavailable
Canada 23.227.38.70 shop currently unavailable → http://toolbar.netcraft.com/site_report?url=http://23.227.38.70

polonus (volunteer website security analyst and website error-hunter)

"Over the past few weeks I have been trying to impress upon the Avast team that bruutea.co.uk is NOT really infected with malware."
avast doesn't say that the site is infected. It says that the domain and/or IP is blacklisted, and that is true. Therefore it is not a false positive.

Blacklisted :
https://www.virustotal.com/en/url/1db59ee9c7952005b1ba18b637dc3d6f8a9a88184e820c1d91967c9f534660db/analysis/1456523430/
http://multirbl.valli.org/lookup/23.227.38.32.html

IDS detections :
http://urlquery.net/report.php?id=1456523632053
http://urlquery.net/report.php?id=1456523633246

Suspicious files (likely malware) :
http://quttera.com/detailed_report/bruutea.co.uk

JQuery problems (likely to cause infections) :
http://retire.insecurity.today/#!/scan/be970e803ae4ed83ff9bdc9e056b2198f1b051be51e760ec9425faa847c805e8

Inconsistent server configuration :
https://www.ssllabs.com/ssltest/analyze.html?d=bruutea.co.uk

Thank you Eddy for your results, and I would like to add the following considerations.

And in the code flagged by Quttera as suspicious, as with the detected potentially suspicious initialization of a function pointer to the JavaScript method document.write (__tmpvar615193464 = document.write;),
just for security estimation depending on where the code has access to… for which there is ground as we consider the results of this scan: https://sritest.io/#report/ab2f3328-5c37-44a6-b970-4f8caad25903 13 issues…
a.o.:
Tag / Result: Missing SRI hash (the same result repeated for ten tags)

And then we find:
Results from scanning URL: -https://cdn.shopify.com/s/javascripts/trekkie.storefront.min.js?v=
Number of sources found: 131
Number of sinks found: 35
landing here: Results from scanning URL: -http://mangum38erlandsen.webgarden.com/scripts-b.js?v=163
Number of sources found: 170
Number of sinks found: 60
“How to cheat as well as hack the mobile game subway surfers for free”.

polonus

Hi,
This domain was blocked back in 2015 because of Angler EK. I do not see anything malicious on the domain right now, so I am unblocking it.