So earlier, I loaded http://www.avast.com/eng/download-avast-home.html to grab the URL to paste in a forum to help some Norton trialware victims.
When I closed it, I saw it was making a request to a URL on the ssl-hints.netflame.cc domain name.
Being a naturally curious person, I looked into that domain and found two things:
it’s part of fireclick.com, which Avast appears to use for their web analytics
it contains this interesting file, hxxp://ssl-hints.netflame.cc/Fc/FcPred.class, which freaks Avast out if you try to open it.
So, uh… what’s going on here? Is it a false positive, or is Avast’s web analytics provider hosting malware on the side?
For reference, this is what Avast thinks of it:
A Virus Was Found!
There is no reason to worry, though. avast! has stopped the
malware before it could enter your computer. When you click on the
"Abort connection" button, the download of the dangerous file will
be canceled.
File name: hxxp://ssl-hints.netflame.cc/Fc/FcPred.class
Malware name: Other:Malware-gen
Malware type: Virus/Worm
VPS version: 090113-1, 01/13/2009
Maybe the problem is not a file but encrypted code in the homepage?
Please do not post live links to malware or false positives in the forum… edit them to hxxp, for instance.
Dump the contents of your IE cache -
Start → Settings → Control Panel → Internet Options →
Delete Files
Dump the contents of the Mozilla Firefox cache (if you use Firefox) -
Tools → Options → Privacy → Cache → Clear
Dump the contents of your Sun Java cache -
Control Panel → Java applet → Cache → Clear
or
Control Panel → Java applet → General → Settings →
Delete Files
Re-scan your system using your anti-virus software.
The old results had 4 matches, the new ones have 3, so one AV doesn’t think this is dangerous anymore.
Also note that Kaspersky does not flag it as dangerous.
All of this seems fairly consistent with a false positive getting slowly fixed in individual AV products.
Firstly, as far as I’m aware, avast doesn’t use “fireclick.com which Avast appears to use for their web analytics” but uses google-analytics and possibly akamai.net.
I use Firefox with NoScript, and they are the only ones I see on the main avast.com site. Now, I don’t know where you gathered the information from, but all HTTP traffic on port 80 goes through the avast web shield to be scanned (probably why avast freaked out, as you say). So if you see that attributed to the web shield, it is only the localhost proxy filter and not what originated the communication.
Thanks for the update. I didn’t look at that page, just a couple of others, and NoScript showed what scripts were on the page.
I can’t see why they would have the document.write in that form; perhaps to avoid HTML interpreting the word “script”, so they use ‘scr’+‘ipt’. I have to admit that when I see this I wonder why too.
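The reason for that ‘scr’+‘ipt’ pattern, as an added example that is not part of any post in this thread: the HTML tokenizer ends a script element at the first `</script` it meets and knows nothing about JavaScript string quoting, so an inline loader that document.writes a literal `<script …></script>` tag truncates itself at the inner closing tag. Splitting the word keeps those bytes out of the inline source, and the tag is only assembled when the script runs. The host name, file name and both loader strings below are constructed for this demonstration, and the parser is a minimal model, not a browser’s.

```javascript
// Added example, not from any post in this thread: why third-party
// loaders write '<scr'+'ipt ...></scr'+'ipt>' instead of the literal tag.
//
// The HTML tokenizer ends a <script> element at the first "</script" it
// sees; it knows nothing about JavaScript string quoting. An inline
// script whose source contains a literal "</script>" is therefore cut
// short at that point. Splitting the word keeps those bytes out of the
// inline source, and the tag is only assembled when the script executes.
// The host, path and loader strings below are constructed for this demo.

const TRACKER_HOST = 'ssl-hints.example.test'; // hypothetical analytics host

// Naive loader: the literal "</script>" sits inside a JavaScript string.
const LOADER_LITERAL =
  "document.write('<script src=\"https://" + TRACKER_HOST +
  "/track.js\"></script>');";

// Split loader, the pattern seen in the wild: "script" never appears
// contiguously in the inline source, so the tokenizer cannot match it.
const LOADER_SPLIT =
  "document.write('<scr'+'ipt src=\"https://" + TRACKER_HOST +
  "/track.js\"></scr'+'ipt>');";

// Embed a loader in a page the way a site would paste an analytics snippet.
function embed(source) {
  return '<html><body>\n<script type="text/javascript">\n' +
    source + '\n</script>\n</body></html>';
}

// Minimal model of the tokenizer's "script data" state: the body of the
// first <script> runs up to the first case-insensitive "</script".
// (The real parser has extra states for <!-- ... --> inside scripts,
// which do not matter here.)
function extractInlineScript(html) {
  const openTag = /<script\b[^>]*>/i.exec(html);
  if (!openTag) return null;
  const bodyStart = openTag.index + openTag[0].length;
  const rest = html.slice(bodyStart);
  const close = rest.search(/<\/script/i);
  return close === -1 ? rest : rest.slice(0, close);
}

// Run a script against a stub document and return what document.write
// received. No real DOM is involved.
function capturedWrite(source) {
  const writes = [];
  const doc = { write: (s) => { writes.push(String(s)); } };
  new Function('document', source)(doc);
  return writes.join('');
}

// Parse the embedded page, then try to execute what the parser yields.
// Returns { ok, body, markup } on success or { ok: false, body, error }.
function loaderAfterParsing(source) {
  const body = extractInlineScript(embed(source));
  try {
    return { ok: true, body, markup: capturedWrite(body) };
  } catch (e) {
    return { ok: false, body, error: e.constructor.name };
  }
}

// Demo output: the literal form dies with a SyntaxError because the
// parser handed the engine an unterminated string; the split form runs
// and writes the full tag. As plain JS, both loaders write the same markup.
console.log('literal loader:', JSON.stringify(loaderAfterParsing(LOADER_LITERAL)));
console.log('split loader:  ', JSON.stringify(loaderAfterParsing(LOADER_SPLIT)));
console.log('same markup when run as plain JS:',
  capturedWrite(LOADER_LITERAL) === capturedWrite(LOADER_SPLIT));
```

Run it with node to see the truncated body for the literal form. The same reasoning is why `unescape('%3Cscript')` and `'<'+'/script>'` show up in older analytics snippets: they are defences against the host page’s own parser, not obfuscation aimed at a scanner, although a web shield has no way to tell the two apart from the bytes alone.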