Steam Storefront hacked?: Win32:Malware-gen FP

Hi Guys,

I went to download the HLDS Tool from the Steam storefront and got this message.

Infection blocked

URL
hxxp://storefront.steampowered.com/download/hldsupdatetool.exe
IP Lookup/Reverse Lookup: 96.17.227.235 ISP: akamai technologies RDNS: a96-17-227-235.deploy.akamaitechnologies.com
IP used during scan detection: 23.195.76.60 https://stat.ripe.net/23.195.76.60#tabId=at-a-glance Location: Amsterdam

IP Block registered by ARIN: http://whois.arin.net/rest/net/NET-23-195-64-0-1/pft

Infection
Win32:Malware-gen


VT Scan:
https://www.virustotal.com/en/url/fd9a33c6cb5207523e1c9b6ff47f9449a871defaaa818548e3f5f86ef9f880a4/analysis/1405869827/ [Nothing Found]
VT Scan 2: https://www.virustotal.com/en/url/12fa378450b8612a1aca43fe15d94eb464409cca9807df364a75d9b8231aaef4/analysis/1405869910/ [Nothing Found]
URLV: http://www.urlvoid.com/scan/storefront.steampowered.com/ [Nothing Found]
KM: http://killmalware.com/storefront.steampowered.com/download/hldsupdatetool.exe [Nothing Found]
Sucuri: http://sitecheck.sucuri.net/results/storefront.steampowered.com/download/hldsupdatetool.exe [Nothing Found]

MBAM Scan: No Malware Detected
A/V Scan: No Threat Detected

A/V Log 20/07/2014 16:09:08 http://storefront.steampowered.com/download/hldsupdatetool.exe [L] Win32:Malware-gen (0)
A/V Log 2 20/07/2014 16:57:53 http://storefront.steampowered.com/download/hldsupdatetool.exe [L] Win32:Malware-gen (0)

After this blocking session I am unable to visit the site to download the tool, getting an error saying the server had reset the connection… I believe the A/V is currently blocking this address; however, as the VT reports and analysis show, this link is a False Positive.

I have sent Avast a FP report. Hopefully they will remove this link from their blacklist in the future.

I’m rather concerned.
Oliver

Thanks for pushing the post over to the right section guys. I can still confirm this FP is active.

First submission 2007-11-14 23:00:29 UTC ( 6 years, 8 months ago )

You can upload files and report issues to Avast here: http://www.avast.com/contact-form.php (select subject according to your case)

You can use mail:
Send to virus@avast.com in a password-protected zip file
Mail subject: False Positive / undetected sample (select subject according to your case)
Zip password: infected

Or you can send files from the Avast chest.
How to use the chest: http://www.avast.com/faq.php?article=AVKB21

Hey Pondus!

I have sent an FP about the site (as it was a web-based threat rather than a file-based one). Hopefully someone at the Lab will see it and investigate further. Unfortunately I am unable to download the file as the server keeps resetting the connection and being blocked by the A/V. I have provided a VT version that has the full SHA fingerprints to verify the file’s integrity.

Thanks again
Oliver