Why this legitimate newspaper site is detected as virus by avast?

hXXp://tech.bdnews24.com/
This is a well-known newspaper site, and there is no reason to believe that they will put a virus on their site unless they wish not to be in business!!

It is really funny: as soon as I tried to enter this site, avast pops up messages. Their main home page www.bdnews24.com works fine.


Welcome to the forums, newuser2009. :slight_smile:

The site at the first link has an iframe infection. In the source code, it looks like this:

(I replaced the http with hxxp to break the link to malware.) You should also do the same with the first link you posted above.

There was no alert from avast on the second link.


Generally, avast detection is accurate in these cases.
Isn’t it an encrypted/obfuscated script or iframe?
Wasn’t the site hacked?

Hi DavidR,

Bad stuff detektor gives:
Zeroiframes detected: 18
Check took 13.22 seconds

(Level: 0) Url checked:
hxxp://tech.bdnews24.com/
Zeroiframes detected on this site: 18
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://betbigwager.cn/cache/readme.pdf
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (iframe source)
hxxp://betbigwager.cn/cache/flash.swf
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxtp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income61
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (iframe source)
hxxp://betbigwager.cn/in.cgi?income62
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxxp://tech.bdnews24.com/scripts/jquery-1.1.3.1.pack.js
Zeroiframes detected on this site: 0
No ad codes identified

polonus

I see it's some iframe thing. It is a 24-hour online newspaper. Also, they honestly have no intention of being in the malware business.

If avast keeps saying the "virus found" thing, it simply scares users (who do not know what's going on), and when users see that only avast does it, they lose faith in avast.

What's the fix here? Is there any way avast can communicate with them?

NOD32 is also detecting an iFrame hijack on that webpage, plus the explanation by a few members above confirms that. Hidden iframes with 1x1 size are always VERY suspicious.

It doesn't have to be in their interest to spread malware. This is the best way bad guys confuse users.
They hack a legitimate webpage and insert their own bad iframe. Users are then wondering why avast! is all of a sudden alerting on a site that used to be clean. But in this case the detection is correct.
This is a very common way to spread malware these days.

What can we do about it? As users, should we stop visiting that site, or can avast communicate with them?
I just found that another page of theirs is also problematic:
hxxp://glitz.bdnews24.com/

The short answer is that the site has been hacked, and someone (webmaster, owner or web designer) is going to have to go through the site pages (HTML code) looking for these inserted iframe tags and remove them.

That, however, is only part of the resolution, as you have to stop/plug the security vulnerability that allowed the site to be hacked. For that you may need to speak to your host provider, make sure any site software (if you use PHP or other content management software) is fully up to date, change passwords for modifying or uploading pages to something stronger, etc.

If you don’t fall into one of those categories (webmaster or owner/web designer) then all you as a user can do is alert them to the problem.


And, when you contact the webmaster of the site, you might also give them a link (link to your first post) to this thread so that they can better understand the problem.

Here is the link to your first post:

http://forum.avast.com/index.php?topic=44594.msg373509#msg373509


The user himself cannot do much, but you can report the problem to a webpage administrator and they'll fix it.

Thank you all for the help. I am just a user, so all I can do is report it to them. I sent one email but don't know if they will read it.
http://www.bdnews24.com/contact.php?cna=CONTACT%20US

There is no webmaster address.
The only annoyance for me is that I can't read those pages for now, until they are fixed.

It's better that you can't read them than get infected with some virus that screws up your computer, I guess...

Hopefully they’ll fix their site after they receive your email. It worked for me in another case… http://forum.avast.com/index.php?topic=43712.0

They still haven’t fixed it. Dangerous website! Newuser2009, please don’t be tempted to disable your virusscanner in order to be able to read the site anyway. That site has been hacked and is infected.

Yes, still infected; the two hidden iframes are still there, directly after the opening Body tag in the page.

This site isn't alone in being hacked, as a Google search for betbigwager.cn shows: http://www.google.com/search?q=betbigwager.cn
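As an added, defender-side illustration of what the posts above describe (hidden 1x1 or CSS-hidden iframes placed right after the opening Body tag and pointing at another domain), here is a small Python scanner that flags such iframes in a page's HTML. This is example code written for this thread, not code from any poster, avast, or the newspaper site; the sample markup, the `example-bad.invalid` and `news.example` hostnames, and the `find_hidden_iframes` function are all constructed for the example.

```python
"""Scan HTML for hidden iframes of the kind discussed in this thread.

Flags an <iframe> when it is 1x1 or smaller, or hidden via inline CSS,
and records whether its src is off-site and how soon after <body> it
appears (injected frames are typically the first tags after <body>).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (NOT the real site's source): two tiny iframes right
# after <body> pointing off-site, a legitimate visible same-site embed, and a
# script tag.
SAMPLE_HTML = """<html><head><title>News</title></head>
<body>
<iframe src="http://example-bad.invalid/in.cgi?income62" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://example-bad.invalid/in.cgi?income61" style="display:none"></iframe>
<h1>Headlines</h1>
<iframe src="http://news.example/embed/weather" width="300" height="200"></iframe>
<script src="/scripts/jquery.pack.js"></script>
</body></html>"""

# Inline-style patterns that make an element invisible.
_STYLE_HIDDEN = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*0(?:px)?(?![\d.])",
    re.I,
)


def _dim(value):
    """Parse a width/height attribute such as '1', '1px' or '0' into an int (None if absent/unparseable)."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    """Collect suspicious iframes while walking the document's start tags."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self.body_seen = False
        self.tags_since_body = 0  # 1 = the very first start tag after <body>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":
            self.body_seen = True
            self.tags_since_body = 0
            return
        if self.body_seen:
            self.tags_since_body += 1
        if tag != "iframe":
            return
        w, h = _dim(a.get("width")), _dim(a.get("height"))
        style = a.get("style") or ""
        reasons = []
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("1x1 or smaller")
        if _STYLE_HIDDEN.search(style):
            reasons.append("hidden via style")
        if not reasons:
            return  # visible iframe: an ordinary embed, not reported
        src = a.get("src") or ""
        src_host = urlparse(src).hostname
        self.findings.append({
            "src": src,
            "reasons": reasons,
            "off_site": bool(src_host) and src_host != self.page_host,
            "position_after_body": self.tags_since_body if self.body_seen else None,
        })


def find_hidden_iframes(html, page_host):
    """Return a list of findings (dicts) for hidden iframes in `html`; `page_host` is the page's own hostname."""
    p = _IframeCollector(page_host)
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, "news.example"):
        print(f)
```

Running the block on the constructed sample reports the two tiny off-site iframes (positions 1 and 2 after `<body>`) and ignores the visible weather embed. Because `html.parser` sees only static markup, iframes written by obfuscated JavaScript at runtime (the "encrypted/obfuscated script" case raised earlier in the thread) would need the script itself to be reviewed in addition.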

Yes, it has been a problem. I tried to email them, but no reply and no fix. I have found a few other similar newspaper sites that are similarly hacked, I guess. Here is another one:
hxxp://www.prothom-alo.com/

Please 'modify' your post and change the URL from http to hXXp, to break the link and avoid accidental exposure to suspect sites, thanks.

It looks like that site has been hacked, but in a different way: they appear to have hacked the custom 404 error page and deleted the favicon.ico file, which a browser looks for. If it is missing, then the 404 error page which has been hacked would be loaded and the dirty deed (redirect script) is done.

Yep, seen that one before. Looks like they'll have to re-create their error pages. Changing their passwords would be a good idea too, as well as updating the computers.


newuser2009 -

Please change the links in your posts so that the links are not active. Replacing at least one "w" with an "x" will do.


If you report a site, make it non-clickable, like hxtp:// etc.
Malicious software includes 451 scripting exploit(s).

Malicious software is being hosted through 2 domains, e.g. 94.247.2.0/, splbd.com/.

This site was hosted on 1 network(s) including AS33070 (RMH).

Has this site been hosting malware recently?
Malicious software has been infecting 3 domains, that is nagoriknews.com/, onestopit.net/, projanmo.com/.

Apparently one site has been cleansed: http://linkscanner.explabs.com/linkscanner/checksite.aspx?NS=ChkOnly&SRC=apps.explabs.com&CS=http://www.prothom-alo.com/

polonus

No, it is not cleaned. I still see a lot of problems with this site when hxxp://www.prothom-alo.com/ is loaded and while navigating in different pages.