Avira false positive or an actual exploit?

Discussion in 'other anti-virus software' started by hekegeous, Nov 19, 2007.

Thread Status:
Not open for further replies.
  1. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Two days ago I tried opening a very well known online store and got a heuristics detection warning by Avira (HEUR/Exploit.HTML). After some snooping around I found a 0x0px iframe in the source loading an ad serving company URL (zedo.com) which is essentially an obfuscated JS file which I have no idea how to deobfuscate. The url of the store is www. n e i m a n m a r c u s .com -> remove spaces to visit, since it could turn out to be an actual exploit there I'd rather not make it clickable / easily openable. Anyone who knows what they are doing willing to let me know if they get the same detection?

    The javascript it is loading is c1 . ze do . com/ pbar / v1-600 / c1/ jsc / bh_iframe.js

    I somehow don't like the sound of "bar" and "bh" in a 0x0 obfuscated JS script url, but maybe I'm just paranoid.

    Any enthusiasts feel like taking a closer look? I would really like to know if the machine got something through a real exploit or was it Avira doing its job too enthusiastically and taking the 0x0 iframe with an obfuscated JS in it as a good enough reason to call it shady?

    Any input on the matter would be highly appreciated.
     
  2. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I just went there with Avira premium and clicked all the links and sections and got no warnings. Here are my version stats. You might have a false positive. You could put it in virustotal if you have it.
     
  3. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Thanks,

    After I got that detection warning I did an "Access deny" and tried running a full system scan, which resulted in a black screen and buggy mouse movement which made me shut down that pc and not turn it on until I know what's happening, so I don't have the file that was supposedly infected. I'm using the free version but afaik the detection engine and rules are the same as in Premium?
     
  4. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    I am not sure if Avira will run in safe mode but if I were you I would try a full scan in safe mode to see if it will detect and remove the problem. Or you might do a System restore to before the problem.
     
  5. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    I will do that now and see what happens. Will report back with results. Thanks!
     
  6. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
  7. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Full scan in safe mode didn't find anything. Funny thing is the file that was supposedly infected (found the name in event log) is no longer in IE7 Low cache folder, while the rest of the temporary files from that day are still there. Why/how did it go away on its own?
     
  8. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma
    If Avira denied access it might not have allowed it to remain on the comp.
     
  9. 212eta

    212eta Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    67
    I decided to download the freeware version of AVIRA (i.e. AntiVir Personal Edition Classic v 7.0.6) and see for myself. Keep in mind three (3) things:
    1) I had just formatted my pc (with just WinXP Pro SP2 and installed Drivers from some manufacturers' CDs: MotherBoard, Monitor etc.)
    2) avira.com was the only site I visited before installing avira.
    3) On purpose, I did NOT change any setting of the configuration.

    I updated Avira and started a FULL scan.
    The result? Fast enough BUT FULL of False Positives :thumbd::thumbd::thumbd:
    To be fair, this is something I also faced when I tried BitDefender AV 2008!:thumbd: :thumbd: :thumbd:

    A few hours ago, I downloaded the trial version of G DATA AntiVirusKit 2007.
    This is a superior product!:thumb::thumb::thumb: No comparison at ALL with AVIRA:thumbd::thumbd::thumbd:
    After the problems of NOD32 v3 and KAV 7.0, I am seriously thinking of buying
    G DATA AntiVirusKit 2007!
     
  10. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi bigc and hek
    This is strange .... I got the same notification from APSS and I had to deny.
    I think it must be a FP
    -avira.jpg

    bigc is usually accurate, and that is why I think it is strange
    Cheers
     
  11. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    I decided to download the freeware version of AVIRA and see for myself. Keep in mind three (3) things:
    1) I had just formatted my pc (with just WinXP Pro SP2 and installed Drivers from some manufacturers' CDs: MotherBoard, Monitor etc.)
    2) avira installer was on CD so I didn't use internet at all
    3) On purpose, I did NOT change any setting of the configuration.

    I updated Avira and started a FULL scan.
    The result? Fast enough (under 12 mins.) and not a single false positive. *****:thumb: :thumb:

    This was done on 10/24/2007 with services on power user settings, so no system restore. YMMV
     
  12. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Fredra,

    Do you have a copy of the file from your browser cache or did it get booted? I'm curious as to what's triggering the heuristic engine to flag it.
     
  13. SteveBlanchard

    SteveBlanchard Registered Member

    Joined:
    Nov 4, 2007
    Posts:
    312
    Location:
    ENGLAND
    Just looked at the site in FF & OE7, then ran a-squared Free, it didn't find anything, so it's a FP.
     
  14. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    A Zedo iframe on a site sounds like bad news to me. What the heck is a bh_js? Some browser helper thing? o_O
    Although I'm no expert, that sounds suspicious.
     
  15. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I don't get that detection on my computer. I'm using Avira Security Suite, latest VDF.
     
  16. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi
    @hek
    No I don't have the file

    When bigc and pykko found nothing, I KNEW something else was wrong.
    I updated APSS and it found nothing, so it WAS a false positive and the update fixed it.

    Much ado about nothing..lol
    Sorry to all :blink:
    I will now go back to my corner.
    Cheers :)
     
  17. Thug21

    Thug21 Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    141
    Location:
    Illinois
    I just went to neimanmarcus.com and no word from Antivir. However, that particular .js file was nowhere to be found in the page source. Haven't tried the exact url to the js iframe.
     
  18. 212eta

    212eta Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    67
    What about the ones who want to download and try AVIRA CLASSIC?
    Do we have to use avira installer on CD?
    After downloading it, I didn't use internet at all. (I am on adsl dial up).
     
  19. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
    What about them o_O
    Do whatever you want.
    I was pointing out that the same experience with a couple of variations produced entirely different results. Hence YMMV (your mileage may vary)
    I wasn't suggesting anyone to re4mat, save installers to CD or trust anyone's results.
     
  20. solcroft

    solcroft Registered Member

    Joined:
    Jun 1, 2006
    Posts:
    1,639
    The script is not obfuscated. I've only taken a cursory look at it, but the script itself isn't an exploit. My first impression of it was that it's used to serve tracking cookies to the user instead of trojan horses; will take another look at it when I get home.

    As for how to interpret Avira's HTML "heuristic", it just triggers on any iframe with width = height = 0. Do keep this in mind before panicking.
     
  21. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    I also got the warning message when using antivirPEPremium, but just after reloading the above-mentioned webpage (heuristics at medium settings). File already sent using the 'quarantine manager' :D
     
    Attached file: nm.jpg
  22. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Thanks for the reply and your insight, solcroft. I have tested this the moment after getting the warning though and can positively state that Avira's heuristic engine that detected that site as loading a baddie does not treat 0x0 iframes as exploit-warning worthy; maybe it does add to the final suspiciousness score a bit though. Try uploading a page with a 0x0 remotely loading iframe + a few 0x0 images somewhere and load it. Avira will not make a sound, at least it didn't for me. Something else must be setting it off.
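As a defender-side illustration of the disagreement in the last two posts (whether a 0x0 iframe alone is enough to trip a heuristic, versus where the frame loads from mattering), here is an added example that is not part of the thread and is not Avira's heuristic: a transparent stand-in that scans page source for hidden iframes and only escalates those pulling content from a third-party host. The host names and the markup are constructed for the example.

```python
"""Hidden-iframe triage: flag iframes that are 0x0 (or otherwise hidden) and
escalate those whose src is on a host other than the page's own.
Constructed illustration for this thread, not Avira's detection logic."""
from html.parser import HTMLParser
from urllib.parse import urlparse


def _is_zero(value):
    # Accept "0" and "0px" as a zero dimension.
    return value is not None and value.strip().rstrip('px').strip() == '0'


class IframeAuditor(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != 'iframe':
            return
        a = dict(attrs)
        src = a.get('src') or ''
        style = (a.get('style') or '').replace(' ', '').lower()
        hidden = (_is_zero(a.get('width')) and _is_zero(a.get('height'))) \
            or 'display:none' in style or 'visibility:hidden' in style
        if not hidden:
            return  # visible frames are out of scope for this check
        host = (urlparse(src).hostname or self.page_host).lower()  # relative src = own host
        same_site = host == self.page_host or host.endswith('.' + self.page_host)
        self.findings.append({'src': src, 'host': host, 'third_party': not same_site,
                              'severity': 'low' if same_site else 'review'})


def audit(html, page_host):
    """Return one finding per hidden iframe; third-party ones get severity 'review'."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    return parser.findings


# Constructed sample page modelled on the thread's description (not the real markup).
SAMPLE = """<html><body>
<iframe src="https://ads.example-adserver.test/bh_iframe.js" width="0" height="0"></iframe>
<iframe src="/store/cart" width="0px" height="0px"></iframe>
<iframe src="https://video.example-store.test/embed/x" width="560" height="315"></iframe>
</body></html>"""

if __name__ == '__main__':
    for finding in audit(SAMPLE, 'example-store.test'):
        print(finding)
```

Run as-is it reports two hidden frames: the third-party one as "review" and the same-site one as "low", while the visible embed is not reported at all.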
     
  23. hekegeous

    hekegeous Registered Member

    Joined:
    Nov 19, 2007
    Posts:
    11
    Could you please be so kind as to post the results here once Avira investigates it? Thanks
     
    Last edited: Nov 20, 2007
  24. Macstorm

    Macstorm Registered Member

    Joined:
    Mar 7, 2005
    Posts:
    2,531
    Location:
    Sneffels volcano
    It's been 2 days but I haven't received a reply yet, it's the first time I've submitted to them through quarantine manager so I don't know if that's a usual delay. :)
     
    Attached file: nm.jpg
  25. zfactor

    zfactor Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    6,012
    Location:
    on my zx10-r
    I see the same results, it pops up as a heuristic exploit. Medium settings and just updated... I close FF and re-open it and re-load the page and it goes through fine now with no warnings..

    what does re-loading it do? should it not result the same way?
     