This discussion is archived
bswanwick

Attempted Trojan was downloaded from forums.adobe.com

Aug 28, 2012 8:31 AM

Tags: #forum #trojan #forums #trojans

While viewing a thread in the Adobe forums my Avast! Antivirus blocked a script running in Firefox. It attempted to download a trojan to my PC.

 

The source of the script was: http://forums.adobe.com/4.5.6/resources/scripts/gen/220b1b06a29F901e1d24252ac800883e.js.

 

The infection was: JS:Blacole-AV [Trj]

 


EDIT: It is happening more frequently now from various links. Like: http://forums.adobe.com/community/coldfusion

 

Message was edited by: bswanwick

 
Replies
  • Aug 28, 2012 9:15 AM   in reply to bswanwick

    Thank you for the information. We are investigating it now.

     
  • Aug 28, 2012 9:22 AM   in reply to Terri Stone

    Is anyone else seeing this? We have a case opened with Jive to investigate it.

     
  • Aug 28, 2012 11:02 AM   in reply to adobe-admin

    Have not encountered such, over about 1/2 dozen Adobe Forums - so far.

     

    Hunt

     
  • Noel Carboni
    23,455 posts
    Dec 23, 2006
    Aug 28, 2012 11:23 AM   in reply to adobe-admin

    No, I'm fully protected by the same AV bswanwick is, and I'm not seeing any malware.

     

    Edit:  I just verified (via IE9's F12 Developer Tools) that I am indeed loading:

     

    /4.5.6/resources/scripts/gen/220b1b06a29f901e1d24252ac800883e.js

     

    Whether we all get the data from the same servers is not certain.

     

    -Noel

     
  • Aug 28, 2012 11:25 AM   in reply to bswanwick

    Almost positive this is a false-positive from Avast. Jive support is bringing in their engineering and hosting people for more investigation.

     
  • Aug 28, 2012 12:31 PM   in reply to adobe-admin

    Not able to duplicate this with the latest update from Avast. Can you provide me with the current virus definition you have and the current program version?

     

    Thanks!

     
  • Aug 28, 2012 12:32 PM   in reply to bswanwick

    From Jive support:

     

    We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem. This was a simple false positive, so there is no need to worry about infected computers due to this.

     
  • Aug 28, 2012 6:33 PM   in reply to adobe-admin

    John,

     

    We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem.

     

    Good to know, and thank you for reporting.

     

    Appreciated,

     

    Hunt

     
  • Aug 28, 2012 7:19 PM   in reply to adobe-admin

    Perhaps the threat wasn't false-positive according to this link:

     

    <http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

     
  • Aug 28, 2012 8:13 PM   in reply to mytaxsite.co.uk

    Why is it someone finds a bug/exploit and, rather than notifying the Software Manufacturers on the QT, instead publishes it for all to see, including the bad guys? Guaranteeing that the exploit will be used.

    I'm sure there are people here smart enough to use it and might even consider it. And someone has provided a link on how to create it.

    I'm not smart enough; just looking at the code given makes me zone out and gives me a headache looking at it.

     
  • Aug 28, 2012 8:46 PM   in reply to Phillip Jones

    Nothing to do with me.  I was simply saying that bswanwick didn't have a "false-positive" as suggested above because this was announced all over the place on the web.  Yes, Avast is not a good anti-virus, but it is dangerous to discount everything as false-positive when Jive might be under attack from outside, NOT from USERS here.

     
  • Noel Carboni
    23,455 posts
    Dec 23, 2006
    Aug 28, 2012 10:30 PM   in reply to mytaxsite.co.uk

    What makes you think Avast! is not good?

     

    -Noel

     
  • Aug 29, 2012 7:18 AM   in reply to bswanwick

    Thank you for reporting the definitions version and the state of things now.

     

    Good luck,

     

    Hunt

     
  • Aug 29, 2012 8:01 AM   in reply to mytaxsite.co.uk

    I wasn't referring to you. I was referring to the person who created the link to start with.

    And BTW: In my post I made it sound like the forum visitors would use the code. I'm sure the folks here are honorable enough not to use it. I know I wouldn't even if I could make sense of the code.

     
  • Aug 29, 2012 7:50 PM   in reply to mytaxsite.co.uk

    mytaxsite.co.uk wrote:

     

    Perhaps the threat wasn't false-positive according to this link:

     

    <http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

    This is about the well-publicized vulnerability in Java 1.7; Jive does not use Java, to the best of my knowledge.  (Java is not related to JavaScript in any way.)

     
  • Sep 1, 2012 8:56 AM   in reply to bswanwick

    Security Alert for CVE-2012-4681 released August 30, 2012 by Oracle to address 3 distinct but related vulnerabilities (CVE-2012-4681, CVE-2012-1682 and CVE-2012-3136) and one security issue (CVE-2012-0547) affecting Java running in desktop browsers.

     

    These - high severity - vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. This malware may in some instances be detected by current antivirus signatures upon its installation.

     

    https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

     
  • Noel Carboni
    23,455 posts
    Dec 23, 2006
    Sep 1, 2012 10:37 AM   in reply to RickCP

    Thanks for the info, Rick, but...  What's the relationship you're seeing between these announcements and this thread?  I thought we'd written this off as a false positive.

     

    -Noel

     
  • Sep 3, 2012 3:18 PM   in reply to Noel Carboni

    I was just following @mytaxsite's post #9 above concerning there might've been something more than just a 'simple false positive' as concluded by Jive support.

     

    If it was so then why is it that the referenced page isn't available since then?

     

    While I think there might've been a redirecting attempt, it was probably 'to' and not 'from' that Adobe page, originated by a malicious javascript on bswanwick's FF browser?

     

    Anyway, without further information (if reported to Avast!) from @bswanwick there's nothing else to add but that I'm glad he is (and the forums) Ok.

    ______________________________________________________

     

    PD.- Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?

    http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

     
  • Sep 3, 2012 7:09 PM   in reply to RickCP

    RickCP wrote:

     

    PD.- Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?

    http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

    But how is this related to this topic, or this forum?

     