Skip navigation
This discussion is locked
bswanwick
bswanwick Calculating status...
Currently Being Moderated

Attempted Trojan was downloaded from forums.adobe.com

Aug 28, 2012 8:31 AM

Tags: #forum #trojan #forums #trojans

While viewing a thread in the Adobe forums my Avast! Antivirus blocked a script running in Firefox. It attempted to download a trojan to my PC.

 

The source of the script was: http://forums.adobe.com/4.5.6/resources/scripts/gen/220b1b06a29F901e1d 24252ac800883e.js.

 

The infection was: JS:Blacole-AV [Trj]

 

screenshot.png

EDIT: It is happening more frequently now from various links. Like: http://forums.adobe.com/community/coldfusion

 

Message was edited by: bswanwick

2205 Views   20 Replies   Latest reply: Pat Willener, Sep 3, 2012 7:09 PM
 
Replies
  • Terri Stone
    Currently Being Moderated
    1. Terri Stone,
    Aug 28, 2012 9:15 AM   in reply to bswanwick
    Report

    Thank you for the information. We are invesitigating it now.

     
    |
    Mark as:
  • adobe-admin
    Currently Being Moderated
    2. adobe-admin,
    Aug 28, 2012 9:22 AM   in reply to Terri Stone
    Report

    Is anyone else seeing this? We have a case opened with Jive to investigate it.

     
    |
    Mark as:
  • Bill Hunt
    Currently Being Moderated
    3. Bill Hunt,
    Aug 28, 2012 11:02 AM   in reply to adobe-admin
    Report

    Have not encountered such, over about 1/2 dozen Adobe Forums - so far.

     

    Hunt

     
    |
    Mark as:
  • Noel Carboni
    21,020 posts
    Dec 23, 2006
    Currently Being Moderated
    4. Noel Carboni,
    Aug 28, 2012 11:23 AM   in reply to adobe-admin
    Report

    No, I'm fully protected by the same AV bswanwick is, and I'm not seeing any malware.

     

    Edit:  I just verified (via IE9's F12 Developer Tools) that I am indeed loading:

     

    /4.5.6/resources/scripts/gen/220b1b06a29f901e1d24252ac800883e.js

     

    Whether we all get the data from the same servers is not certain.

     

    -Noel

     
    |
    Mark as:
  • adobe-admin
    Currently Being Moderated
    5. adobe-admin,
    Aug 28, 2012 11:25 AM   in reply to bswanwick
    Report

    Almost positive this is a false-positive from Avast. Jive support is bringing in their engineering and hosting people for more investigation.

     
    |
    Mark as:
  • adobe-admin
    Currently Being Moderated
    6. adobe-admin,
    Aug 28, 2012 12:31 PM   in reply to adobe-admin
    Report

    Not able to duplicate this with the latest update from Avast. Can you provide me with the current virus definition you have and the current program version?

     

    Thanks!

     
    |
    Mark as:
  • adobe-admin
    Currently Being Moderated
    7. adobe-admin,
    Aug 28, 2012 12:32 PM   in reply to bswanwick
    Report

    From Jive support:

     

    We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem. This was a simple false positive, so there is no need to worry about infected computers due to this.

     
    |
    Mark as:
  • Bill Hunt
    Currently Being Moderated
    8. Bill Hunt,
    Aug 28, 2012 6:33 PM   in reply to adobe-admin
    Report

    John,

     

    We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem.

     

    Good to know, and thank you for reporting.

     

    Appreciated,

     

    Hunt

     
    |
    Mark as:
  • mytaxsite.co.uk
    Currently Being Moderated
    9. mytaxsite.co.uk,
    Aug 28, 2012 7:19 PM   in reply to adobe-admin
    Report

    Perhaps the threat wasn't fase-positive according to this link:

     

    <http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-y et.html>

     
    |
    Mark as:
  • Phillip Jones
    Currently Being Moderated
    10. Phillip Jones,
    Aug 28, 2012 8:13 PM   in reply to mytaxsite.co.uk
    Report

    Why is it some one finds a bug/exploit and rather than notfying the Software Manufacturers on the QT, instead publishes it all for to see including the bad guys. Guaranteeing that the exploit will be used.

     

    I'm sure there are people heare smart enough to use it and might even consider it. And someone has provided a link on howto create it.

     

    I'm not smart enough, just looking as the code given makes me zone out and gives hradache looking at it.

     
    |
    Mark as:
  • mytaxsite.co.uk
    Currently Being Moderated
    11. mytaxsite.co.uk,
    Aug 28, 2012 8:46 PM   in reply to Phillip Jones
    Report

    Nothing to do with me.  I was simply saying that bswanwick didn't have "false-positive" as suggested above because this was announced all over the place on the web.  Yes avast is not a good anti-virus but it is dangerous to discount everything as false-positive when Jive might be under attach from outside NOT from USERs here.

     
    |
    Mark as:
  • Noel Carboni
    21,020 posts
    Dec 23, 2006
    Currently Being Moderated
    12. Noel Carboni,
    Aug 28, 2012 10:30 PM   in reply to mytaxsite.co.uk
    Report

    What makes you think Avast! is not good?

     

    -Noel

     
    |
    Mark as:
  • bswanwick
    Currently Being Moderated
    13. bswanwick,
    Aug 29, 2012 6:36 AM   in reply to adobe-admin
    Report

    As of this morning I am on virus definition 120829-0 and can confirm that I am no longer receiving any messages from Avast! while browsing the Adobe forums.

     
    |
    Mark as:
  • Bill Hunt
    Currently Being Moderated
    14. Bill Hunt,
    Aug 29, 2012 7:18 AM   in reply to bswanwick
    Report

    Thank you for reporting the definitions version and the state of things now.

     

    Good luck,

     

    Hunt

     
    |
    Mark as:
  • Phillip Jones
    Currently Being Moderated
    15. Phillip Jones,
    Aug 29, 2012 8:01 AM   in reply to mytaxsite.co.uk
    Report

    I wasn't referring to you. I was referring to the person who created the link to start with.

    And BTW: In my post I made it sound like the forum visitors would use the code. I'm sure the folks here are honorable enough not to use it. I know I wouldn't even if I could make sense of the code.

     
    |
    Mark as:
  • Pat Willener
    Currently Being Moderated
    16. Pat Willener,
    Aug 29, 2012 7:50 PM   in reply to mytaxsite.co.uk
    Report

    mytaxsite.co.uk wrote:

     

    Perhaps the threat wasn't fase-positive according to this link:

     

    <http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-y et.html>

    This is about the well-publicized vulnerability in Java 1.7; Jive does not use Java, to the best of my knowledge.  (Java is not related to JavaScript in any way.)

     
    |
    Mark as:
  • RickCP
    Currently Being Moderated
    17. RickCP,
    Sep 1, 2012 8:56 AM   in reply to bswanwick
    Report

    Security Alert for CVE-2012-4681 released August 30, 2012 by Oracle to address 3 distinct but related vulnerabilities (CVE-2012-4681, CVE-2012-1682 and CVE-2012-3136) and one security issue (CVE-2012-0547) affecting Java running in desktop browsers.

     

    These - high severity - vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. This malware may in some instances be detected by current antivirus signatures upon its installation.

     

    https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

     
    |
    Mark as:
  • Noel Carboni
    21,020 posts
    Dec 23, 2006
    Currently Being Moderated
    18. Noel Carboni,
    Sep 1, 2012 10:37 AM   in reply to RickCP
    Report

    Thanks for the info, Rick, but...  What's the relationship you're seeing between these announcements and this thread?  I thought we'd written this off as a false positive.

     

    -Noel

     
    |
    Mark as:
  • RickCP
    Currently Being Moderated
    19. RickCP,
    Sep 3, 2012 3:18 PM   in reply to Noel Carboni
    Report

    I was just following @mytaxsite's post #9 above concerning there might've been something more than just a 'simple false positive' as concluded by Jive support.

     

    If it was so then why is it that the referenced page isn't available since then?

     

    While I think there might've been a redirecting attempt, it was probably 'to' and not 'from' that Adobe page, originated by a malicious javascript on bswanwick's FF browser?

     

    Anyway, without further information (if reported to Avast!) from @bswanwick there's nothing else to add but that I'm glad he is (and the forums) Ok.

    ______________________________________________________

     

    PD.- Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?

    http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched _java/

     
    |
    Mark as:
  • Pat Willener
    Currently Being Moderated
    20. Pat Willener,
    Sep 3, 2012 7:09 PM   in reply to RickCP
    Report

    RickCP wrote:

     

    PD.- Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?

    http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched _java/

    But how is this related to this topic, or this forum?

     
    |
    Mark as:
Actions

More Like This

  • Retrieving data ...

Bookmarked By (0)