Lavasoft Site Question/Issue
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: Lavasoft Site Question/Issue

  1. #1
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718

    Lavasoft Site Question/Issue

    Hey guys,
    I was just updating my Ad Aware and wanted to see what's up with the newest version. I went to their site and Kaspersky got its panties in a wad. Under the Security tab on their site, I kept getting a warning about Trojan-Downloader.Java.Agent.c. The file/script is apparently being loaded from http://ssl-hints.netflame.cc/Fc/FcPred.class. (Don't click this link unless you've got a protected system, as this link leads directly to this Trojan!)
    The other thing I noticed is that it only happens in IE7, not Firefox. The only odd thing that Firefox caught was an undefined javascript trying to run (the NoScript plug-in found it).
    You guys seeing this at all? Just in case I scanned my system which is fine. Let me know if you guys run into this.
    Last edited by ShagDevil; May 19th, 2007 at 07:09 PM.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  2. #2
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    There isn't a good description at the moment. FcPred seems to be the downloader, but it loads at least one other file. I got one called pkcpibhj.class and I think that it replaced another file it loaded previously. Looks like it generates the names at random?

    I ran both files through VirusTotal and they were recognised by:

    Antivir
    Ewido
    F-Secure
    Kaspersky
    Webwasher-Gateway


  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    It sounds odd at first blush. First of all, who is netflame.cc? Took a little digging around, but the domain's registered thru Network Solutions (no wonder I had to dig) to an outfit in Minnesota:

    http://www.networksolutions.com/whoi...in=netflame.cc

    Oddly enough, trying to load http://www.netflame.cc or https://www.netflame.cc in a webbrowser yielded no results, giving me a standard "server not found" page in Firefox. Pinging netflame.cc gives me an ip address of 64.210.184.134, which belongs to a webhosting outfit called Savvis (www.savvis.net) out of North Carolina.

    Here it gets strange again; loading http://ssl-hints.netflame.cc did indeed yield an Apache "HTTP Status 404" page, which means it did indeed connect to a server. But the ip address I pulled for the http://ssl-hints.netflame.cc is 168.215.74.5 which belongs to Time-Warner in Colorado. Not your typical webhosting outfit.

    If I may be so bold as to venture a couple of guesses here...

    1) The trojan downloader is indeed a java script for updating Ad-Aware and that Kaspersky is picking it up as a false positive. This routinely occurs to me when using Panda's online scan and the scripts/files it installs on a PC.

    2) Lavasoft has contracted Digital River (see whois) to provide mirroring services for their downloading needs. IT these days is all about contracted services.

    3) If it is indeed a true trojan-downloader and the site's been hijacked, one would be wise to steer clear of this update, and perhaps try download.com or another more mainstream site for Lavasoft's updates.

    You might contact Lavasoft's admin at main@lavasoft.de and put the question to them...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I agree, brokencrow, it seems very odd.

    1. I ran it through VirusTotal, and five scanners said it was EXACTLY the same trojan installer (OK slight naming convention differences). And it isn't as if they were all Kasperky clones?

    2. I consider Lavasoft to be a very reputable organisation and would trust them, at least thus far?

    3. Digital River have also been reputable to date, I even bought the PC-Cillin internet security #14 that is on this machine from them! They are World Wide with proper branch offices and all....... London, Dublin etc.

    All I would have thought you would want on a site like that would be a hit counter and country of origin. OK, as Lavasoft are apps developers I could understand them being interested in the OS and browser perhaps?

    Even session cookies would be understandable; but this seems to be rather more?

    I guess we sall have to "let the case develop"?

  5. #5
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Is there another site to download the same updated Ad-Aware? Is it the full app itself lighting up the AV? Or just an update? My experience with Ad-Aware SE v1.06 was the update itself was simply a definitions (.def) file. There is a good chance, given ShagDevil's resulting scan, this is a false positive.

    I've been running across articles about websites being surreptitiously hijacked to set up spyware installs. My impression from the readings were this was occurring largely at sites like MySpace and YouTube; public sites with accounts protected by passwords like "password", that kind of thing. But having done some web design and mastering, I've seen sites that owners protected with words easily susceptible to dictionary attacks. Logins like "byrd". And it has me wondering how many "spyware farms" are getting set up on perfectly legit sites.

    I've got a user at work who was badly infected with spyware and which I simply couldn't remove fast enough, so I reimaged his desktop. I lightly chided the guy about the sites he's going to before I realized he's a pretty straight up Baptist. We were trading internet war stories (he's got 2 sons) and I realized he's not particularly given to surfing rogue sites (porn, gambling, etc.). And about the same time I started running across these articles about hijacked websites.

    Fwiw, I've gone ahead and emailed Lavasoft's admin. Careful gang, it's a jungle out there....
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hmmm, even stranger.................... I just submitted the netflame link to this lot:

    http://linkscanner.explabs.com/linkscanner/

    They then scan the site for malicious code/acivity....................it came up with nada?

  7. #7
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    Nihil, Brokencrow
    I appreciate you guys looking into this for me. Well, not for me but for everyone's sake
    It wasn't the actual update itself that was causing the Trojan alert. It was Kaspersky's web browser scanning that picked it up. Basically what I did was update my Ad-Aware, then in the Performing WebUpdate dialog box, I clicked this link--> Read More...on the news section that stated Ad-Aware 7 was coming out in June.
    That's what generated the Trojan alert. I thought maybe it was my Ad-Aware but I generate this same error just by going to Lavasoft's site through standard browsing. I'm wondering myself if this is a false positive and Kaspersky is just being anal. I visited the site again today and got the same alerts. I'll keep my eyes open as well. Also, thanks for emailing Lavasoft Brokencrow. Let's see what they have to say.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  8. #8
    Some Assembly Required ShagDevil's Avatar
    Join Date
    Nov 2002
    Location
    New Jersey
    Posts
    718
    I've been doing a lot of reading on this netflame.cc stuff. I actually googled it and came up with a surprisingly large amount of articles. This reply came out of one of those forums:
    This is just an anonymous ping to fireclick (a simple counter system owned by Digital River indeed) that we use to count how many time our plugin is used everyday.
    It's not spying on anything as nothing is recorded at all. It's just a number being incremented. We will actually remove this ping in the future. For now it helps us see how this product is adopted and prioritize our next efforts
    From what I've read so far, it's not some kind of malicious Trojan. I shall read on
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  9. #9
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hey ShagDevil,

    I know you are as cynical as me.........................?

    So I surf to some site out of curiosity and it just loads some software (without my permission) so that it can get MY SYSTEM to ping it everytime I use a plugin for software I may not even have installed?

    That sir, is the classical definition of spyware............... no "ands", "ifs" or "buts" ?????????????????????

    I am afraid that it seems as if AdAware are becoming "unaware" and Digital River are going down the "Swannee"

    Well guys, Digital River are American, so it is up to you.............." we come in peace......."

  10. #10
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Ad-Aware is actually a Swedish outfit, isn't it? And who knows what kind
    of contractual arrangements they have with Digital River. Perhaps it's
    one of those "American contracts". You know, the ones that run into
    hundreds, perhaps even thousands of pages.

    Nihil, just a word of advice: stay off the road to Lexington and Concord. Especially if you're wearing a red coat.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

Similar Threads

  1. Firefox marketing site hacked
    By intmon in forum Security News
    Replies: 1
    Last Post: July 15th, 2005, 07:52 PM
  2. Is This Really A security Site
    By SwordFish_13 in forum AntiOnline's General Chit Chat
    Replies: 19
    Last Post: April 5th, 2004, 05:40 AM
  3. VeriSign sues ICANN to restore Site Finder
    By SDK in forum AntiOnline's General Chit Chat
    Replies: 0
    Last Post: February 27th, 2004, 03:56 PM
  4. Al-Jazeera Web Site Faces Continued Hacker Attacks
    By DigitalSyntax in forum Web Security
    Replies: 0
    Last Post: March 27th, 2003, 08:25 PM
  5. USA Today: Hackers vandalized our site
    By NetSyn in forum AntiOnline's General Chit Chat
    Replies: 2
    Last Post: July 13th, 2002, 09:40 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •