Thread: Lavasoft Site Question/Issue

  #1 ShagDevil (Some Assembly Required; joined Nov 2002; SC; 718 posts)

    Lavasoft Site Question/Issue

    Hey guys,
    I was just updating my Ad-Aware and wanted to see what's up with the newest version. I went to their site and Kaspersky got its panties in a wad. Under the Security tab on their site, I kept getting a warning about Trojan-Downloader.Java.Agent.c. The file/script is apparently being loaded from http://ssl-hints.netflame.cc/Fc/FcPred.class. (Don't click this link unless you've got a protected system, as this link leads directly to this Trojan!)
    The other thing I noticed is that it only happens in IE7, not Firefox. The only odd thing that Firefox caught was an undefined JavaScript trying to run (the NoScript plug-in found it).
    You guys seeing this at all? Just in case, I scanned my system, which is fine. Let me know if you guys run into this.
    Last edited by ShagDevil; May 19th, 2007 at 06:09 PM.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton
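What the poster's browser scanner and NoScript were reacting to is a page pulling executable content (here a Java applet) from a host other than the vendor's own. Below is an added example, not code from this thread or from Lavasoft or Kaspersky, of the check a practitioner would run on a saved copy of such a page: walk the HTML and list every script/applet/object/iframe load whose host is outside the page's own domain. The page fragment and the vendor hostname www.example-vendor.invalid are constructed; ssl-hints.netflame.cc/Fc/FcPred.class is the one location the thread names.

```python
"""List third-party code loads in an HTML page (added example, constructed input).

Parses the page once, resolves each code-loading attribute to an absolute URL
(applet/object code is resolved against its codebase, as browsers do), and
reports every load whose host is not the page's own domain or a subdomain of it.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that make the browser fetch and execute code or a plugin payload.
CODE_ATTRS = {
    "script": ("src",),
    "embed": ("src",),
    "iframe": ("src",),
}
PLUGIN_TAGS = ("applet", "object")


class CodeLoadCollector(HTMLParser):
    """Collect (tag, absolute URL) for every code-loading attribute seen."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.loads = []

    def handle_starttag(self, tag, attrs):
        attrs = {k.lower(): v for k, v in attrs if v is not None}
        if tag in PLUGIN_TAGS:
            # Applet/plugin code resolves relative to codebase when one is given.
            base = urljoin(self.base_url, attrs.get("codebase", ""))
            for name in ("code", "archive", "data", "classid"):
                if name in attrs:
                    self.loads.append((tag, urljoin(base, attrs[name])))
        elif tag in CODE_ATTRS:
            for name in CODE_ATTRS[tag]:
                if name in attrs:
                    self.loads.append((tag, urljoin(self.base_url, attrs[name])))


def third_party_code_loads(html, page_url):
    """Return [(tag, host, url)] for loads served from outside the page's domain.

    First-party is approximated as the last two labels of the page host
    (www.vendor.example and cdn.vendor.example both count as vendor.example);
    this simplification is wrong for public suffixes like co.uk.
    """
    parser = CodeLoadCollector(page_url)
    parser.feed(html)
    own_host = urlsplit(page_url).hostname or ""
    registrable = ".".join(own_host.split(".")[-2:])
    result = []
    for tag, url in parser.loads:
        host = urlsplit(url).hostname
        if host is None:
            continue  # clsid:/javascript: pseudo-URLs carry no host
        if host == registrable or host.endswith("." + registrable):
            continue
        result.append((tag, host, url))
    return result


# Constructed page resembling what the poster describes: a vendor page that
# embeds a 1x1 applet served by a different host. Not the real Lavasoft HTML.
PAGE_URL = "http://www.example-vendor.invalid/security/"
SAMPLE_PAGE = """
<html><body>
<script src="/js/menu.js"></script>
<script src="https://cdn.example-vendor.invalid/analytics.js"></script>
<applet code="FcPred.class" codebase="http://ssl-hints.netflame.cc/Fc/" width="1" height="1"></applet>
<img src="http://counter.example-counter.invalid/ping.gif">
</body></html>
"""

if __name__ == "__main__":
    for tag, host, url in third_party_code_loads(SAMPLE_PAGE, PAGE_URL):
        print(f"{tag:<7} {host:<25} {url}")
```

Only the applet is reported: the two scripts come from the vendor's own domain and the tracking image is not executable content. Running this against a saved copy of the page is a quicker answer to "what is the site pulling in?" than watching which scanner fires.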

  #2 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    There isn't a good description at the moment. FcPred seems to be the downloader, but it loads at least one other file. I got one called pkcpibhj.class and I think that it replaced another file it loaded previously. Looks like it generates the names at random?

    I ran both files through VirusTotal and they were recognised by:

    Antivir
    Ewido
    F-Secure
    Kaspersky
    Webwasher-Gateway
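nihil's observation that FcPred loads a further class with an apparently random name is the usual shape of a Java downloader applet, and the follow-on location normally sits as a string literal in the class's constant pool. Below is an added example, not code from this thread and not any vendor's tool, of the offline triage one would do on such a file before submitting it to VirusTotal: hash it, confirm the magic and class-file version, and dump the class names and string literals the constant pool references. The sample bytes are a constructed minimal class-file prefix whose entries mimic a loader; the URL inside it is a placeholder, not one from the thread.

```python
"""Offline triage of an unknown .class file (added example, constructed sample).

Reads the class-file header and constant pool per the JVM specification
(section 4.4) and returns hashes, the major version, referenced class names,
and string literals. Parsing stops after the pool; nothing is executed.
"""
import hashlib
import struct

CONSTANT_UTF8, CONSTANT_CLASS, CONSTANT_STRING = 1, 7, 8
# Fixed payload size of every non-Utf8 constant-pool tag.
FIXED_SIZE = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
              15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def parse_constant_pool(data):
    """Return (major_version, classes, strings); ValueError if not a class file."""
    if len(data) < 10 or data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a Java class file (bad magic)")
    _minor, major, cp_count = struct.unpack(">HHH", data[4:10])
    pos, index, entries = 10, 1, {}
    try:
        while index < cp_count:
            tag = data[pos]
            pos += 1
            if tag == CONSTANT_UTF8:
                (length,) = struct.unpack(">H", data[pos:pos + 2])
                pos += 2
                # Modified UTF-8 matches plain UTF-8 for ASCII, which is what
                # URLs and class names in a loader are.
                entries[index] = (tag, data[pos:pos + length].decode("utf-8", "replace"))
                pos += length
            elif tag in FIXED_SIZE:
                size = FIXED_SIZE[tag]
                entries[index] = (tag, data[pos:pos + size])
                pos += size
            else:
                raise ValueError(f"unknown constant-pool tag {tag} at offset {pos - 1}")
            index += 2 if tag in (5, 6) else 1  # Long/Double take two slots
    except (IndexError, struct.error) as exc:
        raise ValueError("constant pool truncated") from exc

    def utf8_at(i):
        tag, value = entries.get(i, (None, None))
        return value if tag == CONSTANT_UTF8 else None

    classes, strings = [], []
    for i in sorted(entries):
        tag, payload = entries[i]
        if tag in (CONSTANT_CLASS, CONSTANT_STRING):
            (ref,) = struct.unpack(">H", payload)
            value = utf8_at(ref)
            if value is not None:
                (classes if tag == CONSTANT_CLASS else strings).append(value)
    return major, classes, strings


def triage(data):
    """Hashes (what you would look up or submit) plus constant-pool contents."""
    major, classes, strings = parse_constant_pool(data)
    return {
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "major_version": major,
        "classes": classes,
        "strings": strings,
    }


def _utf8(s):
    b = s.encode()
    return bytes([CONSTANT_UTF8]) + struct.pack(">H", len(b)) + b


def _ref(tag, i):
    return bytes([tag]) + struct.pack(">H", i)


# Constructed sample: header plus a 7-entry pool (count field is entries + 1;
# the Long at slot 7 also occupies slot 8). The fields that follow the pool in
# a real file are omitted because triage does not need them.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe" + struct.pack(">HH", 0, 49)  # minor 0, major 49 (Java 5)
    + struct.pack(">H", 9)
    + _utf8("FcPred") + _ref(CONSTANT_CLASS, 1)
    + _utf8("java/applet/Applet") + _ref(CONSTANT_CLASS, 3)
    + _utf8("http://loader.example.invalid/stage2.class") + _ref(CONSTANT_STRING, 5)
    + bytes([5]) + struct.pack(">q", 0)
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CLASS).items():
        print(f"{key}: {value}")
```

The string dump is the part that matters in a case like this one: a downloader's next-stage URL, or the pieces it concatenates to build one, shows up there without running anything, and a class whose pool names `java/net/URL` and `java/lang/ClassLoader` alongside a remote address is worth treating as a loader regardless of which scanners recognise the hash.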


  #3 brokencrow (Dissident 4dm1n; joined Feb 2004; Shawnee country; 1,243 posts)
    It sounds odd at first blush. First of all, who is netflame.cc? Took a little digging around, but the domain's registered through Network Solutions (no wonder I had to dig) to an outfit in Minnesota:

    http://www.networksolutions.com/whoi...in=netflame.cc

    Oddly enough, trying to load http://www.netflame.cc or https://www.netflame.cc in a web browser yielded no results, giving me a standard "server not found" page in Firefox. Pinging netflame.cc gives me an IP address of 64.210.184.134, which belongs to a web hosting outfit called Savvis (www.savvis.net) out of North Carolina.

    Here it gets strange again; loading http://ssl-hints.netflame.cc did indeed yield an Apache "HTTP Status 404" page, which means it did indeed connect to a server. But the IP address I pulled for http://ssl-hints.netflame.cc is 168.215.74.5, which belongs to Time-Warner in Colorado. Not your typical web hosting outfit.

    If I may be so bold as to venture a couple of guesses here...

    1) The trojan downloader is indeed a Java script for updating Ad-Aware and Kaspersky is picking it up as a false positive. This routinely occurs to me when using Panda's online scan and the scripts/files it installs on a PC.

    2) Lavasoft has contracted Digital River (see whois) to provide mirroring services for their downloading needs. IT these days is all about contracted services.

    3) If it is indeed a true trojan-downloader and the site's been hijacked, one would be wise to steer clear of this update, and perhaps try download.com or another more mainstream site for Lavasoft's updates.

    You might contact Lavasoft's admin at main@lavasoft.de and put the question to them...
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  #4 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    I agree, brokencrow, it seems very odd.

    1. I ran it through VirusTotal, and five scanners said it was EXACTLY the same trojan installer (OK, slight naming convention differences). And it isn't as if they were all Kaspersky clones?

    2. I consider Lavasoft to be a very reputable organisation and would trust them, at least thus far?

    3. Digital River have also been reputable to date; I even bought the PC-cillin Internet Security #14 that is on this machine from them! They are worldwide with proper branch offices and all... London, Dublin etc.

    All I would have thought you would want on a site like that would be a hit counter and country of origin. OK, as Lavasoft are apps developers I could understand them being interested in the OS and browser perhaps?

    Even session cookies would be understandable; but this seems to be rather more?

    I guess we shall have to "let the case develop"?

  #5 brokencrow (Dissident 4dm1n; joined Feb 2004; Shawnee country; 1,243 posts)
    Is there another site to download the same updated Ad-Aware? Is it the full app itself lighting up the AV, or just an update? My experience with Ad-Aware SE v1.06 was that the update itself was simply a definitions (.def) file. There is a good chance, given ShagDevil's resulting scan, that this is a false positive.

    I've been running across articles about websites being surreptitiously hijacked to set up spyware installs. My impression from the readings was that this was occurring largely at sites like MySpace and YouTube: public sites with accounts protected by passwords like "password", that kind of thing. But having done some web design and mastering, I've seen sites that owners protected with words easily susceptible to dictionary attacks. Logins like "byrd". And it has me wondering how many "spyware farms" are getting set up on perfectly legit sites.

    I've got a user at work who was badly infected with spyware which I simply couldn't remove fast enough, so I reimaged his desktop. I lightly chided the guy about the sites he's going to before I realized he's a pretty straight-up Baptist. We were trading internet war stories (he's got 2 sons) and I realized he's not particularly given to surfing rogue sites (porn, gambling, etc.). And about the same time I started running across these articles about hijacked websites.

    Fwiw, I've gone ahead and emailed Lavasoft's admin. Careful gang, it's a jungle out there....
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  #6 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    Hmmm, even stranger... I just submitted the netflame link to this lot:

    http://linkscanner.explabs.com/linkscanner/

    They then scan the site for malicious code/activity... it came up with nada?

  #7 ShagDevil (Some Assembly Required; joined Nov 2002; SC; 718 posts)
    Nihil, Brokencrow,
    I appreciate you guys looking into this for me. Well, not for me but for everyone's sake.
    It wasn't the actual update itself that was causing the Trojan alert. It was Kaspersky's web browser scanning that picked it up. Basically what I did was update my Ad-Aware, then in the Performing WebUpdate dialog box I clicked the "Read More..." link in the news section that stated Ad-Aware 7 was coming out in June.
    That's what generated the Trojan alert. I thought maybe it was my Ad-Aware, but I generate this same error just by going to Lavasoft's site through standard browsing. I'm wondering myself if this is a false positive and Kaspersky is just being anal. I visited the site again today and got the same alerts. I'll keep my eyes open as well. Also, thanks for emailing Lavasoft, Brokencrow. Let's see what they have to say.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  #8 ShagDevil (Some Assembly Required; joined Nov 2002; SC; 718 posts)
    I've been doing a lot of reading on this netflame.cc stuff. I actually googled it and came up with a surprisingly large number of articles. This reply came out of one of those forums:

        This is just an anonymous ping to Fireclick (a simple counter system owned by Digital River indeed) that we use to count how many times our plugin is used every day.
        It's not spying on anything as nothing is recorded at all. It's just a number being incremented. We will actually remove this ping in the future. For now it helps us see how this product is adopted and prioritize our next efforts.

    From what I've read so far, it's not some kind of malicious Trojan. I shall read on.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  #9 nihil (Senior Member; joined Jul 2003; United Kingdom: Bridlington; 17,188 posts)
    Hey ShagDevil,

    I know you are as cynical as me...?

    So I surf to some site out of curiosity and it just loads some software (without my permission) so that it can get MY SYSTEM to ping it every time I use a plugin for software I may not even have installed?

    That, sir, is the classical definition of spyware... no "ands", "ifs" or "buts"?

    I am afraid that it seems as if Ad-Aware are becoming "unaware" and Digital River are going down the "Swannee".

    Well guys, Digital River are American, so it is up to you... "we come in peace..."

  #10 brokencrow (Dissident 4dm1n; joined Feb 2004; Shawnee country; 1,243 posts)
    Ad-Aware is actually a Swedish outfit, isn't it? And who knows what kind of contractual arrangements they have with Digital River. Perhaps it's one of those "American contracts". You know, the ones that run into hundreds, perhaps even thousands of pages.

    Nihil, just a word of advice: stay off the road to Lexington and Concord. Especially if you're wearing a red coat.
    “Everybody is ignorant, only on different subjects.” — Will Rogers
