Troja!
August 7, 2008 7:28 AM

Avast throws a Trojan Horse warning when I try to open yeoz's post here in MetaTalk.

I get the warning when I open this URL: http://metatalk.metafilter.com/16580/the-bad-bad-internets

Trojan[js] is about the only details Avast gives me.
posted by syzygy to bugs at 7:28 AM (23 comments total)



It may be because the exploit source is included in the post content.
posted by ardgedee at 7:33 AM on August 7


...also, it includes (in plain text) the URL of the hostile site.
posted by ardgedee at 7:33 AM on August 7


Just munged the script itself and the nasty site's link. Let me know if it keeps setting off radar.
posted by cortex at 7:36 AM on August 7


Now Firefox complains that it doesn't know how to open the protocol - but at least Avast isn't complaining about any trojans any more.

Thanks cortex...
posted by syzygy at 7:49 AM on August 7


Was having the same problem, and aside from the FF protocol thingy, it's fine now. Thanks, syzygy and cortex.
posted by Alvy Ampersand at 7:51 AM on August 7


Instead of hxxp://58.65...etc., making the IP number invalid is probably a safer option, eg, http://558.65...etc.. It sounds like some malware detectors are triggering on blacklisted IPs regardless of the indicated protocol.
posted by ardgedee at 7:54 AM on August 7


I'm getting a redirect in IE... am I due a fun night cleaning up malware?
posted by Artw at 7:56 AM on August 7


Perhaps the post could be modified so that we don't have to read the source to actually see the exploit. It looks like

document.write('');

when it should look like

document.write('<iframe src=... >');

At least that seems to be why it's setting things off; the iframe is actually being called each time the page loads.
posted by vernondalhart at 8:01 AM on August 7


Can we just remove all the damn code until someone figures out a way to show it in a non active form?
posted by Artw at 8:04 AM on August 7


Done. Let me know if it's STILL doing stuff.
posted by cortex at 8:05 AM on August 7


It's fixed, although you could just escape all the html characters so that we can see the code anyhow; but this does fix the error.
posted by vernondalhart at 8:07 AM on August 7


Lookin' good - no warnings of any kind when I visit the post now.
posted by syzygy at 8:08 AM on August 7


vernondalhart: you can see the code in yeoz's flickr link.
posted by vacapinta at 8:11 AM on August 7


The code was always inactive, your idiot browsers were just trying to be way too clever.

OH THAT PLAINTEXT RESEMBLES A URL
WHY DON'T I PREFETCH IT FOR YOU
OMNOMNOMNOMNOMNOMNOMNOMNOMNOMNOM

posted by blasdelf at 8:30 AM on August 7 [14 favorites]


Metafilter: Idiot browsers just trying to be way too clever.
posted by weapons-grade pandemonium at 8:47 AM on August 7 [4 favorites]


> OH THAT PLAINTEXT RESEMBLES A URL WHY DON'T I PREFETCH IT FOR YOU

Highly unlikely for a malware detector to attempt preloading a hostile site. It's more likely doing simple string matches anywhere in the text and reacting when it sees something on its blacklist.

In full-on paranoia mode, that's not such a bad idea. It doesn't take much effort for a page to include scripting that wraps arbitrary chunks of text with anchor tags, making them clickable when the page is loaded and parsed.
posted by ardgedee at 8:50 AM on August 7 [1 favorite]


> Highly unlikely for a malware detector to attempt preloading a hostile site.

AVG does this when you search Google. Who knows what the other ones do. I think it's hilarious that these apps are going to stuff you never click on.
posted by damn dirty ape at 9:09 AM on August 7


Artw writes "Can we just remove all the damn code until someone figures out a way to show it in a non active form?"

If only we had images.
posted by Mitheral at 9:10 AM on August 7 [1 favorite]


> AVG does this when you search google.

I stand corrected. That's kind of bogus.
posted by ardgedee at 10:20 AM on August 7


> Instead of hxxp://58.65...etc., making the IP number invalid is probably a safer option, eg, http://558.65...etc.

That's helpful but not reliable. Many IP address parsers never even look at the high bits of the dotted notation address values.
posted by tkolar at 1:48 PM on August 7
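
The two suggestions in this thread, escaping the HTML characters and defanging the address, combined in one added example that is not part of the original thread or the site's code. It brackets the dots (`[.]`) rather than altering digits, so the result does not depend on how a parser treats an out-of-range octet; the function names are hypothetical and the sample snippet and address (192.0.2.10, a documentation range) are constructed.

```javascript
// Added example: render a hostile snippet as inert, readable text.
// All names here are hypothetical; the sample input is constructed.

const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
};

// Escape every character the HTML parser treats as markup, so the
// browser displays the tag instead of instantiating it.
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => HTML_ENTITIES[ch]);
}

// Defang URL schemes and dotted IPv4 addresses so that neither an
// auto-linker nor a string-matching scanner sees a live indicator.
function defang(text) {
  return text
    .replace(/\b(h)tt(ps?):\/\//gi, (m, h, rest) => `${h}xx${rest}://`)
    .replace(/\b(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\b/g,
      '$1[.]$2[.]$3[.]$4');
}

// Reverse of defang(), for an analyst who needs the original value.
// Nothing is lost, unlike rewriting a digit of the address.
function refang(text) {
  return text
    .replace(/\b(h)xx(ps?):\/\//gi, '$1tt$2://')
    .replace(/\[\.\]/g, '.');
}

// Defang first, then escape, then wrap for display in a post body.
function renderSample(raw) {
  return `<pre><code>${escapeHtml(defang(raw))}</code></pre>`;
}

// Constructed sample in the shape quoted earlier in the thread.
const sample =
  "document.write('<iframe src=\"http://192.0.2.10/x\"></iframe>');";

console.log(renderSample(sample));
```
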


Yeah, whenever I was trying to look at my Mefi RSS feeds in FeedDemon, Avira wouldn't let me.
posted by divabat at 2:21 PM on August 7


Oh. The site with the dangerous content. It's dangerous just to name it.

Why is the internet getting to be like Hastur all of a fricking sudden??
posted by Durn Bronzefist at 5:19 PM on August 7


Durn... Durn! That tentacle poking out of the gateway into non-Euclidean space behind you and choking you right now is a consensual kinky thing, right? Oh, you can't speak. Well can you make your eyes bulge out more for yes and blink for no? Alright then, carry on.
posted by BrotherCaine at 1:09 AM on August 8

