Troja! August 7, 2008 7:28 AM   Subscribe

Avast throws a Trojan Horse warning when I try to open yeoz's post here in MetaTalk.

I get the warning when I open this URL: http://metatalk.metafilter.com/16580/the-bad-bad-internets

Trojan[js] is about the only details Avast gives me.
posted by syzygy to Bugs at 7:28 AM (23 comments total)

It may be because the exploit source is included in the post content.
posted by ardgedee at 7:33 AM on August 7, 2008


...also, it includes (in plain text) the URL of the hostile site.
posted by ardgedee at 7:33 AM on August 7, 2008


Just munged the script itself and the nasty site's link. Let me know if it keeps setting off radar.
posted by cortex (staff) at 7:36 AM on August 7, 2008


Now Firefox complains that it doesn't know how to open the protocol - but at least Avast isn't complaining about any trojans any more.

Thanks cortex...
posted by syzygy at 7:49 AM on August 7, 2008


Was having the same problem, and aside from the FF protocol thingy, it's fine now. Thanks, syzygy and cortext.
posted by Alvy Ampersand at 7:51 AM on August 7, 2008


Instead of hxxp://58.65...etc., making the IP number invalid is probably a safer option, eg, http://558.65...etc.. It sounds like some malware detectors are triggering on blacklisted IPs regardless of the indicated protocol.
posted by ardgedee at 7:54 AM on August 7, 2008


I'm getting a redirect in IE... am I due a fun night cleaning up malware?
posted by Artw at 7:56 AM on August 7, 2008


Perhaps the post could be modified so that we don't have to read the source to actually see the exploit. It looks like

document.write('');

when it should look like

document.write('<iframe src=... >);

At least that seems to be why it's setting things off; the iframe is actually being called each time the page loads.
posted by vernondalhart at 8:01 AM on August 7, 2008


Can we just remove all the damn code until someone figures out a way to show it in a non active form?
posted by Artw at 8:04 AM on August 7, 2008


Done. Let me know if it's STILL doing stuff.
posted by cortex (staff) at 8:05 AM on August 7, 2008


It's fixed, although you could just escape all the html characters so that we can see the code anyhow; but this does fix the error.
posted by vernondalhart at 8:07 AM on August 7, 2008


Lookin' good - no warnings of any kind when I visit the post now.
posted by syzygy at 8:08 AM on August 7, 2008


vernondalhart: you can see the code in yeoz's flickr link.
posted by vacapinta at 8:11 AM on August 7, 2008


The code was always inactive, your idiot browsers were just trying to be way too clever.

OH THAT PLAINTEXT RESEMBLES A URL
WHY DON'T I PREFETCH IT FOR YOU
OMNOMNOMNOMNOMNOMNOMNOMNOMNOMNOM

posted by blasdelf at 8:30 AM on August 7, 2008 [13 favorites]


Metafilter: Idiot browsers just trying to be way too clever.
posted by weapons-grade pandemonium at 8:47 AM on August 7, 2008 [4 favorites]


> OH THAT PLAINTEXT RESEMBLES A URL WHY DON'T I PREFETCH IT FOR YOU

Highly unlikely for a malware detector to attempt preloading a hostile site. It's more likely doing simple string matches anywhere in the text and reacting when it sees something on its blacklist.

In full-on paranoia mode, that's not such a bad idea. It doesn't take much effort for a page to include scripting that wraps arbitrary chunks of text with anchor tags, making them clickable when the page is loaded and parsed.
posted by ardgedee at 8:50 AM on August 7, 2008 [1 favorite]


Highly unlikely for a malware detector to attempt preloading a hostile site.

AVG does this when you search google. Who knows that the other ones do. I think its hilarious that these apps are going to stuff you never click on.
posted by damn dirty ape at 9:09 AM on August 7, 2008


Artw writes "Can we just remove all the damn code until someone figures out a way to show it in a non active form?"

If only we had images.
posted by Mitheral at 9:10 AM on August 7, 2008 [1 favorite]


> AVG does this when you search google.

I stand corrected. That's kind of bogus.
posted by ardgedee at 10:20 AM on August 7, 2008


Instead of hxxp://58.65...etc., making the IP number invalid is probably a safer option, eg, http://558.65...etc.

That's helpful but not reliable. Many IP address parsers never even look at the high bits of the dotted notation address values.
posted by tkolar at 1:48 PM on August 7, 2008


Yeah, whenever I was trying to look at my Mefi RSS feeds in FeedDemon, Avira wouldn't let me.
posted by divabat at 2:21 PM on August 7, 2008


Oh. The site with the dangerous content. It's dangerous just to name it.

Why is the internet getting to be like Hastur all of a fricking sudden??
posted by Durn Bronzefist at 5:19 PM on August 7, 2008


Durn... Durn! That tentacle poking out of the gateway into non-Euclidian space behind you and choking you right now is a consensual kinky thing, right? Oh, you can't speak. Well can you make your eyes bulge out more for yes and blink for no? Alright then, carry on.
posted by BrotherCaine at 1:09 AM on August 8, 2008


« Older the bad bad internets   |   Following in someone's good footsteps ... Newer »

You are not logged in, either login or create an account to post comments