Locked

Attempted Trojan was downloaded from forums.adobe.com

New Here, Aug 28, 2012

While viewing a thread in the Adobe forums my Avast! Antivirus blocked a script running in Firefox. It attempted to download a trojan to my PC.

The source of the script was: http://forums.adobe.com/4.5.6/resources/scripts/gen/220b1b06a29F901e1d24252ac800883e.js.

The infection was: JS:Blacole-AV [Trj]

screenshot.png

EDIT: It is happening more frequently now from various links. Like: http://forums.adobe.com/community/coldfusion

Message was edited by: bswanwick

Views

3.6K

Community Guidelines
Be kind and respectful, give credit to the original source of content, and search for duplicates before posting. Learn more
Adobe Employee, Aug 28, 2012

Thank you for the information. We are investigating it now.

Adobe Employee, Aug 28, 2012

Is anyone else seeing this? We have a case opened with Jive to investigate it.

LEGEND, Aug 28, 2012

Have not encountered such, over about 1/2 dozen Adobe Forums - so far.

Hunt

LEGEND, Aug 28, 2012

No, I'm fully protected by the same AV bswanwick is, and I'm not seeing any malware.

Edit:  I just verified (via IE9's F12 Developer Tools) that I am indeed loading:

/4.5.6/resources/scripts/gen/220b1b06a29f901e1d24252ac800883e.js

Whether we all get the data from the same servers is not certain.

-Noel

Adobe Employee, Aug 28, 2012

Almost positive this is a false-positive from Avast. Jive support is bringing in their engineering and hosting people for more investigation.

Adobe Employee, Aug 28, 2012

Not able to duplicate this with the latest update from Avast. Can you provide me with the current virus definition you have and the current program version?

Thanks!

Adobe Employee, Aug 28, 2012

From Jive support:

We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem. This was a simple false positive, so there is no need to worry about infected computers due to this.

LEGEND, Aug 28, 2012

John,

We have concluded that this was an issue with the virus definitions of Avast (#120828-1). If you update to the newest virus definitions (currently #120828-2), you should not receive the warning anymore as it has fixed the problem.

Good to know, and thank you for reporting.

Appreciated,

Hunt

LEGEND, Aug 28, 2012

Perhaps the threat wasn't false-positive according to this link:

<http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

Mentor, Aug 28, 2012

Why is it someone finds a bug/exploit and rather than notifying the Software Manufacturers on the QT, instead publishes it for all to see including the bad guys. Guaranteeing that the exploit will be used.

I'm sure there are people here smart enough to use it and might even consider it. And someone has provided a link on how to create it.

I'm not smart enough, just looking at the code given makes me zone out and gives me a headache looking at it.

LEGEND, Aug 28, 2012

Nothing to do with me. I was simply saying that bswanwick didn't have "false-positive" as suggested above because this was announced all over the place on the web. Yes, Avast is not a good anti-virus but it is dangerous to discount everything as false-positive when Jive might be under attack from outside NOT from USERs here.

LEGEND, Aug 28, 2012

What makes you think Avast! is not good?

-Noel

Mentor, Aug 29, 2012

I wasn't referring to you. I was referring to the person who created the link to start with.

And BTW: In my post I made it sound like the forum visitors would use the code. I'm sure the folks here are honorable enough not to use it. I know I wouldn't even if I could make sense of the code.

LEGEND, Aug 29, 2012

mytaxsite.co.uk wrote:

Perhaps the threat wasn't false-positive according to this link:

<http://blog.fireeye.com/research/2012/08/zero-day-season-is-not-over-yet.html>

This is about the well-publicized vulnerability in Java 1.7; Jive does not use Java, to the best of my knowledge.  (Java is not related to JavaScript in any way.)

New Here, Aug 29, 2012

As of this morning I am on virus definition 120829-0 and can confirm that I am no longer receiving any messages from Avast! while browsing the Adobe forums.

LEGEND, Aug 29, 2012

Thank you for reporting the definitions version and the state of things now.

Good luck,

Hunt

Explorer, Sep 01, 2012

Security Alert for CVE-2012-4681 released August 30, 2012 by Oracle to address 3 distinct but related vulnerabilities (CVE-2012-4681, CVE-2012-1682 and CVE-2012-3136) and one security issue (CVE-2012-0547) affecting Java running in desktop browsers.

These - high severity - vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system. This malware may in some instances be detected by current antivirus signatures upon its installation.

https://blogs.oracle.com/security/entry/security_alert_for_cve_20121

LEGEND, Sep 01, 2012

Thanks for the info, Rick, but...  What's the relationship you're seeing between these announcements and this thread?  I thought we'd written this off as a false positive.

-Noel

Explorer, Sep 03, 2012

I was just following @mytaxsite's post #9 above concerning there might've been something more than just a 'simple false positive' as concluded by Jive support.

If it was so then why is it that the referenced page isn't available since then?

While I think there might've been a redirecting attempt, it was probably 'to' and not 'from' that Adobe page, originated by a malicious javascript on bswanwick's FF browser?

Anyway, without further information (if reported to Avast!) from @bswanwick there's nothing else to add but that I'm glad he is (and the forums) Ok.

______________________________________________________

P.S. Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?

http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

LEGEND, Sep 03, 2012

RickCP wrote:

P.S. Security researchers' reports on the BlackHole Kit to exploit Java (and others) flaws - Did you read the latest?

http://www.theregister.co.uk/2012/08/31/critical_flaw_found_in_patched_java/

But how is this related to this topic, or this forum?
