Avira and HTML/CryptedGen (again)


Matt Mastracci

Mar 16, 2010, 2:07:12 PM
to Google-Web-Tool...@googlegroups.com
We started getting reports of the "HTML/Crypted.Gen" being detected in our Chrome extension again. I've managed to reproduce it - the signature seems to be the exact set of strings they use:

====
.fromCharCode
.charCodeAt
nodeValue
for
0,0,0,0,0,0
Math.min
====

I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).

I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.

Matt.

John Tamplin

Mar 16, 2010, 2:15:23 PM
to google-web-tool...@googlegroups.com
Holy cow -- how do they think that is an acceptable measure?  Surely they could at least change the warning to say "potentially dangerous JS" or something rather than declaring it a virus.

--
John A. Tamplin
Software Engineer (GWT), Google

Matt Mastracci

Mar 16, 2010, 2:42:12 PM
to google-web-tool...@googlegroups.com
> I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).
>
> I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.

> Holy cow -- how do they think that is an acceptable measure? Surely they could at least change the warning to say "potentially dangerous JS" or something rather than declaring it a virus.

This is pretty unbelievable to me as well. I imagine that the process involved someone finding a mutating JS virus, found six strings that it always contained, put them in and figured that it was safe after surfing around for a bit without any false positives.

After experimenting a bit further, I discovered that "nodeValue" is actually matching case insensitively for "eval" (which makes a little more sense).  This means that the signature is something like "for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"

This will probably affect a significant number of GWT applications that use RPC. Avira seems to check files ending in .js* and .html* for this pattern. I verified that the scanner intercepts these patterns in HTTP traffic and detects them in IE cache files. There might be some negative patterns as well: Avira doesn't block my message in the Google Groups web interface, but it does block it when viewing the raw message source.

Matt.

Matt Mastracci

Mar 16, 2010, 3:08:04 PM
to Google Web Toolkit Contributors
On Mar 16, 12:42 pm, Matt Mastracci <matt...@mastracci.com> wrote:

> > Holy cow -- how do they think that is an acceptable measure?  Surely they could at least change the warning to say "potentially dangerous JS" or something rather than declaring it a virus.

> This will probably affect a significant number of GWT applications that use RPC. Avira seems to check files ending in .js* and .html* for this pattern. I verified that the scanner intercepts these patterns in HTTP traffic and detects them in IE cache files. There might be some negative patterns as well: Avira doesn't block my message in the Google Groups web interface, but it does block it when viewing the raw message source.

Even better: it turns out that if you put the string "google" anywhere
in the file matching CryptedGen, it no longer matches the heuristic. I
imagine that it would pick up the string from the class metadata for
those not using -XdisableClassMetadata.

So this is a virus:

"for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"

And this is not:

"google for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0"

The easiest solution for us seems to be putting the string "Google Web
Toolkit" in a comment in our header.

Matt.
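To make the two findings above (the six case-insensitive tokens from the earlier post, and the "google" negative pattern from this one) easy to check against a compiled GWT output before shipping it, here is a small build-time checker. It is an added example, not code from the thread or from GWT, and it only models the heuristic as Matt described it: every required token must be present (order irrelevant, compared case-insensitively, which is why "nodeValue" satisfies the "eval" token), and any occurrence of "google" suppresses the match. The sample inputs are constructed, not the extension's real output, and the real Avira signature is not public.

```javascript
// Added example: a local model of the HTML/Crypted.Gen heuristic as described
// in this thread, for checking compiled JS before release. Assumptions: the six
// tokens match case-insensitively in any order, and "google" is a negative
// pattern. This is not Avira's actual signature logic.

const REQUIRED_TOKENS = [
  "for",
  "eval",            // "nodeValue" contains "eval" once lowercased
  ".fromcharcode",
  ".charcodeat",
  "math.min",
  "0,0,0,0,0,0",
];

// Negative pattern reported in the thread: its presence suppresses the match.
const NEGATIVE_TOKENS = ["google"];

// Returns which required tokens were found or are missing, which negative
// tokens suppressed the match, and the overall verdict.
function checkCryptedGen(source) {
  const text = source.toLowerCase();
  const found = REQUIRED_TOKENS.filter((t) => text.includes(t));
  const missing = REQUIRED_TOKENS.filter((t) => !text.includes(t));
  const suppressedBy = NEGATIVE_TOKENS.filter((t) => text.includes(t));
  const matches = missing.length === 0 && suppressedBy.length === 0;
  return { matches, found, missing, suppressedBy };
}

// The workaround from the first post: split the run of six zeros with a space
// so the "0,0,0,0,0,0" token no longer appears as a single substring.
function applyZeroSpacing(source) {
  return source.replace(/0,0,0,0,0,0/g, "0,0,0, 0,0,0");
}

// Constructed samples (not files from the thread's extension).
const SAMPLES = {
  // The thread's minimal "this is a virus" string.
  minimal: "for eval .fromcharcode .charcodeat math.min 0,0,0,0,0,0",
  // Plausible compiled output using the same string operations.
  gwtLike:
    "function decode(s){var a=[0,0,0,0,0,0];" +
    "for(var i=0;i<s.length;i++){a[i%6]=Math.min(255,s.charCodeAt(i));}" +
    "return String.fromCharCode.apply(null,a);} var v=n.nodeValue;",
  // Ordinary JS that shares only two of the six tokens.
  harmless:
    "var x = [1,2,3]; for (var i = 0; i < x.length; i++) { x[i] = Math.min(x[i], 2); }",
};

// Stand-alone run: print a verdict per sample, plus the two mitigations.
for (const [name, src] of Object.entries(SAMPLES)) {
  const r = checkCryptedGen(src);
  console.log(
    name.padEnd(9),
    r.matches ? "would trip the heuristic" : "clean",
    "| missing:", r.missing.join(" ") || "-",
    "| suppressed by:", r.suppressedBy.join(" ") || "-"
  );
}
console.log("spaced   ", checkCryptedGen(applyZeroSpacing(SAMPLES.gwtLike)).matches ? "trips" : "clean");
console.log("comment  ", checkCryptedGen("// Google Web Toolkit\n" + SAMPLES.gwtLike).matches ? "trips" : "clean");
```

Running it shows `minimal` and `gwtLike` tripping the model while `harmless` does not, and both workarounds from the thread (spacing the zeros, or a "Google Web Toolkit" header comment) turning `gwtLike` clean. A check like this belongs in the build, since the thread notes that the tokens come from ordinary string handling the compiler emits, so a later compiler or code change can silently reintroduce the pattern.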

Joel Webber

Mar 17, 2010, 10:48:25 AM
to google-web-tool...@googlegroups.com
This is Avira, isn't it? Did you ever hear anything back from them about this? It seems like it really ought to be fixed on their end, though I applaud your spelunking for a workaround :)


John Tamplin

Mar 17, 2010, 11:02:04 AM
to google-web-tool...@googlegroups.com
On Wed, Mar 17, 2010 at 10:48 AM, Joel Webber <j...@google.com> wrote:
> This is Avira, isn't it? Did you ever hear anything back from them about this? It seems like it really ought to be fixed on their end, though I applaud your spelunking for a workaround :)

Well, they will have to change it anyway -- Matt just revealed that a JS malware writer can avoid detection just by including "Google" in the JS file :).

If they are going to change it anyway, they might as well change it to something more reasonable.

If they don't, it seems likely their customers may stop using the product if it is triggered on more and more AJAX sites. 

Matt Mastracci

Mar 17, 2010, 1:22:20 PM
to google-web-tool...@googlegroups.com
My previous attempt to submit our code as a false positive disappeared into a black hole. I did get back a note saying it was acknowledged as a false positive and our user reports disappeared for a while. Unfortunately, it looks like they just hacked around the issue - the reports showed up again a few days ago.

The original goal was to figure out what in the code was tickling the signature to see if it was RPC-related (which might look malicious to some). When I got the signature down to a handful of byte strings that matched string operations, I just ended up shaking my head.

I found a technical support number that I can try calling and seeing if I can get escalated. If that doesn't work, it might be easier to submit a minimal, harmless testcase from those keywords as a false positive. :)

Matt.

John Tamplin

Mar 17, 2010, 1:38:12 PM
to google-web-tool...@googlegroups.com
On Wed, Mar 17, 2010 at 1:22 PM, Matt Mastracci <mat...@mastracci.com> wrote:
> I found a technical support number that I can try calling and seeing if I can get escalated. If that doesn't work, it might be easier to submit a minimal, harmless testcase from those keywords as a false positive. :)

Given their approach, that seems likely to get that exact source added to a whitelist :).

Matt Mastracci

Mar 17, 2010, 3:10:32 PM
to google-web-tool...@googlegroups.com

> I found a technical support number that I can try calling and seeing if I can get escalated. If that doesn't work, it might be easier to submit a minimal, harmless testcase from those keywords as a false positive. :)
>
> Given their approach, that seems likely to get that exact source added to a whitelist :).

That might not be far from the truth. :)

I called their tech support line and left a message to be passed on to their technical team, but the tech's solution was "you'll have to submit your code again every time it changes". He said he'd pass on the message, but wouldn't guarantee that anyone would contact me with anything more than "use the false positive form again".  Gah.

Matt.

John Tamplin

Mar 17, 2010, 3:15:44 PM
to google-web-tool...@googlegroups.com
On Wed, Mar 17, 2010 at 3:10 PM, Matt Mastracci <mat...@mastracci.com> wrote:
> I called their tech support line and left a message to be passed on to their technical team, but the tech's solution was "you'll have to submit your code again every time it changes". He said he'd pass on the message, but wouldn't guarantee that anyone would contact me with anything more than "use the false positive form again". Gah.

Are you a customer or know someone who is?  If so, perhaps calling customer support with "I am going to stop using this because of bogus false positives" would get a better response.

Matt Mastracci

Mar 17, 2010, 3:37:15 PM
to google-web-tool...@googlegroups.com, dflorey, Thomas Broyer, FaTompa
On 2010-03-17, at 1:15 PM, John Tamplin wrote:

> I called their tech support line and left a message to be passed on to their technical team, but the tech's solution was "you'll have to submit your code again every time it changes". He said he'd pass on the message, but wouldn't guarantee that anyone would contact me with anything more than "use the false positive form again". Gah.
>
> Are you a customer or know someone who is? If so, perhaps calling customer support with "I am going to stop using this because of bogus false positives" would get a better response.

Unfortunately not. I first heard about this company's anti-virus through some of our users (who are basically anonymous commenters on our Chrome extension page). I ran the heuristic tests against a trial version that I downloaded.

If anyone on this list is an Avira customer and wants to try contacting tech-support to help add some pressure, their USA toll-free number is: +1 888 880 2925.

cc'd dflorey, t.broyer and fatompa as three people who mentioned these false positives before and appear to be Avira customers (or know someone who is).

Matt.
