[gwt-contrib] Avira and HTML/CryptedGen (again)
We started getting reports of the HTML/Crypted.Gen being detected in our Chrome extension again. I've managed to reproduce it - the signature seems to be the exact set of strings they use:

  .fromCharCode
  .charCodeAt
  nodeValue
  for
  0,0,0,0,0,0
  Math.min

I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).

I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.

Matt.

--
http://groups.google.com/group/Google-Web-Toolkit-Contributors
Re: [gwt-contrib] Avira and HTML/CryptedGen (again)
On Tue, Mar 16, 2010 at 2:07 PM, Matt Mastracci matt...@mastracci.com wrote:

> We started getting reports of the HTML/Crypted.Gen being detected in our Chrome extension again. I've managed to reproduce it - the signature seems to be the exact set of strings they use:
>
>   .fromCharCode
>   .charCodeAt
>   nodeValue
>   for
>   0,0,0,0,0,0
>   Math.min
>
> I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).
>
> I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.

Holy cow -- how do they think that is an acceptable measure? Surely they could at least change the warning to say potentially dangerous JS or something rather than declaring it a virus.

--
John A. Tamplin
Software Engineer (GWT), Google
Re: [gwt-contrib] Avira and HTML/CryptedGen (again)
> > I kid you not - this is their signature for an encrypted JS virus. I can't seem to remove a single character from any of these tokens without turning it from a dangerous virus to a harmless bit of JS. Order doesn't seem to be important (although I haven't experimented with this that much).
> >
> > I think I'll be able to work around this by replacing any sequence of six zeros separated by commas with the sequence 0,0,0,[space]0,0,0.
>
> Holy cow -- how do they think that is an acceptable measure? Surely they could at least change the warning to say potentially dangerous JS or something rather than declaring it a virus.

This is pretty unbelievable to me as well. I imagine that the process involved someone finding a mutating JS virus, finding six strings that it always contained, putting them in and figuring that it was safe after surfing around for a bit without any false positives.

After experimenting a bit further, I discovered that nodeValue is actually matching case insensitively for eval (which makes a little more sense). This means that the signature is something like:

  for
  eval
  .fromcharcode
  .charcodeat
  math.min
  0,0,0,0,0,0

This will probably affect a significant number of GWT applications that use RPC.

Avira seems to check files ending in .js* and .html* for this pattern. I verified that the scanner intercepts these patterns in HTTP traffic and detects them in IE cache files. There might be some negative patterns as well: Avira doesn't block my message in the Google Groups web interface, but it does block it when viewing the raw message source.

Matt.
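The two messages from Matt above describe the token set the scanner keys on and a whitespace rewrite that avoids it. The following is an added example, not code from the thread or from the GWT project, showing how a build step could check generated output for that token set (case-insensitive substring match, all tokens required, order ignored, as described above) and apply the described rewrite. The function names, the `SAMPLE_GENERATED_JS` input and the regular expression are assumptions of this example; the six tokens come from the thread.

```javascript
// Added example (not from the thread or GWT): a build-time check for the
// HTML/Crypted.Gen false-positive pattern discussed above, plus the
// "break up runs of six zeros" rewrite Matt proposes.

// Token set as reported in the thread (lowercase, since the match was
// observed to be case-insensitive).
const SIGNATURE_TOKENS = ["for", "eval", ".fromcharcode", ".charcodeat", "math.min", "0,0,0,0,0,0"];

// Returns the subset of signature tokens present in `source` as substrings,
// ignoring case. Order of appearance is not considered.
function findSignatureTokens(source) {
  const lower = source.toLowerCase();
  return SIGNATURE_TOKENS.filter((tok) => lower.includes(tok));
}

// The heuristic, as described, fires only when every token is present.
function matchesCryptedGenHeuristic(source) {
  return findSignatureTokens(source).length === SIGNATURE_TOKENS.length;
}

// Matt's workaround, generalised to runs longer than six: every run of six or
// more comma-separated zeros gets a space inserted after each group of three,
// so no "0,0,0,0,0,0" substring survives. Whitespace is insignificant here in
// JS code, but this is a purely textual transform: it would also touch a string
// literal that happens to contain such a run, so run it on code, not on data.
function breakZeroRuns(source) {
  return source.replace(/0(?:,0){5,}/g, (run) => {
    const zeros = run.split(",");
    const groups = [];
    for (let i = 0; i < zeros.length; i += 3) {
      groups.push(zeros.slice(i, i + 3).join(","));
    }
    return groups.join(", ");
  });
}

// Convenience wrapper for a build step: report before/after and hand back the
// rewritten source.
function scanAndFix(source) {
  const rewritten = breakZeroRuns(source);
  return {
    matchedBefore: matchesCryptedGenHeuristic(source),
    matchedAfter: matchesCryptedGenHeuristic(rewritten),
    tokensFound: findSignatureTokens(source),
    rewritten,
  };
}

// Constructed sample resembling the shape of generated decoder code (not real
// GWT output): it contains all six tokens and so trips the heuristic.
const SAMPLE_GENERATED_JS = [
  "function decode(s){var out='';",
  "for(var i=0;i<s.length;i++){out+=String.fromCharCode(s.charCodeAt(i)^1);}",
  "return out;}",
  "var table=[0,0,0,0,0,0,1,2];",
  "var n=Math.min(table.length,8);",
  "eval(decode('data'));",
].join("\n");

const report = scanAndFix(SAMPLE_GENERATED_JS);
console.log("matched before rewrite:", report.matchedBefore); // true
console.log("matched after rewrite: ", report.matchedAfter);  // false
console.log(report.rewritten);
```

The check is deliberately as crude as the signature it models: it cannot tell a decoder loop in legitimate RPC code from the pattern the scanner is looking for, which is exactly why the thread treats the detection as a false positive rather than something to "fix" in the code's behaviour. Running `matchesCryptedGenHeuristic` on build output lets a project notice the collision before users report it.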