
SANS ISC: Problem with Microsoft Antivirus regarding malware from google website - Internet Security | DShield SANS ISC InfoSec Forums


Problem with Microsoft Antivirus regarding malware from google website

In my company, we began experiencing a problem when users tried to access http://www.google.com.co through our Forefront TMG proxy. Every corporate user saw the following message:

Forefront TMG blocking google


This really looked strange, especially coming from Google. I captured some packets, filtered for the HTTP GET operations and got the following:

Wireshark Capture

There were three GET operations: the first for the main page, the second retrieving a JavaScript file, and a third that was unknown. The first one looked normal, as always, so I started analyzing the second one. The MD5 of the JavaScript file is 886e4780fc0af43a19eb4dcd55b728d7. I looked up that MD5 and found nothing. I uploaded the script to jsunpack and also got nothing:


Jsunpack Analysis

I also had VirusTotal scan the URL (http://www.google.com.co) and again got nothing:

 Virustotal Check for google website

I then started on HTTP GET number three. Wireshark showed compressed content, so I extracted it from the capture and decompressed it:

 Wireshark capture from

The compressed file has MD5 1375a0f59d52d862a1297df7566c6894, the uncompressed file has MD5 c4c490a2a55a16492c068ec50827958b, and when loaded it starts a download from http://ssl.gstatic.com/gb/js/sem_480d0cc56e70fa5af3dda306c8bc7ce6.js. I analyzed that JavaScript as well, and both wepawet and jsunpack show nothing abnormal.
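The steps above (pull the compressed body out of the capture, decompress it, hash both forms, and find the second-stage script URL that needs to be looked up next) can be scripted so that every flagged response is handled the same way. The following is an added example, not code from the diary or from any of the tools mentioned; the script body and the host static.example.invalid are constructed sample data, not the real Google response.

```python
import gzip
import hashlib
import re
import zlib

# Constructed sample: a small loader script, gzip-compressed the way a server
# sends it with "Content-Encoding: gzip". mtime=0 keeps the gzip header, and
# therefore the compressed MD5, stable between runs.
SAMPLE_JS = (
    b'var s=document.createElement("script");'
    b's.src="https://static.example.invalid/gb/js/sem_0123456789abcdef.js";'
    b'document.head.appendChild(s);'
)
SAMPLE_BODY = gzip.compress(SAMPLE_JS, mtime=0)
# Same script sent with "Content-Encoding: deflate" (zlib-wrapped form).
SAMPLE_DEFLATE = zlib.compress(SAMPLE_JS)


def md5_hex(data: bytes) -> str:
    """MD5 as a lowercase hex string, the form used for hash lookups."""
    return hashlib.md5(data).hexdigest()


def decompress_body(body: bytes, encoding: str = "gzip") -> bytes:
    """Undo the HTTP Content-Encoding on a body copied out of a capture."""
    if encoding == "gzip":
        return gzip.decompress(body)
    if encoding == "deflate":
        # Servers disagree on whether "deflate" means zlib-wrapped or raw
        # deflate; try the wrapped form first, then fall back to raw.
        try:
            return zlib.decompress(body)
        except zlib.error:
            return zlib.decompress(body, -zlib.MAX_WBITS)
    raise ValueError("unsupported Content-Encoding: %s" % encoding)


# Anything that looks like an absolute URL inside the script; quotes and
# whitespace terminate it, trailing punctuation is trimmed afterwards.
URL_RE = re.compile(rb'https?://[^\s"\'<>]+')


def extract_urls(script: bytes) -> list:
    """URLs a script would fetch next: the candidates for the next lookup."""
    found = set()
    for m in URL_RE.finditer(script):
        found.add(m.group(0).decode("ascii", "replace").rstrip(".,;)"))
    return sorted(found)


def analyze(body: bytes, encoding: str = "gzip") -> dict:
    """Hash the body as captured and as decompressed, and list its URLs."""
    plain = decompress_body(body, encoding)
    return {
        "compressed_md5": md5_hex(body),
        "uncompressed_md5": md5_hex(plain),
        "urls": extract_urls(plain),
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_BODY)
    print("compressed   md5:", report["compressed_md5"])
    print("uncompressed md5:", report["uncompressed_md5"])
    for url in report["urls"]:
        print("next stage      :", url)
```

Both hashes matter: the compressed body is what the proxy or endpoint scanner may have matched on, while the decompressed body is what a sandbox such as jsunpack or wepawet actually evaluates, so a lookup that fails on one may succeed on the other.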

This problem has been confirmed on Microsoft's website. I will update the diary when I have more information about it.

UPDATE: As of 20:11 GMT-5, Feb 14 2012, we received confirmation from Microsoft stating that this problem is a false positive and will be corrected in the next update for the antivirus.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org

Manuel Humberto Santander Peláez

185 Posts
ISC Handler
Getting a few alerts from ForeFront Endpoint Protection 2010 here in Australia when visiting www.google.com.au as well.
Anonymous
>> http://answers.microsoft.com/en-us/protect/forum/protect_scanning/removing-exploitjsblacolebw/c67c86e9-7f4e-43e8-beb5-eeafdfdab469
"... def. version 1.119.1988.0... Google is no longer detected as a virus. .."
Latest MSE definition updates
- https://www.microsoft.com/Security/portal/Definitions/HowToMSE.aspx
Latest antivirus definition version: 1.119.1998.0
Released: Feb 15, 2012 05:30 AM UTC
Jack

160 Posts
In Mexico, we had the same alert...
Anonymous
