jparnold
11-13-2011, 08:30 PM
For the last few days whenever I receive an email from Flightsim to alert me that a reply has been made to my post and then I click on the link AVG prevents access and displays it as a Threat name Exploit Phoenix Exploit Kit (type 2072).
I had reported this within the post I had received replies to and someone (a 'moderator'?) replied that there was nothing wrong with Flightsim.com and to report it to AVG.
I have reported it to AVG and received the following response (apparently at least one other user has reported the same problem) -
After reading the last paragraph I am QUITE CONCERNED -
It is NOT an FP and I have sent details of the problem to someone
apparently from flightsim.com who also reported this issue to us.
It may be true that there is nothing flightsim.com can do about it, but
if so that simply relates to the competence of the flightsim.com people
to run a secure website.
Whatever you do, do NOT disable the LinkScanner component of AVG. It
_IS_ protecting you from having your computer's security compromised.
Do NOT be fooled by the fact that subsequent visits to the affected
page do NOT result in detection warnings. The malware on the
flightsim.com server uses all kinds of tricks to make analysing it (for
people with jobs like mine) and finding and removing it (for people
like the admins of flightsim.com) more difficult, including only
serving the exploit script if you have certain HTTP Referer: headers in
your URL request and once-per-IP exploit serving. This means that the
script will not necessarily be included into an affected page on a
subsequent attempt to visit the page and that means that LinkScanner
will not alert on that page load as the script is not there for it to
detect! It seems that the flightsim.com folk may be having some
difficulty understanding this despite my describing it to them.
It also appears that few, if any, other security products are detecting
this particular variant of this malicious script yet, which may further
induce folk to think that we are FP'ing. We have seen quite high
detection rates, including several fairly high-profile sites the last
few days, and there is no media coverage of this driven by competitors'
blogs, press releases, etc, suggesting that they are not seeing those
detections because their product is not detecting this script.
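An added example, not code from the post or from AVG, of the verification problem the AVG reply describes: a site owner comparing what the server returns under different Referer headers, together with a constructed test double that reproduces the Referer-gated, once-per-IP serving quoted above. The URL, hostnames, IP addresses and script source are placeholders.

```python
import re
from typing import Callable, Dict, List, Optional

# A page fetcher: (url, referer, client_ip) -> response body.  In real use this
# would wrap an HTTP client; here it is abstracted so the checker can be tested.
Fetcher = Callable[[str, Optional[str], str], str]

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)


def compare_variants(fetch: Fetcher, url: str, referers: List[Optional[str]],
                     client_ips: List[str]) -> Dict[str, object]:
    """Fetch `url` once per Referer variant, each from its own client IP, and
    report <script> elements that appear in some variants but not in all.
    Because serving may be once-per-IP, reusing an IP that has already loaded
    the page gives an inconclusive "clean" result; use a fresh IP per variant."""
    bodies = {ref: fetch(url, ref, ip) for ref, ip in zip(referers, client_ips)}
    scripts = {ref: set(SCRIPT_RE.findall(body)) for ref, body in bodies.items()}
    common = set.intersection(*scripts.values()) if scripts else set()
    extra = {str(ref): sorted(s - common) for ref, s in scripts.items() if s - common}
    return {"differs": bool(extra), "extra_scripts": extra}


def make_gated_fetcher(injected: str, referer_pattern: str) -> Fetcher:
    """Constructed test double (not real server code) reproducing the gating
    described in the reply: the extra script is returned only when the Referer
    matches `referer_pattern` and only on the first request from each IP."""
    served: set = set()
    base = "<html><body><p>Forum thread</p></body></html>"

    def fetch(url: str, referer: Optional[str], client_ip: str) -> str:
        if referer and re.search(referer_pattern, referer) and client_ip not in served:
            served.add(client_ip)
            return base.replace("</body>", injected + "</body>")
        return base
    return fetch


if __name__ == "__main__":
    # Placeholder values; the script source is a constructed sample, not an IoC.
    gated = make_gated_fetcher('<script src="http://x.example.invalid/e.js"></script>', r"mail\.")
    url = "http://forum.example.invalid/thread"
    refs = [None, "http://mail.example.invalid/notify"]
    print(compare_variants(gated, url, refs, ["10.0.0.1", "10.0.0.2"]))  # differs
    gated(url, refs[1], "10.0.0.9")  # this IP has now "used up" its one serving
    print(compare_variants(gated, url, refs, ["10.0.0.9", "10.0.0.9"]))  # looks clean
```

The second run shows the caveat from the reply: a repeat visit from an IP that was already served sees no script, so a single clean load proves nothing.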