
SANS ISC InfoSec Handlers Diary Blog



Problem with Microsoft Antivirus regarding malware from google website

Published: 2012-02-14
Last Updated: 2012-02-15 01:50:21 UTC
by Manuel Humberto Santander Pelaez (Version: 2)

In my company, we began experiencing a problem when users tried to access http://www.google.com.co through our Forefront TMG proxy. Every corporate user saw the following message:

Forefront TMG blocking google

 

This really looked strange, especially coming from Google. I captured some packets, filtered on the HTTP GET operations and got the following:

Wireshark Capture

I got three operations: the main query, a second one retrieving a JavaScript file, and a third one unknown. The first one looked normal as always, so I started analyzing the second one. The MD5 of the JavaScript file is 886e4780fc0af43a19eb4dcd55b728d7. I looked up the resulting MD5 and got nothing. I uploaded the script to jsunpack and got nothing:

 

Jsunpack Analysis

I also tried VirusTotal to scan the URL (http://www.google.com.co) and again got nothing:

 Virustotal Check for google website

I started analyzing HTTP GET number three. Wireshark shows some compressed content, so I extracted it from the capture and decompressed it:

 Wireshark capture from

The compressed file has MD5 1375a0f59d52d862a1297df7566c6894, the uncompressed file has MD5 c4c490a2a55a16492c068ec50827958b, and when loaded it starts a download from http://ssl.gstatic.com/gb/js/sem_480d0cc56e70fa5af3dda306c8bc7ce6.js. I analyzed that JavaScript as well, and Wepawet and jsunpack show nothing abnormal.
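The extract, decompress and hash steps above, as an added Python example that is not part of the diary: it takes a constructed gzip-encoded HTTP response standing in for the third GET, hashes the body as captured and after decompression (both values are worth looking up), and lists the URLs the script references for follow-up analysis. The sample response body is constructed; the gstatic URL inside it is the one the diary names.

```python
import gzip
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed sample: a gzip-encoded HTTP/1.1 response standing in for the
# third GET in the capture. The body is a small loader script that pulls in
# the external script the diary mentions. Hashes of this sample will not
# match the ones quoted in the diary, since the body is made up.
SAMPLE_BODY = (
    b"var s=document.createElement('script');"
    b"s.src='http://ssl.gstatic.com/gb/js/sem_480d0cc56e70fa5af3dda306c8bc7ce6.js';"
    b"document.body.appendChild(s);"
)
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/javascript\r\n"
    b"Content-Encoding: gzip\r\n"
    b"\r\n"
) + gzip.compress(SAMPLE_BODY)


def split_response(raw: bytes) -> Tuple[Dict[str, str], bytes]:
    """Split a raw HTTP response into lower-cased headers and the body bytes."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers: Dict[str, str] = {}
    for line in head.split(b"\r\n")[1:]:          # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def triage_response(raw: bytes) -> Dict[str, object]:
    """Hash the body as captured and as decompressed, and list referenced URLs."""
    headers, body = split_response(raw)
    if headers.get("content-encoding", "").lower() == "gzip":
        content = gzip.decompress(body)           # what the browser executes
    else:
        content = body                            # not compressed, hash as-is
    urls: List[bytes] = re.findall(rb"https?://[^\s'\"<>]+", content)
    return {
        "md5_compressed": hashlib.md5(body).hexdigest(),
        "md5_uncompressed": hashlib.md5(content).hexdigest(),
        "content": content,
        "urls": [u.decode("latin-1") for u in urls],
    }


if __name__ == "__main__":
    for key, value in triage_response(SAMPLE_RESPONSE).items():
        print(key, value)
```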

This problem has been confirmed on Microsoft's website. I will update the diary when I have more information about it.

UPDATE: As of 20:11 GMT-5, Feb 14 2012, we received confirmation from Microsoft stating that this problem is a false positive and will be corrected in update 1.119.1986.0 or higher for the antivirus.

Manuel Humberto Santander Peláez
SANS Internet Storm Center - Handler
Twitter: @manuelsantander
Web: http://manuel.santander.name
e-mail: msantand at isc dot sans dot org
