It Looked Like a Duck. It Walked Like a Duck. It Quacked Like a Duck!

It was a chicken in disguise.

On July 1st at 12:41 AM CET ESET became aware of a false positive. Some advertising banners were incorrectly flagged as being infected with the JavaScript trojan JS/Tivso.14a.gen Trojan. By 2:00 AM CET update version 2366 went out, correcting the misdetection. Later ESET researchers discovered that the generic signature covering JS/Tivso.13a.gen also would generate a false positive and at 7:01 PM update version 2368 was deployed to eliminate all known remaining problems with misdetection of this broad family of threats.

How did this happen? There are several Trojans in the JS/Tivso family. The bad guys are constantly modifying the code to evade detection by anti-virus. In addition to constant minor changes, the bad guys obfuscate the script used to write the trojans.  This means they scramble the code to try to make more difficult to detect the malicious software. In order to detect the new variations before they are even created, ESET uses a technology called generic signatures. Generic signatures compare files, or in this case scripts, to things we know are bad. It’s like when you see a duck, but do not know what type of duck it is. You know it’s a duck though because it looks so much like all of the other ducks you have seen.

Unfortunately, some advertisers decided to use techniques in their advertising banners that are extremely close to the same techniques the bad guys use. For whatever reason, the advertisers do not want you to know what programs they are running on your computer without your knowledge. This type of problem is only found on web pages where someone wishes to cause your browser to run code without you being aware of what they are doing, or able to easily find out what is happening. It sure looked like a duck, but it was a chicken. It didn’t even taste like chicken :)

ESET has received no reports of users who were dissatisfied because an advertisement that was trying to hide what it was doing was not allowed to run, however, the pop-up warning about the threat was a bit disconcerting.

ESET is committed to improving our ability to provide the best proactive protection against new threats. In the rare case that there is a false positive our researchers are there to quickly resolve the problem, even at midnight on a weekend.

Randy Abrams

Director of Technical Education