It was a chicken in disguise.
How did this happen? There are several Trojans in the JS/Tivso family. The bad guys are constantly modifying the code to evade detection by anti-virus. In addition to constant minor changes, the bad guys obfuscate the script used to write the trojans. This means they scramble the code to try to make it more difficult to detect the malicious software. In order to detect the new variations before they are even created, ESET uses a technology called generic signatures. Generic signatures compare files, or in this case scripts, to things we know are bad. It’s like when you see a duck, but do not know what type of duck it is. You know it’s a duck though because it looks so much like all of the other ducks you have seen.
Unfortunately, some advertisers decided to use techniques in their advertising banners that are extremely close to the same techniques the bad guys use. For whatever reason, the advertisers do not want you to know what programs they are running on your computer without your knowledge. This type of problem is only found on web pages where someone wishes to cause your browser to run code without you being aware of what they are doing, or able to easily find out what is happening. It sure looked like a duck, but it was a chicken. It didn’t even taste like chicken :)
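A rough sketch of the trade-off described above, added here as an example and not ESET's detection engine: the trait list, threshold and sample scripts are all constructed assumptions. An exact signature misses a reworked variant, while a trait-based generic signature catches it and also flags an advertising script that is obfuscated the same way.

```python
import hashlib
import re

# Traits common to packed script droppers (constructed list, not a vendor's real signature).
TRAITS = {
    "dynamic_eval": re.compile(r"\beval\s*\(|\bnew\s+Function\s*\("),
    "decode_call": re.compile(r"\bunescape\s*\(|String\.fromCharCode\s*\("),
    "dom_write": re.compile(r"document\.write\s*\("),
    "encoded_blob": re.compile(r"(?:%[0-9A-Fa-f]{2}){20,}"),
}
THRESHOLD = 3  # assumed cut-off: how many traits must co-occur


def encode(text):
    """Percent-encode every byte, the way a packer hides a payload string."""
    return "".join("%%%02X" % b for b in text.encode())


# Constructed samples; every payload is a harmless HTML string.
KNOWN_BAD = 'var a=unescape("%s");eval("document.write(a)");' % encode("<b>constructed payload one</b>")
NEW_VARIANT = '/* v2 */ var zq = unescape( "%s" );\neval( "document.write(zq)" );' % encode("<b>constructed payload two</b>")
OBFUSCATED_AD = 'var b=unescape("%s");eval("document.write(b)");' % encode('<img src="banner.png" alt="ad">')
PLAIN_AD = "document.write('<img src=\"banner.png\" alt=\"ad\">');"

EXACT_SIGNATURES = {hashlib.sha256(KNOWN_BAD.encode()).hexdigest()}


def exact_match(script):
    """Exact signature: only a byte-identical copy of a known sample matches."""
    return hashlib.sha256(script.encode()).hexdigest() in EXACT_SIGNATURES


def matched_traits(script):
    """Strip block comments and extra whitespace, then list which traits appear."""
    text = re.sub(r"/\*.*?\*/", " ", script, flags=re.S)
    text = re.sub(r"\s+", " ", text)
    return sorted(name for name, rx in TRAITS.items() if rx.search(text))


def generic_match(script):
    """Generic signature: flag anything that shares enough traits with known samples."""
    return len(matched_traits(script)) >= THRESHOLD


if __name__ == "__main__":
    for name in ("KNOWN_BAD", "NEW_VARIANT", "OBFUSCATED_AD", "PLAIN_AD"):
        s = globals()[name]
        print(name, "exact:", exact_match(s), "generic:", generic_match(s), matched_traits(s))
```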
ESET has received no reports of users who were dissatisfied because an advertisement that was trying to hide what it was doing was not allowed to run. However, the pop-up warning about the threat was a bit disconcerting.
ESET is committed to improving our ability to provide the best proactive protection against new threats. In the rare case that there is a false positive, our researchers are there to quickly resolve the problem, even at midnight on a weekend.
Director of Technical Education
Author ESET Research, ESET