Closed Bug 1116819 Opened 11 years ago Closed 11 years ago

Avast is detecting and reporting Firefox as malware due to Tiles calls

Categories

(Content Services Graveyard :: Tiles, defect)

x86_64
Linux
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gene, Unassigned)

Details

On December 30th Amazon contacted us reporting that they'd received an abuse report from a user that one of the production Cloud Services ec2 instances was serving malware. OpSec, Cloud Services and the Tiles dev team looked into this report and confirmed that the server in question was not and had not been serving malware or been compromised. Joe Stevensen reached out to the user requesting more details so we can better understand what led him to think that our server was hosting malware. Today Amazon contacted us again adding two more abuse reports that they had received and a list of instance IDs associated with the IPs that people were reporting on (you can see the raw content of those reports below in what I sent to Avast). Upon looking at the reports from users it appears that Avast ( avast.com ) is seeing Firefox initiating connections to the Tiles webheads in AWS and heuristically categorizing this as evidence of malware, and then reporting to the user that Firefox is malware.

I've sent the following to Avast through their False Detection Reporting interface : http://www.avast.com/en-us/contact-us.php?subject=VIRUS-FILE

Hi,

I work in the Operations Security team here at Mozilla (makers of the Firefox browser). A new feature we released in Firefox in October in our Firefox 33.1 release ( https://www.mozilla.org/en-US/firefox/33.1/releasenotes/ ) appears to be triggering Avast malware alerts on people's systems for Firefox. We were alerted to this fact from Amazon Web Services which hosts our Tiles Server Side Infrastructure ( https://www.mozilla.org/en-US/firefox/tiles/ ).

Here are the details of the Avast alert that various users are reporting to Amazon :

1. URL: https://54.186.138.97 Infection: URL:Mal Process: Firefox.exe Avast antivirus detected a URL:Mal infection.

2. My virus program, Avast, tells me that one of your IP addresses, 54.186.138.97 is a Mal site and needs to be blocked. You might want to take a look at the site and see if there is anything that should not be there. IP-LOOKUP reports it as ec2-54-186-13-97.us-west-2.compute.amazonaws.com. I assume it's some sort of ad tracking/serving site

3. I'm receiving malware from an IP located on your server: https://54.186.138.97:443/v2/links/view

I'm assuming that these alerts that Avast is creating are due to heuristics seeing Firefox initiating connections to our Tiles backend server (in AWS). What can we do to either get whitelisted or prevent Avast from falsely categorizing Firefox as malware?

Thanks,
Gene Wood
Cloud Security Engineer
Looks like 54.186.138.97 used to be Fyu0qmp.dj128kwy.com which was a suspicious site at one time. Avast is probably using an ip reputation that may be out of date. http://www.urlvoid.com/scan/fyu0qmp.dj128kwy.com/
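The relayed reports above and the stale-IP-reputation explanation suggest a small first triage step for whoever handles the abuse desk; this is an added example, not part of the bug or of Mozilla's tooling. It pulls the IPs, EC2 reverse-DNS names and URL paths out of each report text, checks the IPs against a constructed inventory of owned webhead addresses (placeholder values apart from the one IP the reports name), and flags a reverse-DNS name that decodes to a different address than the report cites, as the second report's does. The function names `triage` and `ec2_hostname_to_ip` are hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed sample input: the three user reports relayed by AWS, as quoted in the bug.
REPORTS = [
    "URL: https://54.186.138.97 Infection: URL:Mal Process: Firefox.exe",
    "Avast tells me that one of your IP addresses, 54.186.138.97 is a Mal site. "
    "IP-LOOKUP reports it as ec2-54-186-13-97.us-west-2.compute.amazonaws.com.",
    "I'm receiving malware from an IP located on your server: "
    "https://54.186.138.97:443/v2/links/view",
]

# Constructed inventory of the webheads' public IPs (placeholder values except the reported one).
OWNED_IPS = {"54.186.138.97", "203.0.113.10"}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EC2_HOST_RE = re.compile(
    r"\bec2-(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.[a-z0-9-]+\.compute\.amazonaws\.com\b")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def valid_ipv4(text):
    try:
        return isinstance(ipaddress.ip_address(text), ipaddress.IPv4Address)
    except ValueError:
        return False


def ec2_hostname_to_ip(host):
    """Decode the address embedded in an EC2 public reverse-DNS name, or None."""
    m = EC2_HOST_RE.search(host)
    return ".".join(m.groups()) if m else None


def triage(report, owned=OWNED_IPS):
    """Extract indicators from one abuse-report text and compare them with our inventory."""
    cited = {ip for ip in IPV4_RE.findall(report) if valid_ipv4(ip)}
    decoded = {".".join(g) for g in EC2_HOST_RE.findall(report)}
    paths = {urlparse(u).path for u in URL_RE.findall(report)} - {"", "/"}
    return {
        "ips": sorted(cited),
        "owned": sorted(cited & owned),          # confirms the complaint concerns our hosts
        "not_ours": sorted(cited - owned),       # anything here is not our problem to fix
        "hostname_mismatch": sorted(decoded - cited),  # reverse-DNS name disagrees with the IP
        "paths": sorted(paths),                  # endpoint the user saw, e.g. the Tiles API
    }


if __name__ == "__main__":
    for r in REPORTS:
        print(triage(r))
```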
Here's the virus total report for that url: https://www.virustotal.com/en/url/2474c314a679f8d5cf35c16063985600d4734e48341b40246d04226fb066f64d/analysis/ Not listed as suspicious, but voted down by a couple folks.
I've replied to AWS letting them know that the Tiles webheads are not hosting malware and that we're working with Avast. Here's what I sent :

Hi EC2 Abuse team,

Thank you for the new details today. This additional information gives us a better idea of what's going on. I can confirm that these reports are due to false-positives being reported to users by their Avast antivirus software. There is no malware being hosted on the ec2 instances you've called out, instead what's happening is that Avast is categorizing Firefox as malware because it's initiating connections to these ec2 instances. I've contacted Avast to get this resolved and you can see details about this here : https://bugzilla.mozilla.org/show_bug.cgi?id=1116819

Please continue to send any abuse reports you get like this to us so we can pass the information along to Avast.

Thanks,
Gene Wood
Cloud Security Engineer
Avast responded with : "Hello, this IP detection was already turned off yesterday. Can you try to update your VPS and try it again? Regards, Jan Sirmer" and I replied with : "Thanks for the reply Jim. I'm not sure I understand what you mean. When you say "this IP detection was already turned off yesterday" do you mean that the IP address of our backend servers were whitelisted yesterday? If so can you tell me the IPs that were whitelisted? As our service is hosted in Amazon's cloud the IP addresses associated with the service will change over time so I'm not sure if whitelisting the IPs will be a workable approach. When you say "Can you try to update your VPS and try it again?" what do you mean? I'm assuming by VPS you mean the Amazon ec2 instances that we use to run the Tiles service. What do you mean by "update" them? Feel free to give me a call (as it's probably easier/faster than email) : 415-xxx-xxxx"
Not having heard a reply I emailed avast again with my questions.
Avast has reported this morning that the cause of this was that the IP address of the tiles server in AWS was previously owned by someone distributing malware. Avast has since removed that IP from their blacklist and all should be good now. Avast writes :

Hello Gene,

Thank you for contacting AVAST Software s.r.o. with your concerns and sorry for the delayed response. Detection of 54.186.138.97 has been disabled. This IP was blocked because it hosted malicious content, and was acquired by Amazon only recently. Shortly after we spotted the change of owner, the IP was unblocked. 'VPS' stands for Avast Virus Definitions update. If you have any further questions, don't hesitate to contact me again.

Best regards,
Prokop Kalivoda
Avast Technical Support Specialist
I've emailed AWS abuse and closed out the issue. I wrote :

Hi EC2 Abuse team,

After working with Avast we determined the cause of the problem. They had blacklisted your (AWS) IP because the previous user of that IP had been serving malware from it. They've since removed that IP from their list and users should no longer be seeing their Avast installations reporting that our servers are serving malware. You can see Avast's response here : https://bugzilla.mozilla.org/show_bug.cgi?id=1116819#c6

You can close/resolve this issue now.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED