Faulty NOD32 virus signature triggers alarm when visiting web

A faulty virus signature (2365) has been causing confusion among users of anti-virus software NOD32 when visiting web pages. The anti-virus software springs into action when faced with a banner served by serving-sys.com, reporting the trojan Tivso.14a.gen in the eBannerMain_62_36.js script. In addition to Pc World, Yahoo and many other web pages, heise.de was also affected. The script, erroneously categorised by the scanner as dangerous, was embedded in some news items. Manual analysis failed to turn up any grounds for suspicion.

The software no longer triggers an alarm when the signature is updated to version 2366. ESET have explained that this false positive (and another subsequently detected by their labs - JS/Tivso.13a.gen) resulted from a combination of use by them of a generic signature and obfuscation techniques used by banner ad servers. Generic signatures are used by anti-virus vendors to cover malware that is presented in numerous trivially different obfuscated variants to try and escape the net: the signature concentrates on the common features of the set. Unfortunately some banner ad servers also obfuscate their scripts (possibly for proprietary reasons) and in this case the resulting code had sufficient properties in common with the ESET generic signature to trigger the alert. This is far from an unknown phenomenon, however ESET comment "This type of problem is only found on web pages where someone wishes to cause your browser to run code without you being aware of what they are doing, or able to easily find out what is happening." Makes one think twice about banner ads.

(mba)