
October 25th, 2013

Users who wanted to access a website that Google flagged as suspicious were unpleasantly surprised today. Google flagged the website as suspicious, and users of the Google Chrome and Mozilla Firefox browsers saw a security warning when they tried to visit it.


According to the Google diagnostic page, suspicious content was found on the site on October 23rd, 2013. Three domains were mentioned (owned by the same GoDaddy account), which were said to distribute malware to visitors of the site.


Was it a false positive, as regular visitors of the site suggested in many online discussions?

After connecting to the domain, the browser loads a few CSS files and userprefs.js from


It turned out that the JavaScript file userprefs.js had caused the problem. As you can see in the following log, the size of the file changed from 2602 bytes to 5821 bytes and then to 1279 bytes within 25 hours. That is quite suspicious behavior. The 2602-byte version was the original file with a search completion function. The 1279-byte version is the updated file, with the search completion function removed, that appeared while the problem was being resolved. The 5821-byte version was the suspicious file that contained obfuscated code:



After deobfuscating we get


The obfuscated code inserted an iframe with a link to a domain that is suspicious and blacklisted by Google Safe Browsing. The iframe was probably the reason why the website was flagged as suspicious. As I mentioned above, userprefs.js has been replaced with a version without the obfuscated code, and the website is no longer blacklisted.
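The size changes described above are the kind of signal a change monitor on a static script would catch. The following Python sketch is an added example, not code from the original post: it compares successive fetches of a script by SHA-256 and reports heuristic tokens that newly appear. The sample bodies, fetch hours and indicator list are constructed for illustration; only the three file sizes come from the post.

```python
import hashlib
import re

# Heuristic tokens for script-built markup or code; chosen for this example.
INDICATORS = {
    "eval": re.compile(r"\beval\s*\("),
    "fromCharCode": re.compile(r"String\.fromCharCode"),
    "document.write": re.compile(r"document\.write\s*\("),
    "iframe": re.compile(r"iframe", re.I),
}

def pad(core, size):
    """Pad constructed sample JS with a trailing comment to an exact byte size."""
    filler = size - len(core) - 4          # 4 bytes for "/*" and "*/"
    if filler < 0:
        raise ValueError("core is larger than the requested size")
    return (core + "/*" + "x" * filler + "*/").encode("ascii")

def hits(body):
    """Names of the indicator patterns that match this script body."""
    text = body.decode("utf-8", "replace")
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def review(fetches):
    """fetches: [(hour, body)], first entry is the trusted baseline.
    Returns one finding per fetch whose SHA-256 differs from the previous fetch."""
    findings = []
    (_, prev), rest = fetches[0], fetches[1:]
    for hour, body in rest:
        if hashlib.sha256(body).digest() != hashlib.sha256(prev).digest():
            new = sorted(hits(body) - hits(prev))
            findings.append({
                "hour": hour,
                "size": (len(prev), len(body)),
                "new_indicators": new,
                "severity": "high" if new else "review",
            })
        prev = body
    return findings

# Constructed samples: sizes are the ones in the post, contents and the
# intermediate fetch hours are made up; the "injected" body is inert.
ORIGINAL = pad("function searchComplete(q){return q;}", 2602)
INJECTED = pad("function searchComplete(q){return q;}eval(String.fromCharCode());", 5821)
CLEANED = pad("function userPrefs(){}", 1279)
FETCHES = [(0, ORIGINAL), (6, ORIGINAL), (12, INJECTED), (25, CLEANED)]

if __name__ == "__main__":
    for finding in review(FETCHES):
        print(finding)
```

A change with no new indicators, such as the cleaned 1279-byte version, is still reported for review, because any unannounced change to a served script deserves a look.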
