Author Topic: Blacklisted and without content?


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Blacklisted and without content?
« on: December 06, 2014, 06:31:12 PM »
See: http://killmalware.com/requiredfix.com/  &  http://urlquery.net/report.php?id=1417886281004
IDS alerts for other domains on IP: http://urlquery.net/report.php?id=1417539241245
System Details:
Running on: nginx/1.2.1
Powered by: PHP/5.4.4-14+deb7u14
Outdated Web Server Nginx Found: nginx/1.2.1
See blacklist info - Google Safebrowsing blocks phishing: http://www.isithacked.com/check/http%3A%2F%2Frequiredfix.com%2Fhome.php
What is out on IP: http://www.robtex.net/en/advisory/ip/198/7/56/114/ -> Hosts found sending virus mails; Hosts found sending phishing mails; Hosts found sending mail containing spam images; Hosts are added by our bots as users connect with hacked boxes and open proxies;
Illegal 3rd party exploits, including proxies, worms and trojan exploits 
What is out on the AS: http://support.clean-mx.de/clean-mx/viruses.php?as=AS30633&response= (all dead)

Now the source code  :o
Code:
<!DOCTYPE html>
<html lang="en">

<head>
    <meta charset="utf-8">
    <title>Update - Free Software Downloads</title>
</head>
<body>
Sorry, something went wrong!
</body>
</html>
See: http://www.site-scan.com/eng/show_headers.php?REQUEST=GET&URL=http://requiredfix.com/home.php&MODIFIED=0
HEAD /home.php&MODIFIED=0 HTTP/1.0
Accept: */*
User-Agent: WebBug/5.0 -> HTTP/1.1 404 Not Found
else
HTTP/1.1 200 OK
Server: nginx/1.2.1
Date: Sat, 06 Dec 2014 17:30:32 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.4.4-14+deb7u14
Set-Cookie: isp=Wanadoo+Nederland+BV; expires=Sun, 07-Dec-2014 17:30:32 GMT; path=/
Set-Cookie: country=NL; expires=Sun, 07-Dec-2014 17:30:32 GMT; path=/

pol
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
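The response lines quoted above carry the two things a reviewer would want to check mechanically: a HEAD that gets a bare 404 while a GET gets 200, and a GET whose headers expose exact server and PHP versions and set visitor-profiling cookies on the very first hit. The script below is an added example (not polonus's code and not any of the linked scanners); the two responses are reconstructed from the header lines in the post, the PROFILING_COOKIES list is an assumption, and nothing is fetched from the network.

```python
"""Offline triage of the HEAD-vs-GET responses quoted above.
Added example: the two responses are reconstructed from the header
lines in the post; nothing is fetched from the network."""
import re

# Reconstructed from the post: HEAD got a bare 404, GET got 200 plus headers.
HEAD_RESPONSE = "HTTP/1.1 404 Not Found\r\n\r\n"
GET_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx/1.2.1\r\n"
    "Date: Sat, 06 Dec 2014 17:30:32 GMT\r\n"
    "Content-Type: text/html\r\n"
    "Connection: close\r\n"
    "X-Powered-By: PHP/5.4.4-14+deb7u14\r\n"
    "Set-Cookie: isp=Wanadoo+Nederland+BV; expires=Sun, 07-Dec-2014 17:30:32 GMT; path=/\r\n"
    "Set-Cookie: country=NL; expires=Sun, 07-Dec-2014 17:30:32 GMT; path=/\r\n"
    "\r\n"
)

# Cookie names that profile the visitor (assumed list, not from the page).
PROFILING_COOKIES = {"isp", "country", "geo", "region"}


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, [(name, value), ...]).
    Header names are lower-cased; repeated names such as Set-Cookie are kept."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def triage(head_raw, get_raw):
    """Compare a HEAD and a GET to the same URL and return the findings a
    reviewer would note, as plain strings, in the order they were found."""
    findings = []
    head_status, _ = parse_response(head_raw)
    get_status, headers = parse_response(get_raw)
    if head_status != get_status:
        # A scanner that only sends HEAD sees an empty 404 while a browser
        # gets 200: one way a site can look "without content" to a tool.
        findings.append(f"HEAD/GET status mismatch: HEAD={head_status}, GET={get_status}")
    for name, value in headers:
        if name in ("server", "x-powered-by") and re.search(r"\d+\.\d+", value):
            # The exact version string is what "outdated server" checks key on.
            findings.append(f"version disclosure in {name}: {value}")
        elif name == "set-cookie":
            cookie_name = value.split("=", 1)[0].strip().lower()
            if cookie_name in PROFILING_COOKIES:
                findings.append(f"visitor-profiling cookie '{cookie_name}' set on first hit")
    return findings


if __name__ == "__main__":
    for line in triage(HEAD_RESPONSE, GET_RESPONSE):
        print("-", line)
```

Run as-is it reports the status mismatch, the two version disclosures and the two profiling cookies. Swapping in captures of your own (both responses as raw header text) is the only change needed to reuse it on another site.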

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Blacklisted and without content?
« Reply #1 on: December 06, 2014, 07:02:22 PM »
The IDS alerts on the other domains on that IP are blocked by Google Safe Browsing.

Upon entering the site, it downloads a 10.7 megabyte file (fake Flash Player).

https://www.virustotal.com/en/file/c1af6fe1a6d3dc4aec8e569ebd940beaaf8e7812e24a514a40b4fae93451faf6/analysis/1417888774/

It is interesting to see that nothing detects it. Submitted to Avast! to be analysed.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37529
  • Not a avast user
Re: Blacklisted and without content?
« Reply #2 on: December 06, 2014, 07:10:14 PM »
4 weeks old ..... Maybe this is why

Copyright Adobe® Flash® Player. Copyright © 1996-2014 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Publisher Adobe Systems Incorporated
Product Shockwave Flash
Original name SAFlashPlayer.exe
Internal name Adobe Flash Player 15.0
File version 15,0,0,222
Description Adobe Flash Player 15.0 d0
Signature verification  Signed file, verified signature
Signing date 1:56 AM 10/27/2014
Signers   
  • Adobe Systems Incorporated
  • Symantec Class 3 Extended Validation Code Signing CA
  • VeriSign

Counter signers   
  • Symantec Time Stamping Services Signer - G4
  • Symantec Time Stamping Services CA - G2
  • Thawte Timestamping CA



Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Blacklisted and without content?
« Reply #3 on: December 06, 2014, 07:25:38 PM »
Thanks Michael and Pondus for going over this and for holding the avast detection pulse again on this one...  ;D

VT states it is a probably harmless executable file. The main issue here is the Google Safebrowsing Alert for PHISHING.
Other issues that come through with a download are probably adware-related, see:
http://www.worldguide.pt/clean-mx/viruses.php?email=abuse@leaseweb.us&sort=id%20DESC&response=alive
But again Clean MX says all these alerts for malcode are alive and kicking!

polonus

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Blacklisted and without content?
« Reply #4 on: December 06, 2014, 09:45:14 PM »
4 weeks old ..... Maybe this is why

Copyright Adobe® Flash® Player. Copyright © 1996-2014 Adobe Systems Incorporated. All Rights Reserved. Adobe and Flash are either trademarks or registered trademarks in the United States and/or other countries.
Publisher Adobe Systems Incorporated
Product Shockwave Flash
Original name SAFlashPlayer.exe
Internal name Adobe Flash Player 15.0
File version 15,0,0,222
Description Adobe Flash Player 15.0 d0
Signature verification  Signed file, verified signature
Signing date 1:56 AM 10/27/2014
Signers   
  • Adobe Systems Incorporated
  • Symantec Class 3 Extended Validation Code Signing CA
  • VeriSign

Counter signers   
  • Symantec Time Stamping Services Signer - G4
  • Symantec Time Stamping Services CA - G2
  • Thawte Timestamping CA
Question...

Why would they host a legit Adobe file when Google deemed them a phishing website? I just find that odd.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Blacklisted and without content?
« Reply #5 on: December 06, 2014, 11:06:43 PM »
That nameserver there for requiredfix dot com (198.7.56.114), ns1.reg dot ru, parked/expired,
sure has a bad rep; read: http://blog.sucuri.net/2012/07/new-web-malware-attacks-from-ruin-cgi16.html and
http://blog.sucuri.net/2012/08/very-good-malware-redirection.html
Fraud, spam and a new Zeus Feodo server? http://www.malwareurl.com/ns_listing.php?ns=ns1.reg.ru
and http://www.malwaredomainlist.com/forums/index.php?topic=3618.440;wap2

Google Safebrowsing is not blocking users in Google Chrome and Firefox just for fun; they certainly have a reason there.
But hard to tell what was out there before: http://evuln.com/tools/malware-scanner/requiredfix.com/

pol

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Blacklisted and without content?
« Reply #6 on: December 07, 2014, 01:37:26 AM »
Yeah, I certainly don't trust that file, or those websites. Just my thought though!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Blacklisted and without content?
« Reply #7 on: December 07, 2014, 02:11:41 AM »
Hi Michael,

Good reasoning especially when you have reason for doubt.
Golden rule is "Do not trust a thing, and once bitten means twice shy".
If only the happy clickers on the Internet would realize, we could all sleep a bit easier.

Damian

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Blacklisted and without content?
« Reply #8 on: December 07, 2014, 02:21:05 AM »
Hey Polonus. Do that Magic stuff you do to this website...

hxxp://dtbgswas.flingsecure.c0m

Some *hole is spamming me on skype with it, so I wouldn't trust it!!

Randomest crap ever:
http://i.imgur.com/1p7SeOa.png

(I've edited the photo to take out the names and Skype IDs of the people and me, so they don't get unwillingly spammed, except the idiot who started chatting me).

By the way, in all likelihood, it's a bot.

Notes: If you catch any names except super.juicy1, please let me know ASAP in a PM with a location so I can remove it. There are some on there that live out in Australia, and prefer not to be woken at 2AM their time!!

edit: Forgot to break the link!! Sorry!


« Last Edit: December 07, 2014, 11:13:55 PM by Michael (alan1998) »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Blacklisted and without content?
« Reply #9 on: December 07, 2014, 11:21:39 PM »
Hi Michael,

Know that Skype ads have been compromised; block them, and also everything outside of your known contacts.
Well what came up on dtbgswas dot flingsecure dot c0m?
It redirected this time to htxp://secureinvite.com/SexyCrista?utm_source=addon&utm_content=popup
(this scam/fake site comes up via Skype and asks for your credit info)....
Re: bad web rep - https://www.mywot.com/en/scorecard/secureinvite.com?utm_source=addon&utm_content=popup
See the IP badness history: https://www.virustotal.com/nl/ip-address/75.126.100.15/information/
Kazy and Bancos spread from there. -> dtbgswas.flingsecure dot com,75.126.100.15,,Parked/expired,

Bingo the malware and description of it: http://antivirus-alarm.ru/proverka/?url=xg4YEl29.live-invite.com
At the crux of it: api.traffixtrack dot com/splashlog.php?ua=Mozilla%2F4.0+%28compatible%3B+MSIE+5.5%3B+Windows+NT+5.0%29&ip=66.108.//185.88&site=SecureInvite&ref=htxp%3A%2F%2Fhttp%3A%2F%2FwXw.ask.com%2Fweb%3Fq%3Dpuppies&splash=%2FSexyCrista
     info: [img] api.traffixtrack dot com/pixel.php?p=1&a=1-1001118-95 (api.traffixtrack.com get a Trust Score of 0%)

So yes, I think we have stumbled upon something hitherto not detected   :P

First a server redirect: Code: 302,  hxtp://secureinvite.com/sexycrista

Redirect to external server!

iFrame check: Suspicious

/inner_smn.php'
/contents-cc.html'

Javascript Check: Suspicious

<iframe src="/inner_smn.php" scrolling="no" frameborder="0" style="margin:0 0 10px 15px; padding: 0;" height="180" width=

Some conversion hack played out here?

polonus

« Last Edit: December 07, 2014, 11:44:03 PM by polonus »
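The scanner output quoted above reports three things (a 302 to a different host, an "iFrame check", and a splashlog URL that carries the visitor's agent, IP and referer in its query string). The script below reproduces those checks offline with only the Python standard library. It is an added example, not polonus's code and not the scanner's; the HTML, the hostnames (landing.example, tracker.example, secureinvite.example) and the tracker URL are constructed stand-ins modelled on the snippets in the post, and the hidden 1x1 frame is an assumed second sample, not something the post shows.

```python
"""Static checks mirroring the scanner output quoted above: external
redirect, iframe review and what a tracking 'splashlog' URL records.
Added example; all inputs below are constructed stand-ins."""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample page: a frame like the one quoted in the post plus a
# hidden 1x1 off-site frame (a common tracking/redirect pattern; assumed).
SAMPLE_HTML = """
<html><body>
<iframe src="/inner_smn.php" scrolling="no" frameborder="0"
        style="margin:0 0 10px 15px; padding: 0;" height="180" width="300"></iframe>
<iframe src="http://tracker.example/pixel.php?p=1" width="1" height="1"
        style="display:none"></iframe>
</body></html>
"""
LANDING_HOST = "landing.example"   # stand-in for the host that served the page


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            # Attributes without a value come back as None; normalise to "".
            self.frames.append({k: (v or "") for k, v in attrs})


def _dimension(attrs, name):
    """Return an integer width/height attribute, or None if absent/unparsable."""
    try:
        return int(attrs.get(name, "").lower().rstrip("px"))
    except ValueError:
        return None


def review_iframes(html, landing_host):
    """Return [(src, reasons)] for each iframe. Reasons are the cues a human
    reviewer looks for; an empty list means the frame looked ordinary."""
    parser = IframeCollector()
    parser.feed(html)
    results = []
    for a in parser.frames:
        src = a.get("src", "")
        reasons = []
        host = urlparse(src).netloc
        if host and host != landing_host:
            reasons.append("off-site source " + host)
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        w, h = _dimension(a, "width"), _dimension(a, "height")
        if w is not None and h is not None and w * h <= 4:
            reasons.append(f"tiny frame {w}x{h}")
        if a.get("frameborder") == "0" and a.get("scrolling", "").lower() == "no":
            reasons.append("borderless, non-scrolling (blends into the page)")
        results.append((src, reasons))
    return results


def classify_redirect(status, location, landing_host):
    """Describe a server redirect; it is 'external' when Location names
    a different host than the page that issued it."""
    host = urlparse(location).netloc
    return {"status": status, "target_host": host,
            "external": bool(host) and host != landing_host}


def tracker_params(url):
    """Decode the query string of a tracking URL so an analyst can see what
    the redirector logs about the visitor (agent, IP, referer, landing)."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


if __name__ == "__main__":
    for src, reasons in review_iframes(SAMPLE_HTML, LANDING_HOST):
        print(src, "->", reasons or "looks ordinary")
    print(classify_redirect(302, "http://secureinvite.example/sexycrista", LANDING_HOST))
    print(tracker_params("http://tracker.example/splashlog.php?ua=Mozilla%2F4.0"
                         "&ip=203.0.113.7&site=SecureInvite"
                         "&ref=http%3A%2F%2Fsearch.example%2F&splash=%2FSexyCrista"))
```

The frame copied from the post is flagged only for its borderless, non-scrolling styling (the cue that makes a same-site frame blend in), while the constructed off-site 1x1 frame trips three cues at once. Feed review_iframes the saved HTML of a page rather than a live fetch, so a suspect site is never contacted from an analyst's machine.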

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Blacklisted and without content?
« Reply #10 on: December 08, 2014, 12:07:09 AM »
Yeah, this skype bot isn't the only one to have attempted the same trick on me.

Previously this year someone tried the same thing. Same Fling thing, just slightly different. It has been blocked on Skype and reported as spam to Skype for investigation and possible banning (if that's even possible).

Not surprising about the CC info they were looking for at all. Thankfully, at 16, I'm not permitted to own a credit card; even if I was, I dare not use it on some stupid site like that (or any other porn one for that matter).

Btw, that Antivirus-Alarm.ru site link is in Russian I think, and I cannot read it!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Blacklisted and without content?
« Reply #11 on: December 08, 2014, 12:23:19 AM »
The English translation is here: https://translate.google.nl/translate?sl=ru&tl=en&js=y&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Fantivirus-alarm.ru%2Fproverka%2F%3Furl%3Dxg4YEl29.live-invite.com&edit-text=
The title is that you fell victim to a robot and that is why no virus has been detected.
Type of test: complete (antivirus-alarm + global anti-virus databases)

List of files scanned:

1. htxp://translate.google.com/translate_a/element.js?cb=googleTranslateElementInit, type: javascript

2. htxp://xg4YEl29.live-invite.com/contents-cc.html, type: iframe html

3. htxp://xg4YEl29.live-invite.com, type: html

4. htxp://xg4YEl29.live-invite.com/js/citycrush/nwmatcher-1.2.5.js, type: javascript

5. htxp://xg4YEl29.live-invite.com/js/citycrush/selectivizr.js, type: javascript

6. htxp://xg4YEl29.live-invite.com/js/citycrush/html5.js, type: javascript

7. htxp://xg4YEl29.live-invite.com/js/citycrush/css3-mediaqueries.js, type: javascript

8. htxp://xg4YEl29.live-invite.com/js/newcrush/jquery-1.js, type: javascript

9. htxp://xg4YEl29.live-invite.com/js/citycrush/jquery.js, type: javascript

10. htxp://xg4YEl29.live-invite.com/js/citycrush/jquery_002.js, type: javascript

11. htxp://xg4YEl29.live-invite.com/js/newcrush/scrollto.js, type: javascript

12. htxp://xg4YEl29.live-invite.com/js/citycrush/default.js, type: javascript

Thanks again, Michael, for finding this one and reporting it to the support forums.
It was quite interesting for me to be able to dissect this robotic Skype-driven threat.
Be aware of what ill/evil/fake and scam bot you communicate with,
else "sexy what's her name" is gonna ask for your credit card again ;D

Damian

Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Blacklisted and without content?
« Reply #12 on: December 08, 2014, 01:25:53 AM »
You're quite welcome :-)