Author Topic: Malicious website or false positive?  (Read 5362 times)


Offline mbd35

  • Jr. Member
  • **
  • Posts: 62
Malicious website or false positive?
« on: September 09, 2011, 06:10:19 PM »
I stumbled upon this while clicking on chihuahua pictures in Google image search. Avast web shield says that it is a virus.

ht tp://kickboxteam-freiburg.de
« Last Edit: September 09, 2011, 07:01:46 PM by mbd35 »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33900
  • malware fighter
Re: Malicious website or false positive?
« Reply #1 on: September 09, 2011, 08:06:11 PM »
Hi mbd35,

The malware must somehow be at the Google image search site,
because the site you mention in your posting is not infected
as far as I can establish so far; maybe someone has some new facts:

Sucuri results:
web site:    -kickboxteam-freiburg.de
status:            Verified Clean
web trust:      Not Blacklisted
http://www.virustotal.com/url-scan/report.html?id=fadede2fc2be171de08449b3a1b0110c-1315578883
http://urlquery.net/report.php?id=2736
http://siteinspector.comodo.com/public/reports/323362
http://www.unmaskparasites.com/web-page-options/?url=http%3A//kickboxteam-freiburg.de
http://wepawet.iseclab.org/view.php?hash=7529822027af4bb96cacb8127eec1771&t=1315591023&type=js
http://www.virustotal.com/file-scan/report.html?id=fa0a3551d0acf485126b680f3680e40cc8482dec40e0cf4dca3f332edd71c223-1315590989

On the other hand the hosting site could have been compromised with Trojan-PSW.Win32.Kates.
We have found one hundred active domains residing on 81.169.145.72 w08 dot rzone dot de.
Blacklisted URLs: 394, see: http://sitevet.com/db/asn/AS6724

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline mbd35

Re: Malicious website or false positive?
« Reply #2 on: September 09, 2011, 08:40:49 PM »
Interesting.

The site seems to redirect to another site that does have the virus. When I load the url in Firefox, it takes me to here: ht tp://nxuyeattention.info/main.php?page=e4a6f1dda2879502

And I get a "Malicious Url Blocked" popup from Avast.
« Last Edit: September 09, 2011, 08:49:56 PM by mbd35 »

Offline polonus

Re: Malicious website or false positive?
« Reply #3 on: September 09, 2011, 10:48:53 PM »
DrWeb URL checker finds it:

Checking: -http://nxuyeattention.info/main.php?page=e4a6f1dda2879502
Engine version: 5.0.2.3300
Total virus-finding records: 2570426
File size: 174.99 KB
File MD5: f794caa51589c231fa7e2c435c309e2c

-http://nxuyeattention.info/main.php?page=e4a6f1dda2879502 - archive HTML
>-http://nxuyeattention.info/main.php?page=e4a6f1dda2879502/Script.0 infected with Exploit.JavaScript.160 which avast also finds as JS:Downloader-AYC [Trj]
as is being demonstrated here: http://www.virustotal.com/url-scan/report.html?id=9443edbad713ad3c844cf92e6c680435-1315593644
&
http://www.virustotal.com/file-scan/report.html?id=ddb847dcf5788bc748ec30b1ecde3d46556d2f4a073fa285f29460db3434ef1e-1315600848

Good analysis mbd35, so your find is confirmed,

polonus



Offline mbd35

Re: Malicious website or false positive?
« Reply #4 on: September 09, 2011, 11:10:43 PM »
That's unfortunate that searching something as innocuous as chihuahua photos on Google can give you a virus. People need good protection these days. Thanks, Avast.

Offline polonus

Re: Malicious website or false positive?
« Reply #5 on: September 09, 2011, 11:47:02 PM »
Hi mbd35,

Yes, thousands of hacked sites have poisoned Google's image search results,
so scan every image link before you decide to click and download.

When one has WOT installed, that helps; be guided by the green results.
DrWeb's URL checker can also guide, for example:
 -http://www.google.nl/imgres?q=image+result& etc. etc and redirects to
 -http://www.google.com/imghp

Checking: -http://www.google.com/imghp
Engine version: 5.0.2.3300
Total virus-finding records: 2570561
File size: 13.66 KB
File MD5: ea0242c1558147d986d840f6fc19ef99

-http://www.google.com/imghp - archive HTML
>-http://www.google.com/imghp/Script.0 - Ok
>-http://www.google.com/imghp/Script.1 - Ok
>-http://www.google.com/imghp/Script.2 - Ok
>-http://www.google.com/imghp/Script.3 - Ok
>-http://www.google.com/imghp/Script.4 - Ok
>-http://www.google.com/imghp/Script.5 - Ok
-http://www.google.com/imghp - Ok

Furthermore you have the protection of the avast shields and they are really good here.
But an ounce of precaution taken outweighs ever so many pounds of cleansing afterwards,

polonus

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89057
  • No support PMs thanks
Re: Malicious website or false positive?
« Reply #6 on: September 10, 2011, 12:02:31 AM »
Google images are seeded with lots of crafted URLs that end up taking you to a site which has been hacked and could redirect you to a malicious site (as in this case). Google were meant to be rooting out these bad links, but it doesn't appear that they have had a lot of success; given the size of the Google image database, this certainly can't be an easy thing.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Malicious website or false positive?
« Reply #7 on: September 10, 2011, 12:12:25 AM »
Hi DavidR,

That is why this user was saved by the avast Web Shield. The importance of the avast shields here cannot be emphasized enough,

polonus

Online DavidR

Re: Malicious website or false positive?
« Reply #8 on: September 10, 2011, 12:16:27 AM »
Yes, the web shield is probably the most effective of all the shields, certainly for this, and the network shield is also helpful if the malicious sites are also on its list.

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76037
    • >>>  Avast Forum - German-language section  <<<
Re: Malicious website or false positive?
« Reply #9 on: September 10, 2011, 12:19:55 AM »
That is why this user was saved by the avast Web Shield. The importance of the avast shields here cannot be emphasized enough,
polonus

+1
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast essentials (downloads, guides & info): https://forum.avast.com/index.php?topic=60523.0