Topic: Is this site secure?


polonus
Is this site secure?
« on: October 28, 2012, 04:13:22 PM »
See (Live Badmaleweb entry): 653077  2012-10-27  bit dot ly  69.58.188.39  69.58.188.40  30060  30060  htxp://bit.ly/OtoduX
The location line in the header above has redirected the request to: htxp://www.socialsportnews.com/videoofday.php
Blacklisted here: http://www.siteadvisor.com/sites/socialsportnews.com
http://urlquery.net/report.php?id=260144  See IDS alert
OpenX ad server installed: htxp://banners.adcontrol.com/openx/www/delivery/
see: http://www.mywot.com/en/scorecard/banners.adcontrol.com

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

!Donovan
Re: Is this site secure?
« Reply #1 on: October 28, 2012, 04:59:30 PM »
Hi Polonus,

I'd assume infected, given the domain map here: http://urlquery.net/domainmap.php?id=260144

The OpenX code calls loadus.exelator; note the "exe", which I find suspicious.

Also see this: http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/what-is-loadusexelerator/2ee9a0c3-985f-e011-8dfc-68b599b31bf5

And this: http://support.clean-mx.de/clean-mx/view_evidence?e=old&id=1106549&table=viruses
A malware sample found on the site last year.
Notice the hidden image and the hidden iframe to hXtp://loadus.exelator.com/load/net.php?n=PGltZ....
The VirusTotal results returned nothing: https://www.virustotal.com/file/587b9b7abea55021e2d704bb23af4840b6bb00d9f3caa43c50dba22471bdfa38/analysis/
Note, however, that these results are from last year.

There is also a hidden iframe on the site that leads to hXtp://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1
Then another that leads to "hXtp://cdn.turn.com/server/ddc.htm?uid=3551504531481064966&mktid=67&mpid=&fpid=-1&rnd=7010269045301605894&nu=y&sp=n&ctid=1"
There is also a mention of a hidden div with the id cw_td_8120488.
Potential malware was found at hXtp://s0.2mdn.net/1384245, which is also the host of the SWF file and most likely what triggered the "FILEMAGIC Macromedia Flash data (compressed)" finding on urlQuery.
Resource: http://wepawet.iseclab.org/view.php?hash=7b59c153a4aa915ef74cf1190a3c8d39&t=1351438980&type=js

So, in summary, this site is blacklisted for a reason.

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

polonus
Re: Is this site secure?
« Reply #2 on: October 28, 2012, 09:47:07 PM »
Hi !Donovan,

Thank you for your analysis and report of this drive-by malware.
This is an interesting write up on loadus.exelator: http://www.techrepublic.com/blog/security/uncloaking-invisible-iframes/8282  by author Michael Kassner.
Summa summarum: there is no malware within the iframe itself, just a link to another site that will attempt the exploit. Additionally, know that the NoScript extension in fx (Firefox) protects us against such drive-by Java malcode.
This creates errors from the Java Runtime Environment, such as:
#
#  EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7768de2d, pid=6960, tid=5736
#
So, another reason to keep Java fully updated, or run it on demand, or de-activate it in the browser, or even uninstall it (the last piece of advice is not officially supported by avast, but some feel that way).

polonus
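Both posts above turn on the same indicator: iframes, images and divs that are present in the page but hidden (display:none, zero or 1x1 size, off-screen), loading a third-party URL whose query string carries an encoded parameter (the `n=PGltZ...` value quoted by !Donovan has the shape of base64; `PGlt` decodes to `<im`, the start of an `<img` tag). The script below is an added example, not code from the thread or from urlQuery, Wepawet or NoScript: it walks an HTML document with the standard-library parser, flags hidden iframe/img/div tags with the reason each was flagged, and decodes any query parameter that looks like base64, tolerating a truncated value by decoding only its complete 4-character groups. The sample page, the payload and every URL except the loadus.exelator.com hostname and the div id cw_td_8120488 (both taken from the thread) are constructed for the example.

```python
"""Flag hidden iframes, images and divs in an HTML page and decode
base64-looking query parameters on the URLs they load.

Added example for this thread, not code from the forum posts or from any of
the tools mentioned (urlQuery, Wepawet, NoScript). The sample page below is
constructed: the loadus.exelator.com hostname and the div id cw_td_8120488
come from the thread; every other URL, value and the payload are made up.
"""
import base64
import binascii
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, quote, urlparse

# A tag counts as hidden when its inline style hides it, when it is pushed
# far off-screen, when it carries the `hidden` attribute, or when its box is
# at most 1x1 px (the classic tracking-pixel / invisible-iframe shape).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.I,
)
# Standard base64 alphabet, at least 4 chars, optional padding.
_B64 = re.compile(r"^[A-Za-z0-9+/]{4,}={0,2}$")


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (pixels)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


def decode_b64_params(url):
    """Map query parameters whose value looks like base64 to the decoded text.

    Only complete 4-char groups are decoded, so a truncated value such as the
    thread's `n=PGltZ...` yields its decodable prefix ("<im") rather than an
    error. Values that do not decode to printable ASCII are skipped.
    """
    out = {}
    if not url:
        return out
    for key, values in parse_qs(urlparse(url).query).items():
        for v in values:
            v = v.rstrip(".")  # tolerate a trailing "..." from a quoted report
            if not _B64.match(v):
                continue
            body = v[: len(v) // 4 * 4]
            try:
                raw = base64.b64decode(body, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and all(32 <= b < 127 or b in (9, 10, 13) for b in raw):
                out[key] = raw.decode("ascii")
    return out


class HiddenElementFinder(HTMLParser):
    """Collect iframe/img/div start tags that look hidden."""

    TAGS = {"iframe", "img", "div"}

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.TAGS:
            return
        a = dict(attrs)
        reasons = []
        if _HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("style")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("zero-size")
        if "hidden" in a:
            reasons.append("hidden-attr")
        if reasons:
            self.findings.append({
                "tag": tag,
                "id": a.get("id"),
                "src": a.get("src"),
                "reasons": reasons,
                "decoded": decode_b64_params(a.get("src")),
            })


def scan(html):
    """Return the list of hidden-element findings for an HTML document."""
    parser = HiddenElementFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not the real socialsportnews.com markup).
_PAYLOAD = b'<img src="http://example.invalid/x">'
SAMPLE_HTML = f"""<html><body>
<p>Video of the day</p>
<iframe src="http://loadus.exelator.com/load/net.php?n={quote(base64.b64encode(_PAYLOAD).decode(), safe='')}"
        style="display:none" width="0" height="0"></iframe>
<img src="http://example.invalid/pixel.gif" width="1" height="1">
<div id="cw_td_8120488" style="visibility:hidden">tracker</div>
<iframe src="http://example.invalid/player" width="300" height="200"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f["tag"], f["id"] or "-", f["reasons"], f["src"], f["decoded"])
```

Run it on a page saved with `curl -s` from an isolated VM (as polonus's signature recommends) rather than from a browser; the script never fetches anything itself, it only reads markup, so the decoded `n=` text is evidence of what the hidden frame would inject, not a visit to the site. Numeric-looking values such as the `uid=` on the cdn.turn.com URL pass the base64 shape test but decode to non-printable bytes and are dropped, which keeps tracking identifiers from showing up as false positives.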