Avast WEBforum
Other => Viruses and worms => Topic started by: polonus on December 02, 2011, 03:21:30 PM
-
Hi forum friends,
See: http://www.virustotal.com/url-scan/report.html?id=84682f626881a46754421a2ab5eadcbc-1322830522
See: http://www.virustotal.com/file-scan/report.html?id=d521721cdf6dfcf6c5af0bf883546f20c4a6b2fffa43bff9611a98a12482b144-1322834317
Also see: http://urlquery.net/report.php?id=10246
Is this malware or a PUA FP?
Suspicious is: -raoban123.com/modules/superfishmenu/tmpl/js/jquery.js suspicious
[suspicious:2] (ipaddr:123.30.181.45) (script) -raoban123.com/modules/superfishmenu/tmpl/js/jquery.js
status: (referer=-raoban123.com/)saved 55774 bytes 1be9c3684054001f53fa7ff6d85ec3cb573a9cd2
info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
This from there seems now to lead nowhere: -vnpokers.net/ benign
[nothing detected] (iframe) -vnpokers.net/
status: (referer=-raoban123.com/)failure: <urlopen error [Errno -3] Temporary failure in name resolution>
This might have been flagged as a heuristic find of HTML-Iframe earlier, but the domain does not exist or is inaccessible (-vnpokers dot net),
polonus
-
Sucuri says infected: http://sucuri.net/malware/malware-entry-mwiframehd202
Wepawet
http://wepawet.iseclab.org/view.php?hash=84682f626881a46754421a2ab5eadcbc&t=1322838875&type=js
-
Hi Pondus,
I agree with you, but the redirect is dead now. Try and check if -vnpokers.net is up.
So I agree with you and Sucuri that the site is still vulnerable to that malware attack, but it is not actually infecting. Can you confirm that? Sucuri should cleanse out their daily dirt, and this seems to be part of it; a malware redirect that is dead and no longer up is water under the bridge,
polonus
-
The fact that the remote source isn't active is no guarantee that it won't become active. The simple insertion of the iframe is the infection/exploit, not the payload at the remote source.
That is why in the past all I do is confirm that the hack/exploit is in place (so the alert on that site by avast is correct and has to be addressed by them) and don't care what payload is present (or not) at the remote location.
If the vnpokers domain is in the network shield malicious sites list, that too should alert, over and above the possibility that the web shield alerts on the inserted iframe. The actual payload isn't analysed; I think there is something about this for avast7, that this remote payload would be checked.
How this will be done is the thing, possibly via the cloud to pass the link to the remote source for analysis, as this is likely to improve detection on the remote content, should it ever arrive on your system. Since much of this is likely to be driveby/rogue security stuff that is ever changing, this should improve detections in this category of malware.
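As an added illustration of the point above (this is not code from the thread, from avast or from Sucuri), a small Python check that flags an injected iframe by its own properties, hidden and pointing off-site, without ever contacting the remote host, so a dead redirect target like the one discussed is still reported. The page URL, host names and sample HTML are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeAuditor(HTMLParser):
    """Collect <iframe> tags that are hidden AND point at another host; only
    the markup is inspected, so a dead or unresolvable target is still reported."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = (urlparse(src).hostname or self.page_host).lower()  # relative = same host
        if host != self.page_host and self._is_hidden(a):
            self.findings.append({"src": src, "line": self.getpos()[0]})

    @staticmethod
    def _is_hidden(a):
        zero = lambda v: v.strip().lower().rstrip("px") == "0"  # width="0" / "0px"
        style = a.get("style", "").replace(" ", "").lower()
        # width:0 / width:0px as a whole CSS declaration (not min-width:0)
        szero = lambda p: re.search(rf"(^|;){p}:0(px|%|em)?(;|$)", style) is not None
        return ((zero(a.get("width", "")) and zero(a.get("height", "")))
                or "display:none" in style or "visibility:hidden" in style
                or (szero("width") and szero("height")))


def audit_html(page_url, html):
    """Return hidden off-site iframes in html as {src, line} dicts."""
    auditor = IframeAuditor(urlparse(page_url).hostname)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample page: a same-site frame, a visible off-site embed and
# two injected hidden frames (lines 4 and 7), the pattern Sucuri reports.
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<iframe src="/cart/summary" width="300" height="200"></iframe>
<iframe src="http://dead-redirect.invalid/" width="0" height="0"></iframe>
<script src="/modules/superfishmenu/tmpl/js/jquery.js"></script>
<iframe src="https://video.invalid/embed/123" width="560" height="315"></iframe>
<iframe src="http://other.invalid/x" style="position:absolute; display:none"></iframe>
</body></html>"""
```

Running `audit_html("http://shop.example/index.php", SAMPLE_HTML)` returns the two hidden off-site frames on lines 4 and 7 and ignores the visible embed and the same-site frame.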
-
Hi DavidR,
Agree that a site that has been compromised in this way is suspicious and could become malicious again through re-infection, or through the same or other malcreants. So the first priority is to flag it; the Mal_Hifrm should be removed and the software exploit through which the malware could be installed should be patched.
So you agree that a site being flagged for a redirect to malware that has been taken down should still be flagged or blacklisted until the suspicious code has been completely removed?
polonus
-
Yes, until that iframe (and/or any other insertions) is removed and the exploit cleared, it is still compromised and at risk of infecting unsuspecting users.
-
Hi forum friends,
See: http://www.virustotal.com/file-scan/report.html?id=fbcf8ae1bc0da7c62f89ecb2091fcb9096c910ca41cb664ab269781ebdd8cdaf-1322953963
Another case of Mal_Hfirm and consequent defacement of -http://www.cheviva.com/index.php
Sucuri gives: =http://www.cheviva.com/index.php
status: Site infected with malware
web trust: Not Blacklisted
Malware found in the URL:
-http://www.cheviva.com/index.php
Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01
^html^h1^Hacked by linuXploit_crew ..code removed (pol) ^/iframe 0 0 0
Malware found in the URL:
-http://www.cheviva.com/index.php/404testpage4525d2fdc
polonus