Author Topic: Site has Mal_Hifrm - does avast detect?

Offline polonus

Site has Mal_Hifrm - does avast detect?
« on: December 02, 2011, 03:21:30 PM »
Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=84682f626881a46754421a2ab5eadcbc-1322830522
See: http://www.virustotal.com/file-scan/report.html?id=d521721cdf6dfcf6c5af0bf883546f20c4a6b2fffa43bff9611a98a12482b144-1322834317
Also see: http://urlquery.net/report.php?id=10246
Is this malware or a PUA FP?
Suspicious is: -raoban123.com/modules/superfishmenu/tmpl/js/jquery.js suspicious
[suspicious:2] (ipaddr:123.30.181.45) (script)  -raoban123.com/modules/superfishmenu/tmpl/js/jquery.js
     status: (referer=-raoban123.com/)saved 55774 bytes 1be9c3684054001f53fa7ff6d85ec3cb573a9cd2
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
The following from there now seems to lead nowhere: -vnpokers.net/ benign
[nothing detected] (iframe) -vnpokers.net/
     status: (referer=-raoban123.com/)failure: <urlopen error [Errno -3] Temporary failure in name resolution>
This might have been flagged as a heuristic find of HTML-Iframe earlier,
but the domain does not exist or is inaccessible (-vnpokers dot net).

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

Re: Site has Mal_Hifrm - does avast detect?
« Reply #1 on: December 02, 2011, 04:12:19 PM »
Sucuri says infected: http://sucuri.net/malware/malware-entry-mwiframehd202


Wepawet
http://wepawet.iseclab.org/view.php?hash=84682f626881a46754421a2ab5eadcbc&t=1322838875&type=js
« Last Edit: December 02, 2011, 04:17:57 PM by Pondus »

Offline polonus

Re: Site has Mal_Hifrm - does avast detect?
« Reply #2 on: December 02, 2011, 04:23:14 PM »
Hi Pondus,

I agree with you, but the redirect is dead now. Try and check if -vnpokers.net is up,
so I agree with you and Sucuri that the site is still vulnerable for that malware attack, but it is not actually infecting. Can you confirm that? Sucuri should cleanse out their daily dirt and this seems to be part of it; a malware redirect that is dead and no longer up is water under the bridge.

polonus


Offline DavidR

Re: Site has Mal_Hifrm - does avast detect?
« Reply #3 on: December 02, 2011, 04:56:00 PM »
The fact that the remote source isn't active is no guarantee that it won't become active. The simple insertion of the iframe is the infection/exploit not the payload at the remote source.

That is why in the past all I do is confirm that the hack/exploit is in place (so the alert on that site by avast is correct and has to be addressed by them) and don't care what payload is present (or not) at the remote location.

If the vnpokers domain is in the network shield malicious sites list that too should alert over and above the possibility the web shield alerts on the inserted iframe. The actual payload isn't analysed, I think there is something about this for avast7 that this remote payload would be checked.

How this will be done is the thing, possibly via cloud to pass link to remote source for analysis as this is likely to improve detection on the remote content, should it ever arrive on your system. Since much of this is likely to be driveby/rogue security stuff that is ever changing, this should improve detections in this category of malware.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
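An added example illustrating DavidR's point above (this is not code from the thread or from any of the tools mentioned): a small scanner that flags injected hidden iframes in a fetched HTML document based on the insertion itself (zero dimensions or a hiding style), without caring whether the remote source still resolves. The sample page and the injected.invalid hostnames are constructed for the demonstration.

```python
"""Flag hidden <iframe> insertions (the Mal_Hifrm pattern) in an HTML page.
The finding is based on the injected tag alone, not on the remote payload."""
from html.parser import HTMLParser

# Inline style fragments that make a frame invisible to the visitor.
HIDDEN_STYLE = ("display:none", "visibility:hidden")


class HiddenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, reason)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        # Zero-sized frames ("iframe 0 0") are the classic hidden injection.
        for dim in ("width", "height"):
            val = a.get(dim, "").strip().lower().rstrip("px")
            if val == "0":
                reasons.append(f"{dim}=0")
        style = a.get("style", "").replace(" ", "").lower()
        if any(h in style for h in HIDDEN_STYLE):
            reasons.append("style hides frame")
        if reasons:
            self.findings.append((a.get("src", "<no src>"), ", ".join(reasons)))


def find_hidden_iframes(html: str):
    """Return [(src, reason), ...] for every iframe that is hidden from view."""
    p = HiddenIframeFinder()
    p.feed(html)
    return p.findings


# Constructed sample page: one legitimate visible iframe plus two injected hidden ones.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>
<h1>Welcome</h1>
<iframe src="http://injected.invalid/" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://injected.invalid/x" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE_HTML):
        print(f"hidden iframe -> {src} ({why})")
```

A hit here means the site is compromised and should be reported to its owner regardless of whether the frame's target currently answers.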

Offline polonus

Re: Site has Mal_Hifrm - does avast detect?
« Reply #4 on: December 02, 2011, 07:51:57 PM »
Hi DavidR,

Agree that a site that has been compromised in this way is suspicious and could become malicious again through re-infection or through the same or other malcreants. So the first priority is to flag it and the Mal_Hifrm should be removed and the software exploit through which the malware could be installed should be patched.
So you agree that a site being flagged for a redirect to malware that has been taken down should still be flagged or blacklisted until the suspicious code has been completely removed?

polonus

Offline DavidR

Re: Site has Mal_Hifrm - does avast detect?
« Reply #5 on: December 02, 2011, 08:14:33 PM »
Yes, until that iframe (and or any other insertions) is removed and the exploit cleared it is still compromised and at risk of infecting unsuspecting users.

Offline polonus

Re: Site has Mal_Hifrm - does avast detect?
« Reply #6 on: December 04, 2011, 12:24:09 AM »
Hi forum friends,

See: http://www.virustotal.com/file-scan/report.html?id=fbcf8ae1bc0da7c62f89ecb2091fcb9096c910ca41cb664ab269781ebdd8cdaf-1322953963

Another case of Mal_Hifrm and consequent defacement of -http://www.cheviva.com/index.php
Sucuri gives for -http://www.cheviva.com/index.php:
status:   Site infected with malware
web trust:     Not Blacklisted

Malware found in the URL:
-http://www.cheviva.com/index.php

Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01

^html^h1^Hacked by linuXploit_crew ..code removed (pol) ^/iframe 0 0 0
Malware found in the URL:
-http://www.cheviva.com/index.php/404testpage4525d2fdc

polonus
« Last Edit: December 04, 2011, 12:26:35 AM by polonus »