Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: REDACTED on March 15, 2016, 10:48:30 AM

Title: Threat Blocked by Avast
Post by: REDACTED on March 15, 2016, 10:48:30 AM
Today I encountered a threat blocked by Avast. I got quite paranoid since I did not open anything except a website called Ink361 that I just used to view an "instagram profile". The threat blocked was a URL from "purehotcompany.xyz", infection: URL:MAL. Might it be a malicious ad that was parked there and was gone afterwards? I refreshed the page for about an hour and nothing else has come up, and I know that Ink361 is a legitimate website.

Any input would be appreciated.

Thanks and Cheers!

Zinedane
Title: Re: Threat Blocked by Avast
Post by: polonus on March 15, 2016, 11:52:55 AM
Avast detects a malicious loader from that IP address and flags this as Win32:Evo-gen [Susp], re: https://www.virustotal.com/nl/ip-address/188.112.149.14/information/
Re: http://urlquery.net/report.php?id=1458038006833 & https://sitecheck.sucuri.net/results/purehotcompany.xyz
and https://www.spamhaus.org/query/domain/purehotcompany.xyz
Do not panic as the detection means a suspicious file only.

polonus
Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 15, 2016, 02:47:25 PM
My question is why there was suddenly a threat block caused by that specific url while I didn't even visit the site..
Title: Re: Threat Blocked by Avast
Post by: Pondus on March 15, 2016, 02:53:14 PM
On Ink361 there are ads, so most likely purehotcompany.xyz belongs to a blacklisted ad URL.

Or it may be, or have been, infected; this is what Sophos says:
"Access to this page is blocked as the threat Mal/HTMLGen-A has been found on this website."

https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458049533/



Title: Re: Threat Blocked by Avast
Post by: Pondus on March 15, 2016, 03:05:28 PM
It seems the IP just contains crap ad/sales websites, as indicated by their names:
https://www.virustotal.com/en/ip-address/213.102.25.54/information/

Click the "more" button under the list(s) for more info.

Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 16, 2016, 12:23:40 AM
Quote
On Ink361 there are ads, so most likely purehotcompany.xyz belongs to a blacklisted ad URL.

Or it may be, or have been, infected; this is what Sophos says:
"Access to this page is blocked as the threat Mal/HTMLGen-A has been found on this website."

https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458049533/

So it's what caused the threat block, correct? That Ink361 had a blacklisted ad URL, or it may have been infected by one at that time?
Title: Re: Threat Blocked by Avast
Post by: polonus on March 16, 2016, 01:25:11 AM
Spamhaus states the site, -purehotcompany.xyz, is listed in the DBL,
so the website was blocked for a reason.

When this threat was blocked by Avast you should be OK, no malcode could have had any effect on your device,
as Avast even prevented your computer from connecting there. Avast has saved your glorious b°h°nd.  ;)

polonus
Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 16, 2016, 01:29:56 AM
Quote
Spamhaus states the site, -purehotcompany.xyz, is listed in the DBL,
so the website was blocked for a reason.

When this threat was blocked by Avast you should be OK, no malcode could have had any effect on your device,
as Avast even prevented your computer from connecting there. Avast has saved your glorious b°h°nd.  ;)

polonus

Yes, and I thank Avast for doing that; however, I'm curious as to what caused it, as I did not visit the said site. Could it have been an ad on Ink361? That's my main question.

Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 17, 2016, 12:43:09 AM
Still boggled, did not quite understand the answers :(
Title: Re: Threat Blocked by Avast
Post by: polonus on March 17, 2016, 12:58:36 AM
In plain words the answer means that when Avast blocks a threat, the malware could not have made contact with your computer,
and that you had a lucky escape. Avast protected you from a malware infection! You are safe and secure!

polonus

The cause is a so-called redirect to a malware website. When you visit site A that has hidden redirect code to a malcoded site B (the site you claimed you never clicked, and you did not, but were brought there by infection), you can get infested. You never willfully clicked that website, but you were directed there through probably hidden, obfuscated malcode. Site A may not be aware that malcreants have added such a malicious hidden redirect to their website, but Avast detected it and made sure you could not go there by blocking it. It is a bit of a sinister story, but malcreants work in such hideous ways to infest the unaware and those without protection from Avast.

Damian
Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 17, 2016, 01:10:18 AM
Now I get it, thank you! :) Would Avast also block infected or blacklisted ads, such as Pondus suggested? :)
Title: Re: Threat Blocked by Avast
Post by: polonus on March 17, 2016, 01:26:40 AM
In quite some instances it does, but I would run no risk whatsoever and install a good adblocker like uBlock in the browser.
With all the malicious adware around you cannot live without a decent adblocker now.
On Android I would surf as a 'two-staged rocket'. First install these two apps: Tap&Trust and AdblockBrowser. Now, when you have entered your search query in the search bar on the smartphone, first click Tap&Trust and then click AdblockBrowser, and your search results will open up without any ads.

polonus
Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 17, 2016, 01:37:59 AM
That's really good to know, especially since I also use search on my mobile! :) Would an ad blocker work with my added extensions, Avast Online Security and my Web of Trust, though? :)

I have already reported the instance to Ink361's support, as I think it might have been a 1/1000 instance of a bad ad, or rather a bad redirect, on their page, since VirusTotal shows nothing wrong/suspicious with their website.
Title: Re: Threat Blocked by Avast
Post by: polonus on March 17, 2016, 01:01:42 PM
Yep it will work.

pol
Title: Re: Threat Blocked by Avast
Post by: Pondus on March 17, 2016, 01:51:58 PM
Quote
since virustotal shows nothing wrong/suspicious with their website.
VirusTotal does not scan websites for infections; it checks the URL against a number of blacklists.

The ad URL purehotcompany.xyz is blacklisted
https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458219315/

It also seems to be taken down > http://www.downforeveryoneorjustme.com/http://purehotcompany.xyz/

To scan a website after a VT scan, click the "additional information" tab and scroll down to the bottom.
Click on the Sucuri or Quttera links for website scanning.

For scanning a website with VT you need to get the HTML code and upload that to VT as a file.
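
The point made in this thread, that a web shield can block a domain the visitor never opened because the visited page pulls it in as an ad frame or redirect, shown as an added example (not code from any poster or from Avast). It lists the third-party hosts a saved HTML file loads automatically and checks them against a local blocklist; the sample page, the host `viewer.example` and the one-entry blocklist are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes the browser fetches on its own, without any click from the user.
AUTO_LOAD = {"script": "src", "iframe": "src", "img": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collect absolute URLs a page loads by itself, including meta refresh."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        attr = AUTO_LOAD.get(tag)
        if attr and a.get(attr):
            self.urls.append(urljoin(self.page_url, a[attr]))
        # <meta http-equiv="refresh" content="0; url=..."> navigates silently
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            _, _, target = (a.get("content") or "").partition("=")
            if target:
                self.urls.append(urljoin(self.page_url, target.strip(" '\"")))

def is_listed(host, blocklist):
    """True if the host or one of its parent domains is on the blocklist."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels) - 1))

def flagged_hosts(html, page_url, blocklist):
    """Return the sorted third-party hosts the page loads that are blocklisted."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlparse(page_url).hostname
    hosts = {urlparse(u).hostname for u in collector.urls}
    return sorted(h for h in hosts if h and h != page_host and is_listed(h, blocklist))

# Constructed sample: a photo-viewer page with one third-party ad frame.
SAMPLE_PAGE_URL = "https://viewer.example/profile"
SAMPLE_HTML = """
<html><head><script src="/static/app.js"></script>
<script src="https://cdn.example.net/lib.js"></script></head>
<body><img src="photo.jpg">
<iframe src="//purehotcompany.xyz/"></iframe></body></html>
"""
BLOCKLIST = {"purehotcompany.xyz"}  # the domain named in the thread

if __name__ == "__main__":
    print(flagged_hosts(SAMPLE_HTML, SAMPLE_PAGE_URL, BLOCKLIST))
```

The visited host never appears in the result; only the embedded third-party host does, which is the host an alert of this kind names.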

Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 18, 2016, 12:37:37 AM
Quote
Yep it will work.

pol

Thank you! Will be doing what you said for more added protection :D
Title: Re: Threat Blocked by Avast
Post by: REDACTED on March 18, 2016, 12:38:48 AM
Quote
since virustotal shows nothing wrong/suspicious with their website.
VirusTotal does not scan websites for infections; it checks the URL against a number of blacklists.

The ad URL purehotcompany.xyz is blacklisted
https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458219315/

It also seems to be taken down > http://www.downforeveryoneorjustme.com/http://purehotcompany.xyz/

To scan a website after a VT scan, click the "additional information" tab and scroll down to the bottom.
Click on the Sucuri or Quttera links for website scanning.

For scanning a website with VT you need to get the HTML code and upload that to VT as a file.

Thank you for the tips and for clarifying my question :) It really helps to know that it was indeed a rogue ad on a legit website and has already been taken down. :)