Avast WEBforum
Other => Viruses and worms => Topic started by: true indian on July 02, 2012, 11:40:11 AM
-
This website is a vector and has a high chance of redirecting to a malicious fake scan URL:
hxxp://gulfoilspillsupport.com/caspharma
It leads to a fake scan URL that is dead at the moment. It is:
hxxp://threatinfectionservent.info/68efd410a6a48b3c/2/
But the vector still tries to redirect to fake AVs on 96.44.181.171.
However, when visiting the first vector URL, the avast Web Shield cleanly blocks the redirector, which is a .css file at gulfoilspillsupport.com/css/Analytical-Testing-Services.css, and flags it as JS:Redirector-WH[Trj],
and prevents any further connections to any fake scan IP. This is accuracy and prevention where it counts! ;)
Both urlquery and zulu stay silent:
http://urlquery.net/report.php?id=80093
http://zulu.zscaler.com/submission/show/4dc65f816b4e443e81755f372577044d-1341222153
-
So since Avast blocks 2-3 urls in that case,we are all protected?
Seems legit.
-
Hi Left123,
avast doesn't block the vector URL [gulfoilspillsupport.com], but it blocks the .css file from the site that is responsible for the fake AV redirection. ;)
So that's a very, very early detection and prevention of the malware. Yes, avast does make an IP block for the fake scan IP, and the .exe fake AV download on the site is also detected. :)
Yep! We are all protected! ;)
-
Hi true indian,
Bitdefender TrafficLight flags the site as unsafe. Also see what WOT has:
http://www.mywot.com/en/scorecard/gulfoilspillsupport.com?utm_source=addon&utm_content=popup-donuts
Site with WordPress backdooring. Blackhole IP & PHP malware IP. Malware,
JS:Trojan.JS.Dropper.D, at this particular site was closed: 2012-07-02 13:42:37
I see: /css/Analytical-Testing-Services.css HTTP/1.1
Host: gulfoilspillsupport dot com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: htxp://gulfoilspillsupport.com/caspharma/
HTTP/1.1 301 Moved Permanently
X-Pingback: htxp://www.gulfoilspillsupport.com/xmlrpc.php (in xmlrpc.php there is the WP vulnerability)
XML-RPC server accepts POST requests only. (vulnerable to creating hacked WordPress backdoors).
Well, urlquery also produces IDS alerts for that site, denoting JavaScript anomalies.
WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation by the xmlrpc.php script. A remote attacker with contributor permissions could exploit this vulnerability to publish posts to the Web site.
Quote taken from "Digging into WP" by article author Jeff Starr.
polonus
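Added example, not part of this thread and not avast's or urlquery's own code: a small offline triage script for the chain polonus's capture shows, namely a stylesheet request on a WordPress site that answers with JavaScript (or with a redirect off the site) plus the "XML-RPC server accepts POST requests only." banner that a GET to xmlrpc.php returns when the endpoint is reachable. The indicator list, the host names (example-wp.invalid, fakescan.invalid) and all four sample responses are constructed assumptions for illustration, not captures from gulfoilspillsupport.com, and the indicator set is a triager's grep list, not the JS:Redirector-WH signature.

```python
"""Offline triage for the chain discussed in this thread: a WordPress site
serves a .css URL whose body is really JavaScript that redirects the
browser to a fake-AV "scan" page.  All sample responses below are
constructed for the example; none are captured from gulfoilspillsupport.com."""
import re
from urllib.parse import urlparse

# Hypothetical indicator set for "JavaScript hiding in a stylesheet".  It is
# not avast's JS:Redirector-WH signature, just what a triager greps for.
JS_INDICATORS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "location_write": re.compile(
        r"(?:window|document|top|self)\.location\s*(?:=|\.(?:href|replace|assign))", re.I),
    "eval": re.compile(r"\beval\s*\(", re.I),
    "unescape": re.compile(r"\bunescape\s*\(", re.I),
    "fromcharcode": re.compile(r"String\.fromCharCode", re.I),
    "hidden_iframe": re.compile(r"<\s*iframe\b[^>]*(?:width|height)\s*=\s*['\"]?0\b", re.I),
}
CSS_RULE = re.compile(r"[^{}<>]+\{[^{}]*\}")   # selector { declarations }


def parse_http_response(raw: str):
    """Split a raw HTTP/1.x response into (status, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def css_redirector_indicators(body: str) -> list:
    """Names of the JS indicators present in a body that was requested as CSS."""
    return [name for name, rx in JS_INDICATORS.items() if rx.search(body)]


def same_site(host: str, location: str) -> bool:
    """True when a Location header stays on the requested host (www. included)."""
    target = urlparse(location).hostname or ""
    return target == host or target.endswith("." + host)


def triage_css_response(raw: str, requested_host: str) -> dict:
    """Decide whether a response to a stylesheet request deserves a closer look."""
    status, headers, body = parse_http_response(raw)
    hits = css_redirector_indicators(body)
    location = headers.get("location")
    off_site = bool(location) and not same_site(requested_host, location)
    return {
        "status": status,
        "content_type": headers.get("content-type", "").split(";")[0].strip().lower(),
        "looks_like_css": bool(CSS_RULE.search(body)) and not hits,
        "js_indicators": hits,
        "redirect_location": location,
        # Script in a stylesheet, or a 3xx that leaves the site, is the
        # behaviour the thread describes; a same-site 301 (www. canonicalising,
        # as in polonus's capture) is normal.
        "suspicious": bool(hits) or (300 <= status < 400 and off_site),
    }


def xmlrpc_reachable(status: int, body: str) -> bool:
    """A plain GET to /xmlrpc.php on WordPress answers 200 with exactly this
    sentence when the endpoint is enabled, which is what polonus quoted."""
    return status == 200 and "XML-RPC server accepts POST requests only." in body


# Constructed samples (not real captures); hosts are reserved .invalid names.
CLEAN_CSS = ("HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n"
             "body{margin:0;font:14px Arial}\n.nav a:hover{color:#c00}\n")
INJECTED_CSS = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/css\r\n\r\n"
    "body{margin:0}\n"
    "<script>document.write(unescape('%3Cscript%3Etop.location.href="
    "\"http://fakescan.invalid/scan/\"%3C/script%3E'));</script>\n"
)
CANONICAL_301 = ("HTTP/1.1 301 Moved Permanently\r\n"
                 "Location: http://www.example-wp.invalid/css/site.css\r\n"
                 "X-Pingback: http://www.example-wp.invalid/xmlrpc.php\r\n\r\n")
OFFSITE_302 = ("HTTP/1.1 302 Found\r\n"
               "Location: http://fakescan.invalid/scan/\r\n\r\n")

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN_CSS), ("injected", INJECTED_CSS),
                       ("canonical-301", CANONICAL_301), ("off-site-302", OFFSITE_302)]:
        print(label, triage_css_response(raw, "example-wp.invalid"))
    print("xmlrpc", xmlrpc_reachable(200, "XML-RPC server accepts POST requests only."))
```

Run it on the saved raw response of a stylesheet fetch (request the exact path the page's HTML references, with the page as Referer, since such redirectors often only fire for a matching Referer and browser User-Agent). A 301 to the www. form of the same host, as in the capture above, is treated as benign; script inside the body, or a redirect that leaves the site, is what gets flagged.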
-
Aahha!! Again, thanks for the detailed explanation, Pol ;)