Avast WEBforum

Other => Viruses and worms => Topic started by: true indian on July 02, 2012, 11:40:11 AM

Title: See how avast! Web shield cleanly prevents us!!
Post by: true indian on July 02, 2012, 11:40:11 AM
This website is a vector and has a high chance of redirecting to a malicious fake scan URL:
hxxp://gulfoilspillsupport.com/caspharma

It leads to a fake scan URL that is dead at the moment. It is:
Hxxp://threatinfectionservent.info/68efd410a6a48b3c/2/

But the vector still tries to redirect to fake AVs on 96.44.181.171

However, when visiting the 1st vector URL, avast web shield cleanly blocks the redirector, which is a .css file on gulfoilspillsupport.com/css/Analytical-Testing-Services.css, and flags it as JS:Redirector-WH[Trj]

and prevents any further connections to any fake scan IP... This is accuracy and prevention where it counts!  ;)

Both urlquery and zulu stay silent:
http://urlquery.net/report.php?id=80093
http://zulu.zscaler.com/submission/show/4dc65f816b4e443e81755f372577044d-1341222153
Title: Re: See how avast! Web shield cleanly prevents us!!
Post by: Left123 on July 02, 2012, 12:39:03 PM
So since Avast blocks 2-3 URLs in that case, we are all protected?
Seems legit.
Title: Re: See how avast! Web shield cleanly prevents us!!
Post by: true indian on July 02, 2012, 12:44:50 PM
So since Avast blocks 2-3 URLs in that case, we are all protected?
Seems legit.

Hi Left123,

avast doesn't block the vector URL [gulfoilspillsupport.com], but it blocks the CSS file from the site that is responsible for the fake AV redirection... ;)

So that's a very, very early detection and prevention of the malware... Yes, avast does make an IP block for the fake scan IP, and the .exe fake AV download on the site is also detected...  :)

Yep! We are all protected! ;)
Title: Re: See how avast! Web shield cleanly prevents us!!
Post by: polonus on July 02, 2012, 07:44:02 PM
Hi true indian,

Bitdefender TrafficLight flags the site as unsafe. Also see what WOT has:
http://www.mywot.com/en/scorecard/gulfoilspillsupport.com?utm_source=addon&utm_content=popup-donuts

Site with WordPress backdooring... Blackhole IP & PHP malware IP. Malware,
JS:Trojan.JS.Dropper.D, at this particular site was closed: 2012-07-02 13:42:37

I see: /css/Analytical-Testing-Services.css HTTP/1.1
Host: gulfoilspillsupport dot com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: htxp://gulfoilspillsupport.com/caspharma/
HTTP/1.1 301 Moved Permanently
X-Pingback: htxp://www.gulfoilspillsupport.com/xmlrpc.php (in xmlrpc.php there is the WP vulnerability)
XML-RPC server accepts POST requests only. (vulnerable to create hacked WordPress backdoors).

Well, urlquery also produces IDS alerts for that site, denoting JavaScript anomalies.
Quote
WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation by the xmlrpc.php script. A remote attacker with contributor permissions could exploit this vulnerability to publish posts to the Web site.
Quote taken from "Digging into WP" by article author Jeff Starr.

polonus
Title: Re: See how avast! Web shield cleanly prevents us!!
Post by: true indian on July 03, 2012, 11:00:38 AM
Aahha!! Again, thanks for the detailed explanation Pol  ;)