Avast WEBforum

Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: 1234ava on July 07, 2015, 08:28:12 PM

Title: What is this?
Post by: 1234ava on July 07, 2015, 08:28:12 PM
I had just typed in www.google.com in Chrome's address bar and opened the Google search page (actually it is redirected to https://www.google.it, but that's fine, as I am in Italy)...
Besides, I was taking a glance at the SimilarWeb Chrome extension I installed recently, https://chrome.google.com/webstore/detail/similarweb-site-traffic-s/hoklmmgfnpapgjgcpechhaamimifchmp (a pop-up showing the ranking of each site and more info)...

Then an Avast "Infection Blocked" window popped up:
Infection Details:
URL: hXXp://69.28.58.10/favicon.ico
[URL broken so as to avoid accidental exposure, like DavidR suggested]
Infection: URL:Mal
Process: C:\Program Files (x86)\Google\Chrome\Application\chrome.exe

An IP lookup says that 69. 28. 58. 10 belongs to web10. alexiadns. com

Let me add that:
It's the first detection.
I have Hardened mode enabled (Aggressive), UOC set to always, and double check all programs before install with virustotal.com
Also I don't run js on sites I don't trust.
I use opendns.
According to MBAM scan, PC is clean.

Therefore I am inclined to think it was either a FP or the infected favicon was blocked anyway before it could do harm.
Title: Re: What is this?
Post by: DavidR on July 07, 2015, 09:13:40 PM
First break the link to a suspect site so as to avoid accidental exposure - hXXp://69.28.58.10/favicon.ico

For me the IP turns up a different ISP C3 Networks.

There is a possibility that it may have been hacked, as modifying the favicon.ico file is a common symptom. Instead of a small icon appearing in the address bar, code can be introduced to try to execute a drive-by malware infection.

The favicon.ico file would have been first intercepted and checked, and if found or considered infected it wouldn't have been loaded or run by the browser. Avast would have aborted that connection to prevent it being downloaded into the browser cache and into the browser.
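As an added example (not code from this thread, from Avast, or from any poster), here is a check a site owner or analyst could run on a favicon.ico body they have already fetched, to tell a structurally valid icon from injected HTML or script of the kind described above. The sample inputs are constructed, not taken from the IP in the thread.

```python
import struct

# Constructed sample inputs: a minimal valid ICO with one 1x1 entry, and an
# HTML/script payload served under the same file name.
def _minimal_ico() -> bytes:
    image = b"\x00" * 40  # placeholder bitmap bytes; only the declared size matters here
    header = struct.pack("<HHH", 0, 1, 1)  # reserved=0, type=1 (icon), count=1
    # ICONDIRENTRY: width, height, colours, reserved, planes, bpp, size, offset
    entry = struct.pack("<BBBBHHII", 1, 1, 0, 0, 1, 32, len(image), 6 + 16)
    return header + entry + image

GOOD_FAVICON = _minimal_ico()
BAD_FAVICON = b"<html><script src='//example.invalid/x.js'></script></html>"

def classify_favicon(data: bytes) -> str:
    """Return 'ico', 'html-like' or 'malformed' for a fetched favicon body."""
    head = data.lstrip()[:64].lower()
    # Markup or script where an icon should be is the tampering symptom
    # described in the thread; flag it before any structural parsing.
    if head.startswith(b"<") or b"<script" in head or b"javascript:" in head:
        return "html-like"
    if len(data) < 6:
        return "malformed"
    reserved, kind, count = struct.unpack_from("<HHH", data, 0)
    # ICONDIR: reserved must be 0, type 1 = icon / 2 = cursor, at least one entry
    if reserved != 0 or kind not in (1, 2) or count == 0:
        return "malformed"
    if len(data) < 6 + 16 * count:
        return "malformed"
    for i in range(count):
        # size and offset sit at bytes 8..15 of each 16-byte directory entry
        size, offset = struct.unpack_from("<II", data, 6 + 16 * i + 8)
        # every image must lie after the directory and inside the file
        if offset < 6 + 16 * count or offset + size > len(data):
            return "malformed"
    return "ico"

if __name__ == "__main__":
    for name, body in (("good", GOOD_FAVICON), ("bad", BAD_FAVICON)):
        print(name, classify_favicon(body))
```

A "html-like" or "malformed" result on a file that should be a static icon is a reason to compare the served file against the one deployed on the server.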
Title: Re: What is this?
Post by: 1234ava on July 07, 2015, 09:30:27 PM
Thanks for the reply, David.

Yes, ISP is C3 Networks: I only reported the host name before.
Here is the complete info I get from the whatismyipaddress.com IP lookup:

IP:   69. 28. 58. 10
Decimal:   1159477770
Hostname:   web10. alexiadns. com
ASN:   21859
ISP:   C3 Networks
Organization:   C3 Networks
Services:   None detected
Type:   Corporate
Assignment:   Static IP
Blacklist status:   listed in b.barracudacentral.org and l2.apews.org; not listed in any other blacklists

Geolocation Information
Continent:   North America
Country:   United States
State/Region:   Virginia
City:   Herndon
Latitude:   38.9266  (38° 55′ 35.76″ N)
Longitude:   -77.3936  (77° 23′ 36.96″ W)
Postal Code:   20171

Title: Re: What is this?
Post by: DavidR on July 07, 2015, 10:34:55 PM
You're welcome.

I don't believe you need to do anything further as avast should have prevented any malicious action.

I also did a quick check but didn't find anything specific on the IP: http://urlquery.net/report.php?id=1436300696639.
Though C3 Networks Inc. seems to host other sites for that ASN.
Quote from: Wikipedia
Autonomous System Number, an identifier for a collection of IP networks and routers under the control of one entity