Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on October 06, 2015, 03:25:55 PM

Title: pbid.pro-market.net adware on website flagged....
Post by: polonus on October 06, 2015, 03:25:55 PM
See: https://urlquery.net/report.php?id=1444136717832
Detection missed: https://www.virustotal.com/nl/url/0e93da8bd3c2552487d1210b482b132f75431b3b83a6a1c822fa6664879fefa9/analysis/
and https://www.virustotal.com/nl/file/6e78d66dceb735565164965c6074c76349cc32f6c59d6b275d3bca0a34ccf654/analysis/1443540257/
and https://sitecheck.sucuri.net/results/www.hercampus.com#sitecheck-details
and http://quttera.com/detailed_report/www.hercampus.com

See: -http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.hercampus.com%2Fgwu

anProfile third party cookie classified as Targeting/Advertising by -pbid.pro-market.net ->
http://www.domxssscanner.com/scan?url=http%3A%2F%2Fpbid.pro-market.net
Read about their cookie: http://cookiepedia.co.uk/cookie/316268
uMatrix Google Chrome extension has prevented the following page from loading for me:
-http://pbid.pro-market.net/

For script tracking results see tracker tracker report attached. (Retrieving: http://www.googletagservices.com/tag/js/gpt.js
Error: insufficient webdata received (connection may not have been established)
-> --http://www.domxssscanner.com/scan?url=http%3A%2F%2Fwww.googletagservices.com%2Ftag%2Fjs%2Fgpt.js+ )

The PUP detection for the almond.net adware can be seen confirmed here: https://www.reasoncoresecurity.com/almond-min.js-b47d34183a52fa603d6264e420bb6c78d0d29f71.aspx

polonus (volunteer website security analyst and website error-hunter)
Title: Re: pbid.pro-market.net adware on website flagged....
Post by: Para-Noid on October 06, 2015, 04:05:15 PM
Do some clicking around here http://push2check.net/hercampus.com
Title: Re: pbid.pro-market.net adware on website flagged....
Post by: polonus on October 06, 2015, 04:09:53 PM
OK, Graig, right on track. Good resources and I bookmarked these already  ;)

Well, my report did not have all the bad adware stuff; there was also something like a link to an EZ-toolbar downloader, an item we certainly like to avoid. So there was another third-party link alerted in the urlquery dot net report for -cdn.mxpnl.com with the EZ-toolbar downloader.

Adware! Detections for the domain: https://www.virustotal.com/nl/domain/cdn.mxpnl.com/information/
HTTPS Everywhere Atlas info: https://www.eff.org/https-everywhere/atlas/domains/mxpnl.com.html
Quttera flags: Quttera Labs - domain is Clean.
"The malware entry is cached and may not reflect the current status of the domain."

See: -http://www.domxssscanner.com/scan?url=https%3A%2F%2Fcdn.mxpnl.com%2Flibs%2Fmixpanel-2.2.min.js *
going through: -http://www.localsearch.com.au/resources/pluto/javascripts/main-home.min.js (The Superpages mobile app seems OK).

* We cannot dive into every issue and vulnerability here, but this I do not like to keep from you - a source for an XSS exploit with "c.localStorage.set" as the source, read: https://blog.whitehatsec.com/web-storage-security/

polonus
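As an added illustration of the web-storage DOM XSS point raised in the post above (example code, not from the thread or from the DOM XSS scanner it links): a small source-to-sink check over a constructed script. It flags lines where a client-side storage read or other DOM XSS source (localStorage, location.hash, document.cookie) reaches a dangerous sink such as innerHTML or document.write, either directly or through a variable assigned from that source, and leaves the textContent-based alternative unflagged. The regexes and the sample script are assumptions made for this example, not the scanner's actual rules.

```javascript
// Constructed source/sink patterns: a rough approximation of what a
// DOM XSS scanner reports, not the rules of any real tool.
const SOURCE_RE = /\b(?:localStorage|sessionStorage)\s*(?:\.getItem\(|\[)|\blocation\.(?:hash|search|href)\b|document\.(?:cookie|referrer)\b/;
const SINK_RE = /\.innerHTML\s*=|\.outerHTML\s*=|document\.write\(|\beval\(|insertAdjacentHTML\(/;

// Scan JavaScript text line by line. Variables assigned from a source
// are remembered as tainted; a sink line is reported when it uses a
// source directly or uses a tainted variable.
function findStorageSinkFlows(js) {
  const tainted = new Set();
  const findings = [];
  js.split("\n").forEach((line, i) => {
    const trimmed = line.trim();
    // e.g.  var name = localStorage.getItem("displayName");
    const assign = trimmed.match(/^(?:var|let|const)?\s*([A-Za-z_]\w*)\s*=\s*(.*)$/);
    if (assign && SOURCE_RE.test(assign[2])) tainted.add(assign[1]);
    if (SINK_RE.test(trimmed)) {
      const direct = SOURCE_RE.test(trimmed);
      const viaVar = [...tainted].find((v) => new RegExp(`\\b${v}\\b`).test(trimmed));
      if (direct || viaVar) {
        findings.push({ line: i + 1, via: direct ? "direct" : viaVar, code: trimmed });
      }
    }
  });
  return findings;
}

// Constructed sample: line 3 is the vulnerable pattern (storage value
// into innerHTML), line 4 the safe rewrite (textContent), line 5 a
// direct location.hash -> document.write flow, line 7 a sink fed by a
// constant and therefore not reported.
const SAMPLE = `
var name = localStorage.getItem("displayName");
document.getElementById("hello").innerHTML = "Hi " + name;
document.getElementById("hello2").textContent = "Hi " + name;
document.write(location.hash.slice(1));
var safe = "static";
el.innerHTML = safe;
`;

for (const f of findStorageSinkFlows(SAMPLE)) {
  console.log(`line ${f.line} (via ${f.via}): ${f.code}`);
}
```

The check is deliberately line-local (no cross-line data flow beyond simple variable taint), so it underreports; its purpose is to show why a scanner lists storage reads as sources, and that switching the sink to textContent removes the finding.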