Avast WEBforum
Other => Viruses and worms => Topic started by: Mustapha15 on May 13, 2020, 09:19:37 AM
-
Why do I keep getting this warning and how can I stop it
Thank you
-
This is because of Avazu Private Exchange (APX).
A leading self-served ad exchange for publishers to convert global traffic into revenue.
Advertisers use APX as a platform for unified distribution channels,
while publishers manage their global inventories with APX.
Most adblockers etc. block this adware-driven domain: -clk.apxadtracking dot net
See: https://webiplookup.com/clk.apxadtracking.net/
for instance here: https://webiplookup.com/npy21.com/domain.htm
You do not want to be taken to an adware infested sub-domain by miscreants, do you?
See: https://exploits.shodan.io/?q=apx (command injection and buffer overflow exploits).
So often adware goes hand in hand with cybercrime and infections of some sort.
To alert you against that is the mission of any av-solution.
That is why you got alerted by avast's.
Have a peaceful day,
polonus (volunteer 3rd party cold recon website security-analyst and website error-hunter)
-
Avast blocks this as an unsafe website: -http://gulfstarsauto.com/banner/apx/shp/index/xb/
Backtracking such sites, search for *apx with urlscan.io,
like with a search request like: https://urlscan.io/search/#apx%2Fshp%2Findex
and one could detect examples like this one (malicious):
https://urlscan.io/result/165c588d-a922-4739-8982-034838ae3d72/
resulting in a 100% PHISHING Score.
See the vulnerabilities that could have been exploited here:
https://www.shodan.io/host/192.210.199.68
Colo Crossing abuse on IP: https://www.virustotal.com/gui/ip-address/192.210.199.68/relations
7 engines detect this domain (burncalis dot gq), see: https://www.virustotal.com/gui/url/3a0e73b105e62407b8c14ad177862eb52bb482df1ff5205e34059859c450c668/detection
And an example where this PHISHING has been cleansed apparently (since December last):
https://urlscan.io/result/8c23cf21-d206-4095-88d6-2edeac0fadfa
polonus
-
Similar PHISHing scheme found 7 months ago: -http://cardanalysis.tk-
-> https://urlscan.io/result/99869c57-38f1-4270-a165-8b6b956e8acb/
Not taken down apparently: https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Xnx9I3xufGx5c1tzLnRr~enc
VT results, 4 engines to flag: https://www.virustotal.com/gui/url/9eead6bf47d748a3dd5a41bc99e46cf2f1986c93c571fd577548e1fe2f9ccdd5/detection
At present only three to flag: https://www.virustotal.com/gui/url/9eead6bf47d748a3dd5a41bc99e46cf2f1986c93c571fd577548e1fe2f9ccdd5/detection
Status now "connection reset by peer" (https://httpstatuses.com/429)
for Google's UA - Re: https://sitecheck.sucuri.net/results/cardanalysis.tk
Verotel International BV - IP abuse -
PORT STATE SERVICE VERSION
80/tcp open http nginx
|_http-title: 429 Too Many Requests Not Found Anymore
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
-
Thanks for replying, but I have no idea what you're on about as I am not a computer expert in any shape or form; just imagine you're talking to a cat.
-
Hi Mustapha15,
Explanation in simple words. You watch something and it is a website that uses the Avazu Private Exchange.
You see on the website the one thing, while the advertisement scheme takes you to ads from somewhere else.
The website owner gets revenue for taking you to ads the user did not ask to visit and see.
If such a scheme is unfair or hidden and performed by seo-cybercriminals we say it is malicious adware.
Avast flags such behavior by websites - going from the main domain to an advertisement sub-domain - as unasked-for.
You, as a user, might not want such schemes; it is not done in a fair way. We call that adware.
Of course there are some old grannies that are glad even to receive spam messages,
as ads and spam are the only communication they will ever get from their computers,
but normal users want to block that crap and stay free from it.
Installing the uBlock Origin adblocker will certainly help.
A good adblocker may stop all such problems for you.
It makes your browser also faster if you need not be taken to unwanted advertisements via redirects in the first place.
pol
-
Hi Mustapha15,
It could also be you have some crap on that computer that takes you to such a clk.apx destination.
Could you present us with a screenshot of that particular Avast message?
Maybe you need some help from a qualified remover to help you through the cleansing routine,
if need be.
polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)
-
How do you add an image, when I click on insert image it just brings up these brackets (IMG)
-
How do you add an image, when I click on insert image it just brings up these brackets (IMG)
See the screenshot from Magna86.
(http://www.mcshield.net/personal/magna86/Images/avast_1.png)
-
No idea how I didn't see that.
-
Could this be an FP?
See the analysis here: https://hybrid-analysis.com/sample/a9c2733d6410cd4b9f79fc3d5171b1789b9b60463d762d9281df2f1b20fa9dbc
Consider: https://www.virustotal.com/gui/file/a9c2733d6410cd4b9f79fc3d5171b1789b9b60463d762d9281df2f1b20fa9dbc/detection
This is up to the Avast team to come up with a final verdict.
polonus
-
See the process on your screenshot: it seems to be your VPN program (urbanVPN) that connects to that URL.
-
Hi Pondus,
But when that detection appears to be genuine, it can be no more than an adware PUP detection
(potentially unwanted programme).
That is probably also why it is not generally being flagged on VT.
pol