Avast WEBforum

Other => General Topics => Topic started by: arconreef on July 01, 2010, 07:46:06 PM

Title: false positives
Post by: arconreef on July 01, 2010, 07:46:06 PM
Avast has reported a virus at downthemall dot net. I completely trust this site, and I have gone there before without any problems. It is possible that the website was hijacked, but if so I don't really care on this computer, because I don't use it for anything personal. How can I stop AVG from blocking this website?
Title: Re: false positives
Post by: ardvark on July 01, 2010, 08:15:39 PM
Avast has reported a virus at downthemall dot net. I completely trust this site, and I have gone there before without any problems. It is possible that the website was hijacked, but if so I don't really care on this computer, because I don't use it for anything personal. How can I stop AVG from blocking this website?

Hi...

An FP or hijacking is possible, although Online Link Scan (http://onlinelinkscan.com/) reports the site as clean. I'm curious, how does AVG figure into this? Do you have an AVG product installed alongside avast?

Regards...
Title: Re: false positives
Post by: arconreef on July 01, 2010, 08:25:56 PM
Sorry, that was just an error on my part, I meant Avast...  :-X
Title: Re: false positives
Post by: Pondus on July 01, 2010, 08:28:27 PM
NoVirusThanks - downthemall.net - 7/16 - INFECTED
http://scanner.novirusthanks.org/analysis/99bf7e26e01f850e178a025171b620ec/aW5kZXg=/

VirusTotal - downthemall.net - 11/41
http://www.virustotal.com/analisis/59ff8d452e248a4a84b7d35f397bac2439532d72ac3ccacee914f23726eebace-1278009099

This page seems to be <suspicious> 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.downthemall.net

I think someone has been "downthemall" and done some website tuning... :o
Title: Re: false positives
Post by: polonus on July 01, 2010, 08:54:50 PM
Hi arconreef, ardvark and Pondus,

Pondus, you are so right, because the site is suspicious, because of 1 suspicious inline script found,
see attached gif image.
What has been found on that site is reported here: http://www.google.com/safebrowsing/diagnostic?site=downthemall.net
Reported as suspicious also here:
http://wepawet.iseclab.org/view.php?hash=b015b380e12e4e866cab972801cec898&t=1278010699&type=js

Apparently the malcode comes from twitter, see: http://pastebin.com/mZ1JGhYF
but it is a Joomla malware script: http://www.google.com/support/forum/p/Webmasters/thread?tid=256902d9865b7cbd&hl=en
Joomla there was maliciously injected, my good anti-malware friends.
There is another suspicious hidden link there: pfgjmeepoxk.com/ld/goldmn, suspicious:
and the last time suspicious content was found on this site by google was on 2010-07-01.

    Malicious software includes 397 scripting exploits, 212 exploits, 26 trojans.

    This site was hosted on 66 networks including AS3269 (TELECOM), AS7132 (SBIS), AS7725 (COMCAST).

Has this site acted as an intermediary resulting in further distribution of malware?
Has this site hosted malware? See: http://amada.abuse.ch/?search=pfgjmeepoxk.com

    Yes, this site has hosted malicious software and it infected 13 domains, including lambdastreaming.com/, elbukanero.com/, trueblood-online.com/.
polonus
Title: Re: false positives
Post by: polonus on July 01, 2010, 09:33:29 PM
Hi malware fighters,

Good news for you, giving in: htxp://pfgjmeepoxk.com/ld/goldmn/
Do not repeat this, it will give an avast flag for S:Prontexi-CG [Trj]
About this ad-poisoning malware the avast bloggers reported here: http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/

So I think we thoroughly analyzed this malware site.
Thanks, Pondus, for your malcode scanning contributions,
this really must make a difference for our users,

polonus
Title: Re: false positives
Post by: Pondus on July 01, 2010, 09:41:10 PM
VirusTotal - GOLDMN.py - 4/40
http://www.virustotal.com/analisis/b88346304b576d80b734c005746fd854f018d27dda4946a404368bb31637d0de-1278013014
Title: Re: false positives
Post by: polonus on July 01, 2010, 11:13:38 PM
Hi malware fighters,

About that script there: htxp://webcache.googleusercontent.com/search?q=cache:ianycP-2efQJ:www.astalavista.com/index.php%3Fapp%3Dmailinglists%26do%3Dview%26mid%3D1%26id%3D90401+7FtuQd8!90%3B0!+0%3Bgy~t%3Fg%3Edg%3Edbu~tcKyMK%24M%3Eaeubi%3E|u~wdx%2Brbuq&cd=8&hl=en&ct=clnk
And the new malware wave: http://www.securityfocus.com/archive/1/511164/30/0/threaded

http://pastebin.com/mZ1JGhYF
Something in the obfuscated code translates to:
Code:
cc='%3c%5c%2fscript%3e';window["e"+""+/ signs of an attack site...

polonus

Hi malware fighters, what I prescribe in forthcoming cases: feed the obfuscated packed code here:
http://www.strictly-software.com/unpack-javascript.aspx
Now click unpack, then feed this into jsunpack with NS active in the browser, just for experts (code may spill or worse). Now search for the initial part of the code with Google and read explanations of what it does (links from web application tool forums, security sites, etc.). Now we will have a good idea what the code is aiming at and what the threat may be about, also if, as here, a malicious iFrame is involved. Good hunting, folks,

D
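As an added defender-side example (not code from the thread or from any of the posters), the following script automates the first check polonus describes: it pulls every inline script out of a page, percent-decodes the string literals in them, and reports any literal that hides markup such as the `%3c%5c%2fscript%3e` (that is, `<\/script>`) seen in the snippet above. The sample HTML and the indicator list are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Markup that should not normally be hidden behind percent-encoding inside
# an inline script; the thread's snippet shows exactly this pattern.
SUSPICIOUS_MARKUP = ("<script", "</script", "<iframe", "</iframe")

class _InlineScriptCollector(HTMLParser):
    """Collect the body text of every <script> element without a src."""
    def __init__(self):
        super().__init__()
        self._in_script = False
        self.scripts = []
    def handle_starttag(self, tag, attrs):
        if tag == "script" and not dict(attrs).get("src"):
            self._in_script = True
            self.scripts.append("")
    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
    def handle_data(self, data):
        if self._in_script:
            self.scripts[-1] += data

# Single- or double-quoted JS string literal, honouring backslash escapes.
_STRING_LITERAL = re.compile(r"""(['"])((?:\\.|(?!\1).)*)\1""")

def find_encoded_markup(html):
    """Return (script_index, decoded_literal) for every percent-encoded
    string literal that decodes to script/iframe markup."""
    collector = _InlineScriptCollector()
    collector.feed(html)
    hits = []
    for idx, body in enumerate(collector.scripts):
        for m in _STRING_LITERAL.finditer(body):
            literal = m.group(2)
            if "%" not in literal:
                continue  # nothing encoded, nothing to unhide
            decoded = unquote(literal).replace("\\/", "/")  # drop the JS-style escaped slash
            if any(tok in decoded.lower() for tok in SUSPICIOUS_MARKUP):
                hits.append((idx, decoded))
    return hits

# Constructed sample: a benign inline script, then one hiding a closing
# script tag and an iframe behind percent-encoding (example.invalid is a placeholder).
SAMPLE_HTML = """<html><head>
<script>var page = 'home'; console.log('%20 is a space');</script>
<script>cc='%3c%5c%2fscript%3e';
fr='%3ciframe%20src%3d%22http%3a%2f%2fexample.invalid%2fld%2f%22%3e';
document.write(fr + cc);</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for idx, decoded in find_encoded_markup(SAMPLE_HTML):
        print(f"inline script #{idx}: decoded literal -> {decoded!r}")
```

Run it against the saved HTML of a flagged page instead of SAMPLE_HTML to get the decoded literals without executing anything in a browser.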
Title: Re: false positives
Post by: ardvark on July 02, 2010, 02:28:30 AM
NoVirusThanks - downthemall.net - 7/16 - INFECTED
http://scanner.novirusthanks.org/analysis/99bf7e26e01f850e178a025171b620ec/aW5kZXg=/

VirusTotal - downthemall.net - 11/41
http://www.virustotal.com/analisis/59ff8d452e248a4a84b7d35f397bac2439532d72ac3ccacee914f23726eebace-1278009099

This page seems to be <suspicious> 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.downthemall.net

Hi all...

Looks like I should have tried additional scanners. ::)

Regards...