Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on December 02, 2011, 03:21:30 PM

Title: Site has Mal_Hifrm - does avast detect?
Post by: polonus on December 02, 2011, 03:21:30 PM
Hi forum friends,

See: http://www.virustotal.com/url-scan/report.html?id=84682f626881a46754421a2ab5eadcbc-1322830522
See: http://www.virustotal.com/file-scan/report.html?id=d521721cdf6dfcf6c5af0bf883546f20c4a6b2fffa43bff9611a98a12482b144-1322834317
Also see: http://urlquery.net/report.php?id=10246
Is this malware or a PUA FP?
Suspicious is: -raoban123.com/modules/superfishmenu/tmpl/js/jquery.js suspicious
[suspicious:2] (ipaddr:123.30.181.45) (script)  -raoban123.com/modules/superfishmenu/tmpl/js/jquery.js
     status: (referer=-raoban123.com/)saved 55774 bytes 1be9c3684054001f53fa7ff6d85ec3cb573a9cd2
     info: ActiveXDataObjectsMDAC detected Microsoft.XMLHTTP
     info: [decodingLevel=0] found JavaScript
     suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
This from there seems now to lead nowhere: -vnpokers.net/ benign
[nothing detected] (iframe) -vnpokers.net/
     status: (referer=-raoban123.com/)failure: <urlopen error [Errno -3] Temporary failure in name resolution>
This might have been flagged as a heuristic find of HTML-Iframe earlier,
but the domain does not exist or is inaccessible (-vnpokers dot net).

polonus

Title: Re: Site has Mal_Hifrm - does avast detect?
Post by: Pondus on December 02, 2011, 04:12:19 PM
Sucuri says infected: http://sucuri.net/malware/malware-entry-mwiframehd202


Wepawet
http://wepawet.iseclab.org/view.php?hash=84682f626881a46754421a2ab5eadcbc&t=1322838875&type=js
Title: Re: Site has Mal_Hifrm - does avast detect?
Post by: polonus on December 02, 2011, 04:23:14 PM
Hi Pondus,

I agree with you, but the redirect is dead now. Try and check whether -vnpokers.net is up.
So I agree with you and Sucuri that the site is still vulnerable to that malware attack, but it is not actually infecting. Can you confirm that? Sucuri should cleanse out their daily dirt, and this seems to be part of it: a malware redirect that is dead and no longer up is water under the bridge.

polonus

Title: Re: Site has Mal_Hifrm - does avast detect?
Post by: DavidR on December 02, 2011, 04:56:00 PM
The fact that the remote source isn't active is no guarantee that it won't become active. The simple insertion of the iframe is the infection/exploit not the payload at the remote source.

That is why in the past all I have done is confirm that the hack/exploit is in place (so the alert on that site by avast is correct and has to be addressed by them) and not care what payload is present (or not) at the remote location.

If the vnpokers domain is in the network shield malicious sites list, that too should alert, over and above the possibility that the web shield alerts on the inserted iframe. The actual payload isn't analysed; I think there is something about this for avast 7 whereby this remote payload would be checked.

How this will be done is the thing, possibly via the cloud, passing the link to the remote source for analysis, as this is likely to improve detection of the remote content should it ever arrive on your system. Since much of this is likely to be drive-by/rogue security stuff that is ever changing, this should improve detections in this category of malware.

Title: Re: Site has Mal_Hifrm - does avast detect?
Post by: polonus on December 02, 2011, 07:51:57 PM
Hi DavidR,

Agree that a site that has been compromised in this way is suspicious and could become malicious again through re-infection or through the same or other malcreants. So the first priority is to flag it and the Mal_Hifrm should be removed and the software exploit through which the malware could be installed should be patched.
So you agree that a site being flagged for a redirect to malware that has been taken down should still be flagged or blacklisted until the suspicious code has been completely removed?

polonus
Title: Re: Site has Mal_Hifrm - does avast detect?
Post by: DavidR on December 02, 2011, 08:14:33 PM
Yes, until that iframe (and or any other insertions) is removed and the exploit cleared it is still compromised and at risk of infecting unsuspecting users.
Title: Re: Site has Mal_Hifrm - does avast detect?
Post by: polonus on December 04, 2011, 12:24:09 AM
Hi forum friends,

See: http://www.virustotal.com/file-scan/report.html?id=fbcf8ae1bc0da7c62f89ecb2091fcb9096c910ca41cb664ab269781ebdd8cdaf-1322953963

Another case of Mal_Hifrm and consequent defacement of -http://www.cheviva.com/index.php
Sucuri gives: =http://www.cheviva.com/index.php
status:   Site infected with malware
web trust:     Not Blacklisted

Malware found in the URL:
-http://www.cheviva.com/index.php

Web site defaced.
Details: http://sucuri.net/malware/entry/MW:DEFACED:01

^html^h1^Hacked by linuXploit_crew ..code removed (pol) ^/iframe 0 0 0
Malware found in the URL:
-http://www.cheviva.com/index.php/404testpage4525d2fdc

polonus