Avast WEBforum

Other => Viruses and worms => Topic started by: polonus on January 11, 2012, 06:58:26 PM

Title: HTML/Infected.WebPage.Gen2 not detected on site...
Post by: polonus on January 11, 2012, 06:58:26 PM
See: http://vscan.urlvoid.com/analysis/377105b0cec44ab66a56e9509ceb9518/MDI4LWh0bWw=/
See: http://www.virustotal.com/file-scan/report.html?id=9ffee7e7fe85b4c77e377494d68528561d9b6031490bee735980fa925a667c3c-1326237506
Avast should detect:  HTML:Iframe-inf
See: http://urlquery.net/queued.php?id=15701
-ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js suspicious
[suspicious:2] (ipaddr:72.14.204.95) (script) -ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/jquery-ui.min.js
     status: (referer=mck.skoczow.pl/)saved 186181 bytes f978dcb9ea6ecfbc7f8a2f9948bacd679c0cd1b4
     info: [iframe] -ajax.googleapis.com/ajax/libs/jqueryui/1.7.2/javascript:false;
     info: [decodingLevel=0] found JavaScript
     error: undefined variable jQuery
     error: undefined variable c.fn
     error: line:1: SyntaxError: missing ; before statement:
          error: line:1: var c.fn = 1;
          error: line:1: ....^
     suspicious:
redirect doorway to: -http://toksikoza.net/in.cgi?5
malware list collected over cz zone: Status 404  e.g. donut-virus site

polonus
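As an added illustration of the kind of injected iframe the urlquery output above flags (a `javascript:` pseudo-URL as the iframe source next to a third-party script), here is a small defensive scanner. It is example code written for this page, not code from the thread or from any of the tools referenced; the sample HTML, the `example.org` page host and the `malicious.example` hostname are constructed. It reports every URL in defanged form, using polonus's leading-`-` convention plus an `hxxp` scheme so that the report itself cannot be clicked.

```python
"""Flag hidden or off-site <iframe> elements in an HTML page and report
their sources defanged. Added example; sample input is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collects the attribute dicts of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # attrs is a list of (name, value) pairs; value may be None
            self.iframes.append(dict(attrs))


def _dimension_hidden(attrs):
    """True when the frame is 0/1 pixel in either dimension or styled away."""
    for key in ("width", "height"):
        value = (attrs.get(key) or "").strip().rstrip("px")
        if value.isdigit() and int(value) <= 1:
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def defang(url):
    """Forum-style defanging: leading '-' and a broken scheme (hxxp)."""
    url = url.replace("https://", "hxxps://").replace("http://", "hxxp://")
    return "-" + url


def scan_iframes(html, page_host):
    """Return a list of suspicious iframes with defanged src and reasons."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = (attrs.get("src") or "").strip()
        parsed = urlparse(src)
        host = parsed.hostname or ""
        reasons = []
        if parsed.scheme.lower() == "javascript":
            reasons.append("javascript: pseudo-URL as src")
        elif host and host != page_host:
            reasons.append("third-party host " + host)
        if _dimension_hidden(attrs):
            reasons.append("hidden (zero-size or display:none)")
        if reasons:
            findings.append({"src": defang(src), "reasons": reasons})
    return findings


# Constructed sample page: one legitimate same-site embed and two injected frames.
SAMPLE_HTML = """<html><body>
<h1>Club page</h1>
<iframe src="http://example.org/legit-embed" width="600" height="400"></iframe>
<iframe src="javascript:false;" style="display:none"></iframe>
<iframe src="http://malicious.example/in.cgi?5" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_iframes(SAMPLE_HTML, "example.org"):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run against a saved copy of a page rather than fetching it live; the point of the defanged output is that nothing in the report is a working link.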

Title: Re: HTML/Infected.WebPage.Gen2 not detected on site...
Post by: razoreqx on January 11, 2012, 07:53:00 PM
Nice find!  

http://support.clean-mx.de/clean-mx/viruses.php?domain=mck.skoczow.pl&response=
Title: Re: HTML/Infected.WebPage.Gen2 not detected on site...
Post by: polonus on January 11, 2012, 11:44:09 PM
Hi razoreqx,

If giving a link there, I would like to see it broken, because there is live malware out there in this case, up and infectious. The innocent and not so security savvy visitors could easily get themselves infected by not using the precautions we do and clicking a wrong link. That is why I present these finds rather via VT or other scan results, and give parts of suspicious code in jsunpack without giving direct page links. Even taking these direct precautions when doing cold reconnaissance needs browser protection of some sort, that is ample script blocking (NoScript or NotScripts) and running the browser in a sandbox or VM. Users do not know that skimming through malware source code even via a proxy in the browser can get them infected without their av solution detecting (always scan your browser files in the aftermath), so always give suspicious links like -www etc. Live malware code is always to be presented as an image to avoid unnecessary alerts and other risks. To view code, use jsunpack with ample script protection or the Malzilla browser sandboxed. So the analyst also should introduce SafeHex! And remember the malcreant is also an avast forum visitor....

polonus