Avast WEBforum

Other => Viruses and worms => Topic started by: gbe90 on May 28, 2012, 04:51:36 PM

Title: malware site?
Post by: gbe90 on May 28, 2012, 04:51:36 PM
malware site??
hxxp://socialcam.com/v/gorCwlFH

virustotal  https://www.virustotal.com/url/538a11904bf864a1bb4dfdbd1b65f0634cf9177a08b930c20fe4cbe0bb5f79ec/analysis/1338216328/

anubis  http://anubis.iseclab.org/?action=result&task_id=1efb93996337ef0e48de0254d6b5bf7ff&format=html

http://zulu.zscaler.com/submission/show/c3283837564cd709c8a5359021c7ff6f-1338216430

eset detected cache poised, thanks,
Title: Re: malware site?
Post by: polonus on May 28, 2012, 05:39:48 PM
Malicious Obfuscated content found for that URL
Obfuscation could be de-obfuscated as: "document.write('<a href=\"mailto:webcontactATsocialcam dot com\">Email Us<\/a>');"

polonus
Title: Re: malware site?
Post by: !Donovan on May 28, 2012, 05:49:17 PM
So any kind of obfuscated content will alert Zulu's Scanner?
Quote: "Malicious Obfuscated content found"


Also, if the webmaster wanted to prevent his email from being harvested, he could've used &#64; which decodes to @
Resource: http://www.asciitable.com/index/asciifull.gif
Title: Re: malware site?
Post by: polonus on May 28, 2012, 05:52:12 PM
Hi !Donovan,

For me it is just also a foolproof anti-spam measure, but it can also be used reversely,
eset detected cache poised for that site...
Conditional compilation used here to sniff: /*@cc_on!@*/ false
The alternative would naturally be: var isMSIE = /*@cc_on!@*/!1;

polonus
Title: Re: malware site?
Post by: Pondus on May 28, 2012, 06:25:58 PM
VirusTotal
https://www.virustotal.com/file/0399184a71e1a03b130cf79012d13e7db8d9d38f21b5fa3619ac5ad469ece8a5/analysis/1338222246/

This page seems to be <suspicious>  1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=socialcam.com/v/gorCwlFH


wepawet
http://wepawet.iseclab.org/view.php?hash=805de6ee72be18c415e481e66b7d81b1&t=1338222377&type=js
Title: Re: malware site?
Post by: polonus on May 28, 2012, 06:30:58 PM
Hi Pondus & !Donovan,

That means that the Zscaler flag is because of the inline script flagged by Google Safebrowsing, but I think that was just obfuscation taken as a potential XSS problem, see: htxp://apidock.com/rails/ActionView/Helpers/UrlHelper/mail_to#355-Javascript-encoding-DOES-work- (poster Bounga on Flowdock blog gives the same encoded script). So I would say, verdict: false positive,

polonus
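
Added example, not part of any post in this thread: a static check for the kind of encoded inline script discussed above. It decodes the payload without executing it and accepts it as e-mail obfuscation only when the whole payload is a single document.write of a mailto: link. The eval(decodeURIComponent('%..')) wrapper shape, the function names and both samples are assumptions constructed for illustration.

```javascript
// Added example: static triage of a percent-encoded inline script. Nothing is eval'd.
// Assumption: the wrapper looks like eval(decodeURIComponent('%64%6f...')) or eval(unescape('...')).

// Pull out the quoted %XX run without executing the script.
function extractEncodedPayload(scriptSource) {
  const m = /eval\(\s*(?:decodeURIComponent|unescape)\(\s*(['"])((?:%[0-9a-fA-F]{2})+)\1\s*\)\s*\)/
    .exec(scriptSource);
  return m ? m[2] : null;
}

// Benign only if the WHOLE decoded payload is one document.write of one mailto anchor;
// quotes and backslashes are refused inside the address and the link text.
const MAILTO_ONLY =
  /^document\.write\('<a href=\\?"mailto:[^"'<>\\]+\\?">[^<>'\\]*<\\?\/a>'\);?$/;

function triageInlineScript(scriptSource) {
  const payload = extractEncodedPayload(scriptSource);
  if (payload === null) return { verdict: 'no-encoded-eval', decoded: null };
  let decoded;
  try {
    decoded = decodeURIComponent(payload);
  } catch (err) {
    return { verdict: 'review', decoded: null }; // not valid UTF-8 percent-encoding
  }
  return { verdict: MAILTO_ONLY.test(decoded) ? 'mailto-obfuscation' : 'review', decoded };
}

// Helper for building constructed samples: encode every byte as %XX.
function wrapAsEncodedScript(js) {
  const hex = Array.from(new TextEncoder().encode(js), b => '%' + b.toString(16).padStart(2, '0'));
  return "eval(decodeURIComponent('" + hex.join('') + "'))";
}

// Constructed samples: the string quoted in the thread, and a payload that writes an iframe.
const THREAD_DECODED =
  String.raw`document.write('<a href=\"mailto:webcontactATsocialcam dot com\">Email Us<\/a>');`;
const SAMPLE_MAILTO = wrapAsEncodedScript(THREAD_DECODED);
const SAMPLE_OTHER =
  wrapAsEncodedScript(`document.write('<iframe src="http://example.invalid/"></iframe>');`);

console.log(triageInlineScript(SAMPLE_MAILTO).verdict);
console.log(triageInlineScript(SAMPLE_OTHER).verdict);
```

A 'review' verdict only means the payload is not the narrow mailto pattern; it still needs a human or a sandbox to look at the decoded text.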