Author Topic: Does this site still have malicious content? (Read 6484 times)

polonus · « **on:** June 26, 2012, 12:58:01 PM »

See: http://zulu.zscaler.com/submission/show/91ae75b5f65747e738a97ae98e1a2d87-1340707431
IDS flags here: http://urlquery.net/report.php?id=75874
Malvertising site and ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012
Diagnostics: -http://www.mbi-connexion.com/securite/diagnostic/h--hm-asia.com

[embed] hm-asia dot com/pic.swf
info: [decodingLevel=0] found JavaScript
suspicious:

polonus

AdrianH · « **Reply #1 on:** June 26, 2012, 01:17:54 PM »

https://www.virustotal.com/url/a21c1c02cf58cef13192669eb33d4053e34c3097b089fd00b9595934063199d3/analysis/1340709188/ doesn't show anything.

Asyn · « **Reply #2 on:** June 26, 2012, 01:23:29 PM »

http://sitecheck.sucuri.net/results/hm-asia.com

Malware found on javascript file:
hxxp://hm-asia.com/flash.js

http://sucuri.net/malware/malware-entry-mwjs160

!Donovan · « **Reply #3 on:** June 26, 2012, 06:48:03 PM »

hm-asia.com/flash.js (malicious obfuscated content | part of blackhole exploit)
info: [embed] hm-asia.com/pic.swf
info: DecodedGenericCLSID detected D27CDB6E-AE6D-11cf-96B8-444553540000
info: [var s] URL=hm-asia.com/function
https://www.virustotal.com/file/3e51239e75656d1e6eb3f333b4523bc786b260b7b762ce82380985903123ca69/analysis/1340728184/

(var s) hm-asia.com/function (404)
status: (referer=hm-asia.com/flash.js) <-- Gets called from flash.js
Return Status: 404

[SWF] (embed) hm-asia.com/pic.swf (clean)
status: (referer=hm-asia.com/flash.js) <-- Gets called from flash.js
https://www.virustotal.com/file/c803c78fa12201a01745a08279cc0cd32ec69772d40105816f58f96baeab5a7d/analysis/1340728084/

Yes.

polonus · « **Reply #4 on:** June 26, 2012, 09:57:30 PM »

As avast does not detect, this should be reported to virus AT avast dot com.
I have done so accordingly,

polonus

!Donovan · « **Reply #5 on:** June 29, 2012, 01:51:02 AM »

Same algorithm mentioned here (link found by Polonus):
http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains

"By changing the date passed to the function we can determine domains that will be used in future."

!Donovan · « **Reply #6 on:** June 29, 2012, 06:16:59 PM »

14/41 Now Detect.

Avast! detects as JS:Blacole-V [Trj], so we are being protected.

Asyn · « **Reply #7 on:** June 29, 2012, 06:20:05 PM »

Quote from: !Donovan on June 29, 2012, 06:16:59 PM

14/41 Now Detect.

Avast! detects as JS:Blacole-V [Trj], so we are being protected.

Great. Thanks for the info.

Coolmario88 · « **Reply #8 on:** June 29, 2012, 06:46:35 PM »

I tried copying the link so i can paste it in Bounceapp to get a screenshot of the site.. but mistakenly clicked open link in firefox.. :/ I closed the tab very quick and cleared all cookies.. avast did block Flash.js on that site.. I scanned with malwarebytes' and didn't find anything and i am scanning with SAS.. Hopefully my computer didn't get infected.. I pray not..

!Donovan · « **Reply #9 on:** June 29, 2012, 06:50:30 PM »

If avast! blocked flash.js then you should have nothing to worry about.

Coolmario88 · « **Reply #10 on:** June 29, 2012, 06:58:42 PM »

Quote from: !Donovan on June 29, 2012, 06:50:30 PM

If avast! blocked flash.js then you should have nothing to worry about.

Thank Goodness

Asyn · « **Reply #11 on:** June 29, 2012, 08:26:11 PM »

Quote from: Coolmario88 on June 29, 2012, 06:46:35 PM

I tried copying the link so i can paste it in Bounceapp to get a screenshot of the site.. but mistakenly clicked open link in firefox.. :/

You shouldn't "play" with such stuff, very bad things can happen...!!!

Coolmario88 · « **Reply #12 on:** June 29, 2012, 08:47:42 PM »

Quote from: Asyn on June 29, 2012, 08:26:11 PM

Quote from: Coolmario88 on June 29, 2012, 06:46:35 PM
I tried copying the link so i can paste it in Bounceapp to get a screenshot of the site.. but mistakenly clicked open link in firefox.. :/

You shouldn't "play" with such stuff, very bad things can happen...!!!

ok

polonus · « **Reply #13 on:** June 29, 2012, 09:25:05 PM »

Well Coolmario88,

Well actualy that "do not play with" should be "do not click". You may feed a link to online scanners, could analyze that link online, but you should not visit that link by clicking it and going there to that malware laden site (or in lab settings on a VM and with script blocking active). But better not because malcode can escape sandboxes and I for one would not like to experiment clicking a live file infector link. So always remember "curiosity killed the proverbial animal",

polonus

Author Topic: Does this site still have malicious content? (Read 6484 times)

polonus

Does this site still have malicious content?

AdrianH

Re: Does this site still have malicious content?

Asyn

Re: Does this site still have malicious content?

!Donovan

Re: Does this site still have malicious content?

polonus

Re: Does this site still have malicious content?

!Donovan

Re: Does this site still have malicious content?

!Donovan

Re: Does this site still have malicious content?

Asyn

Re: Does this site still have malicious content?

Coolmario88

Re: Does this site still have malicious content?

!Donovan

Re: Does this site still have malicious content?

Coolmario88

Re: Does this site still have malicious content?

Asyn

Re: Does this site still have malicious content?

Coolmario88

Re: Does this site still have malicious content?

polonus

Re: Does this site still have malicious content?