Author Topic: Is Fetch a good way to analyze iFrame redirects?


polonus (Avast Überevangelist, malware fighter)
Is Fetch a good way to analyze iFrame redirects?
« on: February 12, 2014, 01:22:56 AM »
See: htxp://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Ffenkaololo.com%2Fmmmsss%2Fxpxlkzbuaodwitdwy.php&useragent=Fetch+useragent&accept_encoding=
(link broken for the non-security-savvy - do not venture out there!)
Malcode link description: http://labs.sucuri.net/db/malware/malware-entry-mwiframehd202
https://www.virustotal.com/nl/url/ed8aa33e93d4a6c97348453a5450028d196718f68b7a6fbce3b7781be9cfde4c/analysis/1392163367/
DrWeb URL checker does not find anything and gives an all green. ???
Code see: http://jsunpack.jeek.org/?report=8e9dc1bb12e1f5d998bdaaa96f279caa5e796826
Visit above links in a browser protected with extensions like NoScript or ScriptSafe and inside a VM or sandbox.
We saw they were using: PHP/5.3.3-7+squeeze18
Character encoding:
  • Reported encoding (content-type): UTF-8, content decodes successfully
  • No meta content-type/encoding
  • Guessed encoding: ascii 1.0, content decodes successfully
Redirects to (location header) -> http://guess.scritch.org/%2Bguess/?url=htxp%3A%2F%2Fww2.fenkaololo.com%2Fmmmsss%2Fxpxlkzbuaodwitdwy.php
(link broken for the non-security savvy)
server: Apache2 - Oversee Turing v1.0.0 (VT data)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

polonus
Re: Is Fetch a good way to analyze iFrame redirects?
« Reply #1 on: February 12, 2014, 01:54:09 AM »
Using a more conventional way does not deliver: http://urlquery.net/report.php?id=9399534
But Zulu (Zscaler) delivers the results we want: http://zulu.zscaler.com/submission/show/54a9e4ed526a4c85d2f37a59ecab3b0f-1392165342
Read about the type of malcode: http://www.feedurbrain.com/forum/showthread.php?31778-Friendly-Warning-About-Malware-on-this-site-effecting-others
poster = Magnes
domain is parked -> htxp://www.dsparking.com/w3c/p3p.xml
An unconventional scan to further help us: http://webcookies.info/cookies/ww2.fenkaololo.com/1126563/
Server configuration is questionable; see the info on HTTP security-related headers:
http://blogs.msdn.com/b/ie/archive/2009/01/27/ie8-security-part-vii-clickjacking-defenses.aspx
http://www.w3.org/TR/CSP/
http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx
http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
General website insecurities:
excessive header info, clickjacking vulnerability.
Also see this scan: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fww2.fenkaololo.com%2Fmmmsss%2Fxpxlkzbuaodwitdwy.php
and the hit:
<frameset rows="100%,*" frameborder="no" border="0" framespacing="0">
    <frame src="htxp://ww2.fenkaololo.com? etc. etc.

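An added example, not from the posts above and not code from the Fetch, Zulu or DOM XSS scanner tools: the manual workflow in both posts (follow the Location header hop by hop without running any script, then look at the final page for a full-window frameset and at the response headers for clickjacking defences and version leaks) written as a small offline Python script. The HTTP responses, hostnames under example.test and the "ww2." hop are constructed sample data, not real captures; the `fetch` parameter is a hypothetical hook so a real transport can be plugged in later.

```python
"""Follow a redirect chain offline, then inspect the final page for
frame/iframe sources and missing security headers (illustrative code)."""
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed raw HTTP responses keyed by URL (not real captures): a 302 hop
# to a "ww2." host, then a 200 page whose body is a full-window frameset.
RESPONSES = {
    "http://example.test/m/landing.php": (
        "HTTP/1.1 302 Found\r\n"
        "Server: Apache/2.2.16\r\n"
        "Location: http://ww2.example.test/m/landing.php\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "\r\n"
    ),
    "http://ww2.example.test/m/landing.php": (
        "HTTP/1.1 200 OK\r\n"
        "Server: Apache/2.2.16\r\n"
        "X-Powered-By: PHP/5.3.3\r\n"
        "Content-Type: text/html; charset=UTF-8\r\n"
        "\r\n"
        '<html><frameset rows="100%,*" frameborder="no" border="0">'
        '<frame src="http://parked.example.test/?ref=1">'
        "</frameset></html>"
    ),
}


def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


class FrameSrcParser(HTMLParser):
    """Collect absolute src URLs of <frame>/<iframe> tags; no JS is executed."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.sources.append(urljoin(self.base_url, value))


def header_findings(headers):
    """Flag missing defensive headers and leaked version information."""
    findings = []
    if "x-frame-options" not in headers and "content-security-policy" not in headers:
        findings.append("clickjacking: no X-Frame-Options or CSP frame-ancestors")
    if "x-content-type-options" not in headers:
        findings.append("no X-Content-Type-Options: nosniff")
    for leak in ("server", "x-powered-by"):
        if any(ch.isdigit() for ch in headers.get(leak, "")):
            findings.append(f"version disclosure in {leak}: {headers[leak]}")
    return findings


def follow_chain(start_url, fetch=RESPONSES.get, max_hops=10):
    """Walk Location redirects by hand so every hop is recorded, then inspect
    the final document. `fetch` (hypothetical hook) maps a URL to a raw
    response string, or None when nothing came back."""
    chain, url, seen = [], start_url, set()
    for _ in range(max_hops):
        if url in seen:
            chain.append({"url": url, "error": "redirect loop"})
            break
        seen.add(url)
        raw = fetch(url)
        if raw is None:
            chain.append({"url": url, "error": "no response"})
            break
        status, headers, body = parse_response(raw)
        hop = {"url": url, "status": status, "findings": header_findings(headers)}
        if 300 <= status < 400 and "location" in headers:
            hop["location"] = urljoin(url, headers["location"])
            chain.append(hop)
            url = hop["location"]
            continue
        parser = FrameSrcParser(url)
        parser.feed(body)
        hop["frame_sources"] = parser.sources
        chain.append(hop)
        break
    else:
        chain.append({"url": url, "error": f"exceeded {max_hops} hops"})
    return chain


if __name__ == "__main__":
    for hop in follow_chain("http://example.test/m/landing.php"):
        print(hop)
```

Because redirects are followed by hand rather than by a browser, every hop and its headers stay visible, and nothing in the landing page is executed; a JavaScript-driven redirect would not show up here, which is exactly why the posts fall back to tools such as Zulu for that case.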