Author Topic: Some web games are wrongly blocked by avast (Read 6153 times)


REDACTED

  • Guest
Some web games are wrongly blocked by avast
« on: December 03, 2014, 05:56:30 PM »
On http://www.4399.com (unblocked by avast now; the Trojan must have been removed, as I no longer see any antivirus detecting the htm file on virscan.org :) ), I wanted to click the next page button but accidentally clicked a web game, and then the whole connection attempt to the web game file was blocked by avast. I checked more web games and found that there are 3 web games for which avast thinks the {gzip} contains HTML:Iframe-inf; these are:

1. hxxp://kbxz-cdnres.wanwan4399.com/OzPlatStartProject.html?v=1140 (game name = 卡布仙踪)
2. hxxp://sjsj-client.wanwan4399.com/www_sjsj/index.html Blocked from hxxp://sjsj.4399.com/ | {gzip} (game name = 神将世界)
3. hxxp://www.4399.com/flash/48399.htm (game name = 卡布西游)

I haven't checked them all, but it looks like these 3 games are the only ones that are blocked. Why are only these few being blocked?

Scan results (checked only two):
Quote
hxxp://kbxz-cdnres.wanwan4399.com/OzPlatStartProject.html?v=1140 [Blocked]
Zulu: http://zulu.zscaler.com/submission/show/3d17cf18cf62c02c81076cf3f4d67201-1417622993 [Suspicious]
VT: https://www.virustotal.com/zh-tw/url/8ac52e680e1261f1d955949545430884f755c088ea727c854144e3c845168eaf/analysis/1417622968/

hxxp://www.4399.com/flash/48399.htm
Zulu: http://zulu.zscaler.com/submission/show/30e4fae2548c4845a4201f9ac924fdf9-1417623488
VT: https://www.virustotal.com/zh-tw/url/7b1fd4eb5187322be2b3e7153e4a8a8dddd8319c5ede123f815f4a95e3498256/analysis/1417623330/

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34053
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

REDACTED

  • Guest
Re: Some web games are wrongly blocked by avast
« Reply #2 on: December 04, 2014, 03:02:13 PM »
Quote
hxxp://www.qq937.com/
Did you search for the game and see this? The html file will be a bit different from this.
It is important to know that there are differences between websites when it comes to web games. I am seeing that the content is different; for example, there is game content specific to 4399. I also notice that the server is labeled 4399 in https://www.virustotal.com/zh-tw/url/8ac52e680e1261f1d955949545430884f755c088ea727c854144e3c845168eaf/analysis/1417622968/ , so maybe it is specific?

Or if you mean this, https://www.virustotal.com/en/ip-address/220.194.199.176/information/ (on the same IP): they do host games from 4399 when I search the site. But it is not that bad; the avast online security logo isn't red but yellow (which just says that the reputation is not good). And it also says that McAfee (hxxp://www.mcafee.com/threat-intelligence/domain/default.aspx?domain=www.qq937.com) has a bad reputation on the same search result page too, so I don't think that is reliable.

By the way, this is blocked at the domains "kbxz-cdnres.wanwan4399.com" and "sjsj-client.wanwan4399.com".
This gives a URL:Mal alert: hxxp://kbxz-cdnres.wanwan4399.com/invite/InviteFriend.html?inviteId=687722795

Whatever website is loaded in the iframe of hxxp://www.4399.com/flash/48399.htm is also given a domain block by avast.

REDACTED

  • Guest
Re: Some web games are wrongly blocked by avast
« Reply #3 on: December 05, 2014, 03:50:59 PM »
More information about the FP.

hxxp://www.4399.com/flash/48399.htm
I checked the html file, and avast alerts at the following line:
Code:
<iframe height="570" frameborder="no" width="970" scrolling="no" align="middle" style="" marginheight="0" marginwidth="0" border="0" src="hxxp://enter.wanwan4399.com/bin-debug/GreenGame.html">
==> blocked by avast: hxxp://enter.wanwan4399.com/bin-debug/GreenGame.html (domain is blocked)
see: https://www.virustotal.com/zh-tw/url/0496140048257e7740bdc217a8220a779a47a35025de19afde5910791d70b6d9/analysis/1417790180/
and: http://www.urlvoid.com/scan/enter.wanwan4399.com/
The 1 alert in urlvoid: http://www.browserdefender.com/site/enter.wanwan4399.com (safe to visit)
zulu: http://zulu.zscaler.com/submission/show/8f19fa4107fd3f118c80322e0f6f7647-1417790308 (not as suspicious as hxxp://kbxz-cdnres.wanwan4399.com/invite/InviteFriend.html?inviteId=687722795)

A URL:Mal alert is also given to hxxp://enter.wanwan4399.com/invite/invite.html?inviteId=250597943, which is just some kind of friend invite script or the event script of the web game.
« Last Edit: December 05, 2014, 03:54:41 PM by rickyyeung »

Offline polonus

Re: Some web games are wrongly blocked by avast
« Reply #4 on: December 05, 2014, 04:00:36 PM »
Did you see these results? Re: https://www.virustotal.com/nl/domain/enter.wanwan4399.com/information/
Malware hosted at that domain is Win32:WrongInf-A [Susp] or Win32:Malware-gen, Gen:Variant.Symmi.29067 adware, Win32:Virtu-A aka Virut :o,
HTML:Iframe-inf while checking on "checking 4399 iframe virus.txt".
Avast web rep detects the flash site uri as malicious.
I get this response:
HTTP/1.1 403 Forbidden
Server: nginx
Date: Fri, 05 Dec 2014 15:26:05 GMT
Content-Type: text/html
Content-Length: 162
Connection: keep-alive
Age: 0
Via: http/1.1 4399_cluster (CDN CACHE V1.0)

Also consider these 17CE results: http://www.17ce.com/site/http/201411_3ae3723c0d583728587b917dac60004e.html
for htxp://pic.my4399.com/nbbs/style/bbs.css
Also flagged by avast Web rep: http://zhanl.com/d-www.qq937.com-abd/ -> %E7%A9%BF%E7%9B%BE.rar
IP badness history:
https://www.virustotal.com/nl/ip-address/115.239.225.17/information/  avast detects as Win32:WrongInf-D [Susp]

polonus
« Last Edit: December 05, 2014, 04:39:02 PM by polonus »

REDACTED

  • Guest
Re: Some web games are wrongly blocked by avast
« Reply #5 on: December 05, 2014, 05:12:45 PM »
Quote
Did you see these results? Re: https://www.virustotal.com/nl/domain/enter.wanwan4399.com/information/
Malware hosted at that domain is Win32:WrongInf-A [Susp] or Win32:Malware-gen, Gen:Variant.Symmi.29067 adware, Win32:Virtu-A aka Virut :o,
HTML:Iframe-inf while checking on "checking 4399 iframe virus.txt".
The first thing is that the "checking 4399 iframe virus.txt" file was created and submitted by me in order to check if this specific line of html code is the source of the alert.
The second thing is that the website does not host the malware you mentioned, but the file references it. It is the file submitted to VT that embeds URL pattern strings with this domain, NOT downloaded from it. My "checking 4399 iframe virus.txt" is an example of this. You can see that those files are not actually on the domain.

IP badness history:
https://www.virustotal.com/nl/ip-address/115.239.225.17/information/  avast detects as Win32:WrongInf-D [Susp]

From wxw.qq937.com, I get a "405 Not Allowed" error. Upon searching, I see that there is data that is the same as 4399's, including the website description.
The IP badness history may be valid, but the domain "enter.wanwan4399.com" should only contain the web game files and game program scripts (unless the 4399 site owner put the malware in or the game itself is malicious). "wanwan" probably resolves to "玩玩", which means the same as "play game".
Is it actually a bad idea to have the same IP as another website that is malicious?
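The two points raised in this thread (Reply #3: the block fires on the iframe's src domain, not on the page's own content; Reply #5: a plain text file that merely embeds a URL string naming the domain gets associated with that domain on VT) can be modelled with a small checker. The following is an added example, not code from the thread, from avast or from VirusTotal. The blocklist, the sample page and the sample text file are constructed for the illustration (the page's hxxp:// defanging is undone so the parser sees real URLs); the real block logic of any vendor is not known and this only implements a domain-suffix match.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed blocklist for this example: an entry matches the host itself
# and every subdomain of it, which mirrors the thread's observation that
# kbxz-cdnres., sjsj-client. and enter.wanwan4399.com were all blocked.
BLOCKED_DOMAINS = {"wanwan4399.com"}


def host_is_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals a blocked domain or sits under one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in blocked)


class _SrcCollector(HTMLParser):
    """Collects URLs of elements that cause a fetch when the page renders.

    Records (line number, tag, url) so a report can point at the exact line,
    the way the thread quotes the offending iframe line.
    """

    FETCHING = {"iframe": "src", "script": "src", "img": "src",
                "link": "href", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCHING.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.refs.append((self.getpos()[0], tag, value))


def blocked_references_in_html(html, blocked=BLOCKED_DOMAINS):
    """Return the fetching elements of an HTML page whose target host is blocked."""
    parser = _SrcCollector()
    parser.feed(html)
    hits = []
    for line, tag, url in parser.refs:
        host = urlparse(url).hostname
        if host and host_is_blocked(host, blocked):
            hits.append({"line": line, "tag": tag, "host": host, "url": url})
    return hits


URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def blocked_references_in_text(text, blocked=BLOCKED_DOMAINS):
    """Same check for an arbitrary file: any URL string naming a blocked host.

    This is the VT 'domain information' situation from Reply #5: the file
    does not come from the domain, it only contains a string that names it.
    """
    return sorted({m.group(1).lower() for m in URL_RE.finditer(text)
                   if host_is_blocked(m.group(1), blocked)})


# Constructed sample page modelled on the iframe line quoted in Reply #3.
SAMPLE_PAGE = (
    '<html><body>\n'
    '<script src="http://www.4399.com/js/page.js"></script>\n'
    '<iframe height="570" width="970" scrolling="no" '
    'src="http://enter.wanwan4399.com/bin-debug/GreenGame.html"></iframe>\n'
    '</body></html>\n'
)

# Constructed stand-in for the "checking 4399 iframe virus.txt" file:
# plain text that only mentions the URL.
SAMPLE_NOTE = (
    'checking whether this line triggers the alert:\n'
    '<iframe src="http://enter.wanwan4399.com/bin-debug/GreenGame.html">\n'
    'the page itself lives at http://www.4399.com/flash/48399.htm\n'
)


if __name__ == "__main__":
    for hit in blocked_references_in_html(SAMPLE_PAGE):
        print("line %(line)d: <%(tag)s> loads blocked host %(host)s" % hit)
    print("hosts referenced by the text file:",
          blocked_references_in_text(SAMPLE_NOTE))
```

Run as a script it reports the iframe on line 3 of the sample page and lists enter.wanwan4399.com for the text file, while the www.4399.com references on both pass. The takeaway for triage is that such a verdict says nothing about the bytes of the page or file; it only says that a referenced host is on the list, so the host's reputation, not the file, is what needs to be disputed.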

Offline polonus

Re: Some web games are wrongly blocked by avast
« Reply #6 on: December 05, 2014, 05:37:53 PM »
Hi rickyyeung,

I agree with you that the suspicious/malicious URI is not on that domain; I had to be more specific and say that there certainly are dubious contents at whatever is hosting "enter.wanwan4399.com". Someone from the Taizhou node network should know ;)
There is a proxy running there as SUPER USER: 81/tcp open hosts2-ns? This leads somewhere into the internal networks.
Latest virus found from that IP: https://www.virustotal.com/nl/file/4d28ef08091ceaa61ca5772d40aa90ed18048fc139371493acf1a7a9dcfb8e85/analysis/

netblock.pedantic.org - dynamically-assigned reverse DNS entries
spam.pedantic.org
uribl.swinog.ch
ips.backscatterer.org
b.barracudacentral.org
ix.dnsbl.manitu.net
tor.dan.me.uk - All TOR nodes, entry & exit
torexit.dan.me.uk - Exit TOR nodes only
virus-msrbl - Hosts found sending virus mails
phishing-msrbl - Hosts found sending phishing mails
images-msrbls - Hosts found sending mail containing spam images
msrbl - All the msrbl lists combined
spamcop
rbl.efnetrbl.org - Hosts are added by our bots as users connect with hacked boxes and open proxies
virbl - Lists 's that sent more than 2 virus in the last 24 hours
dev.null.dk - ?
dialups.mail-abuse.org - ?
dul.orca.bc.ca - GONE
blackholes.five-ten-sg.com
spamsources.fabel.dk
sbl.spamhaus.org - Direct UBE sources, verified spam services and ROKSO spammers
xbl.spamhaus.org - Illegal 3rd party exploits, including proxies, worms and trojan exploits


polonus