Author Topic: Known malvertiser not flagged?  (Read 2076 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33926
  • malware fighter
Known malvertiser not flagged?
« on: August 30, 2012, 10:16:38 PM »
See: http://zulu.zscaler.com/submission/show/a352d544bd81e7fb43abe2e3bf05fee0-1346356118
See where we found the IDS alerts: http://urlquery.net/report.php?id=151978
Known BBot saved evidence of malcode GIF89a€ÿÿÿ!ù, Q now no longer responding...
Issues
1.
Quote
Flows belonging to different hosts:
Date flow start          Duration  Proto  Src IP Addr:Port          Dst IP Addr:Port       Packets  Bytes  Flows
2012-04-30 11:58:43.566  0.064     TCP    88.68.128.202:52333   ->  195.177.255.135:80     6        932    1
2012-04-30 11:58:43.694  0.704     TCP    208.115.111.73:41379  ->  195.177.254.134:80     13       909    1
2012-04-30 11:58:43.566  0.320     TCP    193.169.4.3:45853     ->  85.199.168.207:80      22       2058   1
2012-04-30 11:58:43.694  0.000     TCP    62.216.176.91:80      ->  217.7.17.165:54204     5        1328   1
2012-04-30 11:58:30.126  16.576    TCP    92.226.74.114:49961   ->  62.216.176.7:80        5        236    1
2012-04-30 11:58:43.566  3.264     TCP    62.216.176.8:80       ->  89.166.146.69:50138    31       39882  1
Quote
Data from a lecture by Sebastian Abt on "Selected Research in Network-based Malware and Botnet Detection"
2.
I get a WebKnight Application Firewall Alert for a look up on http://hosts-file.net/?s=62.216.176.7
IP does not resolve there...
3.
See: http://www.scanurls.com/report/12588 (nothing out of the ordinary given there)
4.
Site puts Salfeld's Child Control into the registry as [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ksupmgr] benign
as far as I am aware, heuristic finds for this, see: http://r.virscan.org/1a2786a5a4c3c4119c683eb220afdbde

That's all for what it's worth,

greets,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
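The flow records quoted under issue 1 are the kind of data a defender would feed into a watchlist check rather than read by eye. The following is an added example, not code from the post or from any of the tools it links: it parses nfdump-style flow lines (a constructed copy of the six quoted flows, with the flow count separated from the date it was fused to in the forum rendering), then reports every flow that touches a watched address range and the bytes exchanged per watched host. The post only names 62.216.176.7; treating the whole 62.216.176.0/24 network as the range of interest is this example's assumption.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample: the six flow lines quoted in the post, one flow per line,
# in the order "start duration proto src:port -> dst:port packets bytes flows".
FLOW_LINES = """\
2012-04-30 11:58:43.566 0.064 TCP 88.68.128.202:52333 -> 195.177.255.135:80 6 932 1
2012-04-30 11:58:43.694 0.704 TCP 208.115.111.73:41379 -> 195.177.254.134:80 13 909 1
2012-04-30 11:58:43.566 0.320 TCP 193.169.4.3:45853 -> 85.199.168.207:80 22 2058 1
2012-04-30 11:58:43.694 0.000 TCP 62.216.176.91:80 -> 217.7.17.165:54204 5 1328 1
2012-04-30 11:58:30.126 16.576 TCP 92.226.74.114:49961 -> 62.216.176.7:80 5 236 1
2012-04-30 11:58:43.566 3.264 TCP 62.216.176.8:80 -> 89.166.146.69:50138 31 39882 1
"""

FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<dur>\d+\.\d+)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<pkts>\d+)\s+(?P<nbytes>\d+)\s+(?P<flows>\d+)$"
)


@dataclass
class Flow:
    start: datetime
    duration: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse flow lines into Flow records; a malformed line is an error, not silently dropped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow line: {line!r}")
        flows.append(Flow(
            start=datetime.strptime(m["start"], "%Y-%m-%d %H:%M:%S.%f"),
            duration=float(m["dur"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]),
            dst=m["dst"], dport=int(m["dport"]),
            packets=int(m["pkts"]), nbytes=int(m["nbytes"]),
        ))
    return flows


# Assumed watch range for illustration: the post names 62.216.176.7; widening that
# to its /24 is this example's assumption, not something the post states.
WATCH_NETS = [ip_network("62.216.176.0/24")]


def in_watchlist(addr, nets=WATCH_NETS):
    return any(ip_address(addr) in n for n in nets)


def flows_touching_watchlist(flows, nets=WATCH_NETS):
    """Return the flows whose source or destination lies in a watched network."""
    return [f for f in flows if in_watchlist(f.src, nets) or in_watchlist(f.dst, nets)]


def bytes_per_watched_host(flows, nets=WATCH_NETS):
    """Total bytes exchanged with each watched address, to see which host is busiest."""
    totals = {}
    for f in flows_touching_watchlist(flows, nets):
        for addr in (f.src, f.dst):
            if in_watchlist(addr, nets):
                totals[addr] = totals.get(addr, 0) + f.nbytes
    return totals


if __name__ == "__main__":
    flows = parse_flows(FLOW_LINES)
    for f in flows_touching_watchlist(flows):
        print(f"{f.start} {f.proto} {f.src}:{f.sport} -> {f.dst}:{f.dport} {f.nbytes} bytes")
    print(bytes_per_watched_host(flows))
```

Run as a script it lists the three flows involving 62.216.176.x and the per-host byte totals; in practice the watch range would come from the IDS alert or blocklist rather than being hard-coded, and the parser would be pointed at an nfdump export instead of the embedded sample.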

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37585
  • Not a avast user
Re: Known malvertiser not flagged?
« Reply #1 on: August 30, 2012, 10:41:08 PM »
Quote
4.
Site puts Salfeld's Child Control into the registry as [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ksupmgr] benign
as far as I am aware, heuristic finds for this, see: http://r.virscan.org/1a2786a5a4c3c4119c683eb220afdbde
The virscan report is from 2010.

Offline polonus

Re: Known malvertiser not flagged?
« Reply #2 on: August 30, 2012, 10:53:47 PM »
Hi Pondus,

The virscan may be ancient, the malvertising is not (the IDS alerts from URLquery are very recent).
What I mean to say is that the malvertising through that site seems to go on, while the site seems to have a clean bill of health everywhere.
Well, aside from the IDS alerts I cannot find anything up...
This is just what the modern malvertiser likes most: keep a low profile and cash in on malvertising, or, when found out, comply and open shop elsewhere to continue business as usual. This is the new business scheme; the "loud" malware has already been put aside a long time ago...

polonus