Good blocking from the avast! Network Shield

[polonus]

See: http://urlquery.net/report.php?id=1737479
avast! Network Shield blocks this url as URL:Mal
Not detected here: http://evuln.com/tools/malware-scanner/http%3A%2F%2Fnacha-updates.org%2Fnews%2F04012013.php/
Given benign: http://zulu.zscaler.com/submission/show/fa74c5c2556cc4adcc4754d51bd15e62-1364848245
Malcode on site blocked as JS:Downloader-CBM[Trj] by avast! Web Shield...

polonus

[polonus]

It is almost unbelievable, but missed here: http://www.urlvoid.com/scan/nacha-updates.org/
and here: http://sitecheck.sucuri.net/results/nacha-updates.org/
but detected here thrice: 0d020f64195e6134f6527c5443badea3f1f5eb54fb2576d7c4e7a08a698bc356
url after redirection -> {"timestamp": "1364848995", "sha256": "31a4aed87c1f85cc45e234c76ecf0ae068cfaa797f3c29acbeb031e68359140c", "analysis_url": "/en/url/31a4aed87c1f85cc45e234c76ecf0ae068cfaa797f3c29acbeb031e68359140c/analysis/1364848995/", "result": 1, "verbose_msg": "Invalid URL"}
see: http://www.mywot.com/en/scorecard/nacha.org?utm_source=addon&utm_content=popup-donuts (Indian bot interference?)

pol

[polonus]

Here follows a good observation from our forum friend Pondus on how shortened urls are brought into play by the malcreants:

if one uses the short url  (-http://nacha-updates.org)  you get this...nada and IP in Korea
http://urlquery.net/report.php?id=1737949
http://sitecheck.sucuri.net/results/nacha-updates.org

using the full url  (-http://nacha-updates.org/news/04012013.php)  then IP is changed to South Africa
http://urlquery.net/report.php?id=1737957
http://sitecheck.sucuri.net/results/nacha-updates.org/news/04012013.php   and sucuri now sees a redirect

Pondus, thanks for these observations. Website analysts should be aware of these"uri-games"...

polonus