Topic: Probably false negative?

REDACTED

  • Guest
Probably false negative?
« on: October 13, 2014, 05:30:02 PM »
A weird website hxxp://www.43999.cn/

The Google search description claims that it is also named 4399小游戏 (which is hxxp://www.4399.com/)
Quote
43999 Mini Games (43999小游戏网) is also known as 4399 Mini Games (4399小游戏)
Fake similar website?

None of them detected it:
https://www.virustotal.com/zh-tw/file/ccda3a95a28464ccbf83dccae7e18881f5270e0e7e0be2934a8934f542bdd118/analysis/1413213662/

But I don't get a clean result in the Sucuri SiteCheck:
http://sitecheck.sucuri.net/results/www.43999.cn
Blacklisted by McAfee and Site Likely Compromised

False negative?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33938
  • malware fighter
Re: Probably false negative?
« Reply #1 on: October 13, 2014, 07:08:57 PM »
Analyze here: http://linkeddata.informatik.hu-berlin.de/uridbg/index.php?url=www.43999.cn%2F&useragentheader=&acceptheader=
Hosting site = https://www.virustotal.com/nl/url/9ffca02a6442d46e8eebab04098a85d511e587a9b3bd138062154a718ab9c629/analysis/1413219659/
Opening up 4399小游戏 from Baidu I get this from the avast Web Shield: JS:ScriptIP-inf[Trj]
Read about the virus here: http://blog.yoocare.com/how-to-remove-jsscriptip-inf-trj/
It definitely is on: htxp://www.baidu.com/link?url=jBDRhSVdBmlrooiiRDwAdp-EC8_aCmjucdEYFCkct-O

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Probably false negative?
« Reply #2 on: October 13, 2014, 07:18:05 PM »
DrWeb's URL Checker does not detect: htxp://www.baidu.com/link?url=jBDRhSVdBmlrooiiRDwAdp-EC8_aCmjucdEYFCkct-O (redirects to htxp://www.4399.com/)

Checking: htxp://www.4399.com//resource8/ucenter_www_new.js
File size: 35.21 KB
File MD5: 1206ee5a7dee93f3b7d1a6a99e9721f7

htxp://www.4399.com//resource8/ucenter_www_new.js - archive JS-HTML
htxp://www.4399.com//resource8/ucenter_www_new.js - Ok

Checking: htxp://www.4399.com//jss/skiner5.js
File size: 3674 bytes
File MD5: 14123ad43b48d32ad3542999e6a11b61

htxp://www.4399.com//jss/skiner5.js - archive JS-HTML
>htxp://www.4399.com//jss/skiner5.js/JSFile_1[0][e5a] - Ok
htxp://www.4399.com//jss/skiner5.js - Ok

Checking: htxp://www.4399.com//jss/index20140722.js
File size: 36.65 KB
File MD5: 648563e478c1424e0740914e9e856477

htxp://www.4399.com//jss/index20140722.js - Ok

Checking: htxp://www.4399.com//jss/sosmart.js
File size: 8625 bytes
File MD5: 53424f89c35b58294b6ca04fcbaf2589

htxp://www.4399.com//jss/sosmart.js - archive JS-HTML
>htxp://www.4399.com//jss/sosmart.js/JSFile_1[0][21b1] - Ok
htxp://www.4399.com//jss/sosmart.js - Ok

Checking: htxp://www.4399.com//jss/4399.js
File size: 2419 bytes
File MD5: dfdf28f4df4f1233db8e9a411f9d8b5b

htxp://www.4399.com//jss/4399.js - archive JS-HTML
>htxp://www.4399.com//jss/4399.js/JSFile_1[0][973] - Ok
htxp://www.4399.com//jss/4399.js - Ok

Checking: htxp://w.cnzz.com/c.php?id=30039538
File size: 9324 bytes
File MD5: 2692b326de6666a34f02cc28a5a64487

htxp://w.cnzz.com/c.php?id=30039538 - archive JS-HTML
-> ubd.cookie and document.referrer: XSS exploitable in code for htxp://www.statcounter.com/counter/counter.js & htxp://www.google-analytics.com/urchin.js on that site.
>htxp://w.cnzz.com/c.php?id=30039538/JSFile_1[0][246c] - Ok
htxp://w.cnzz.com/c.php?id=30039538 - Ok

Checking: htxp://www.4399.com//jss/jquery-1.6.1.min.js
File size: 89.20 KB
File MD5: a34f78c3aecd182144818eb4b7303fda

htxp://www.4399.com//jss/jquery-1.6.1.min.js - archive JS-HTML
>htxp://www.4399.com//jss/jquery-1.6.1.min.js/JSTag_1[11531][4f9d] - Ok
htxp://www.4399.com//jss/jquery-1.6.1.min.js - Ok

Checking: htxp://www.4399.com/
Engine version: 7.0.10.8210
Total virus-finding records: 5481131
File size: 181.07 KB
File MD5: 7ae552243393a153b76e3dcf30d908a7

htxp://www.4399.com/ - archive JS-HTML
>htxp://www.4399.com//JSTAG_1[385][28e] - Ok
>htxp://www.4399.com//JSTAG_2[716][c09] - Ok
>htxp://www.4399.com//JSTAG_3[2b241][1b26] - Ok
>htxp://www.4399.com//JSTAG_4[2d36b][5d] - Ok
htxp://www.4399.com/ - Ok

The suspicious JavaScript check returns: Suspicious

tch(ex){}</script> <script src='htxp://w.cnzz.com/c.php?id=30039538' language='javascript' charset='gb2312'></script> </body> </html>

External links to be checked:

polonus
« Last Edit: October 13, 2014, 07:22:35 PM by polonus »
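As an added example (not part of the thread, and not code from any of the tools or sites quoted above), a small Python check for the pattern polonus flags in the cnzz counter script: browser-controlled values such as document.referrer or document.cookie concatenated into document.write or an image src without encoding. The JavaScript sample and the counter.example host are constructed for the demonstration.

```python
import re
# Constructed sample in the style of the counter script polonus flags above; not real site code.
SAMPLE_JS = """\
var ubd = {};
ubd.cookie = document.cookie;
var r = document.referrer;
document.write("<img src='http://counter.example/c.gif?ref=" + r + "&c=" + ubd.cookie + "'>");
var safe = encodeURIComponent(document.referrer);
document.write("<img src='http://counter.example/s.gif?ref=" + safe + "'>");
var i = new Image(); i.src = "http://counter.example/i.gif?u=" + escape(document.URL) + "&h=" + location.hash;
"""
# DOM values a third party can influence (referrer, cookie, URL and fragment).
SOURCES = r"\b(?:document\.(?:referrer|cookie|URL)|(?:document\.)?location(?:\.(?:href|hash|search))?)\b"
ENCODERS = ("encodeURIComponent", "encodeURI", "escape")
SINK_RE = re.compile(r"document\.write(?:ln)?\s*\(|\.(?:src|href)\s*=(?!=)")
def balanced(text, start):
    """Index just past the ')' that closes the '(' at text[start]."""
    depth = 0
    for i in range(start, len(text)):
        depth += (text[i] == "(") - (text[i] == ")")
        if depth == 0:
            return i + 1
    return len(text)

def strip_encoded(expr):
    """Remove encoder(...) sub-expressions so correctly encoded uses are not flagged."""
    for enc in ENCODERS:
        while (m := re.search(r"\b" + enc + r"\s*\(", expr)):
            expr = expr[:m.start()] + expr[balanced(expr, m.end() - 1):]
    return expr
def tainted_names(js):
    """Identifiers assigned straight from a source, e.g. 'var r = document.referrer;'."""
    pat = re.compile(r"([A-Za-z_$][\w$.]*)\s*=\s*(?:" + SOURCES + r")\s*;")
    return {m.group(1) for m in pat.finditer(js)}

def find_unencoded_sinks(js):
    """Return (line, sink, tainted_term) for each sink fed raw DOM-controlled data."""
    alts = [SOURCES] + [r"\b" + re.escape(n) + r"\b" for n in sorted(tainted_names(js), key=len, reverse=True)]
    taint_re = re.compile("|".join(alts))
    findings = []
    for m in SINK_RE.finditer(js):
        if m.group(0).endswith("("):   # document.write( ... ): take the balanced argument list
            arg = js[m.end() - 1:balanced(js, m.end() - 1)]
        else:                          # x.src = ... ; : take up to the statement end
            arg = js[m.end():(js + ";").find(";", m.end())]
        line = js.count("\n", 0, m.start()) + 1
        for t in taint_re.finditer(strip_encoded(arg)):
            findings.append((line, m.group(0).strip("( ="), t.group(0)))
    return findings
```

The encoded uses on lines 5 and 7 of the sample are not reported; only the raw `r`, `ubd.cookie` and `location.hash` concatenations are.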

Offline polonus

Re: Probably false negative?
« Reply #3 on: October 13, 2014, 10:52:54 PM »
This domain is also flagged by avast as URL:Mal -> 4399dmw.com
avast! browser WebRep flags all sub-domains as malicious.
See: http://host.analyzer.cc/ip/115.182.52.47
See Netcraft site report: http://toolbar.netcraft.com/site_report?url=http://115.182.52.47
Normal warnings, no specific errors: https://asafaweb.com/Scan?Url=115.182.52.47
-> href="javascript:history.back(1)" could be abused on IOP website configuration!

polonus
« Last Edit: October 13, 2014, 10:59:37 PM by polonus »