Author Topic: Sucuri should not detect: wXw.av2g.xgphuhxhitxjtdxery.net


Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
« Last Edit: August 21, 2015, 08:40:15 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Online polonus

Re: Sucuri does not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #1 on: August 20, 2015, 07:17:37 PM »
Could file be harmless? https://www.virustotal.com/nl/file/fdfe0993e6e9e9917554bb95b1137af5870146fd38da5f13bea1b530ac05b296/analysis/1440087407/

Thanks as always to Pondus for the check and evaluation  :)

polonus

REDACTED

  • Guest
Re: Sucuri does not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #2 on: August 21, 2015, 08:23:21 PM »
Sucuri is not a client side anti-virus. It is supposed to detect infected/compromised legitimate sites. Or do you see this domain somewhere being used in attacks on legitimate sites? If yes, you could email at "labs [at] sucuri.net".

Thanks!

Online polonus

Re: Sucuri does not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #3 on: August 21, 2015, 08:39:30 PM »
Dear Denis S,

Agreed, it is out of your mission.
On the other hand, where would volunteer website security analysts like little old me be without Sucuri's?  :o
Always loved to add to or add from your detection and get educated by your analyses.
What Sucuri does is important, and be assured a more secure website landscape cannot exist without your continuous efforts.
That is why I say every user should have malware host blocking in some way enabled.
Keep up the good work.

polonus (volunteer website security analyst and website error hunter).

REDACTED

  • Guest
Re: Sucuri should not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #4 on: August 21, 2015, 09:13:00 PM »
The point of my post is you should realize that Sucuri SiteCheck treats all sites it scans as legitimate sites that might be compromised. So it only looks for patterns that show that there may be something that webmasters didn't mean to have on their sites.

Outright malicious sites (created specifically to distribute malware) are usually different beasts and normal patterns are not applicable to them. SiteCheck can only flag them if it finds malware that can also be found on infected sites or the domains are blacklisted by some of our partners.

In this case, the domain name looks pretty random, which means there may be lots of them used by this attack and each of them is only active during a very limited period of time. So just finding and blacklisting such domains is not a good strategy for Sucuri. It would be more beneficial to see if these domains are used in site infections and detect the malicious code they are associated with. So if you have this additional information (at least a live infected site) we'd love to hear from you :)

Online polonus

Re: Sucuri should not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #5 on: August 21, 2015, 09:17:31 PM »
Hi Denis S.

The main domain may be a legit and registered website on a dedicated server in Hong Kong, see: http://whois.domaintools.com/xgphuhxhitxjtdxery.net
The subdomains may not be and could have been specifically crafted for malicious purposes.
See also Peter Kleissner's data on the main IP: https://virustracker.net/103.240.82.138
When malicious per se Peter always adds "criminal" there, meaning there is active and up malcode, no more no less.
The AS is not malicious per se with only 14 bad & blacklisted URLs: http://sitevet.com/db/asn/AS9919

polonus

P.S. As you see I have changed the topic wordings to better reflect the intention of your reaction  ;)
« Last Edit: August 21, 2015, 09:32:49 PM by polonus »

REDACTED

  • Guest
Re: Sucuri should not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #6 on: August 21, 2015, 10:09:50 PM »
I can see many similar domains and subdomains being used at the moment:

https://urlquery.net/report.php?id=1438638521403
http://urlquery.net/report.php?id=1438668093830

And their URL patterns look very malicious.

Moreover, some of them (e.g. hxxp://4d2j[.]fsmrpjzrzkiu[.]com/) Google already flags as Phishing.

P.S. I used this Google query: [site:urlquery.net xgphuhxhitxjtdxery.net]
https://www.google.com/search?q=site:urlquery.net+xgphuhxhitxjtdxery.net
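The reasoning in Reply #4 and Reply #6 (a random-looking registrable label, many short-lived sibling domains, digit/letter subdomains such as av2g and 4d2j) can be turned into a small lexical triage step. The script below is an added example written for this thread; it is not code from the forum, from Sucuri SiteCheck, or from any poster. The sample input is constructed from the two defanged IoCs posted above plus the benign reference sites the thread links to; the thresholds (consonant run of 5 or more, vowel ratio under 0.2 on labels of 8+ characters) and the assumption that the registrable label is always the second-to-last one (true for the .net/.com hosts here, not in general) are my own simplifications.

```python
"""Heuristic triage of host names for random-looking (algorithmically generated)
registrable labels, the pattern pointed out in this thread.

Added example: not the forum's, Sucuri's, or any poster's code. Constructed
sample input; thresholds and the two-level-suffix assumption are mine.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass, field

VOWELS = frozenset("aeiou")


def refang(text: str) -> str:
    """Undo common defanging so a posted IoC can be parsed: hxxp -> http,
    [.] / (.) -> ., and the wXw. prefix used in this thread -> www."""
    text = re.sub(r"hxxp", "http", text.strip(), flags=re.IGNORECASE)
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"(^|://)wxw\.", r"\1www.", text, flags=re.IGNORECASE)


def hostname(url: str) -> str:
    """Return the lower-cased host part of a URL or bare host string."""
    m = re.match(r"^(?:[a-z][a-z0-9+.-]*://)?([^/:?#]+)", refang(url), re.IGNORECASE)
    if not m:
        raise ValueError(f"no hostname in {url!r}")
    return m.group(1).lower().rstrip(".")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def vowel_ratio(label: str) -> float:
    """Share of alphabetic characters that are vowels; English-like labels sit around 0.35-0.5."""
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(label: str) -> int:
    """Length of the longest unbroken run of consonants (digits and '-' break a run)."""
    best = cur = 0
    for c in label:
        cur = cur + 1 if c.isalpha() and c not in VOWELS else 0
        best = max(best, cur)
    return best


@dataclass
class HostScore:
    host: str
    label: str            # the label that was scored (second-level label, or the IP)
    entropy: float
    vowel_ratio: float
    consonant_run: int
    suspicious: bool
    reasons: list = field(default_factory=list)


def score_host(url: str, *, min_run: int = 5, min_vowel_ratio: float = 0.2,
               min_len: int = 8) -> HostScore:
    """Score the second-level label of a host. Assumes two-level suffixes (.net/.com as
    in the thread); a real deployment would consult the Public Suffix List instead."""
    host = hostname(url)
    if re.fullmatch(r"[\d.]+", host):
        return HostScore(host, host, 0.0, 0.0, 0, False, ["ip address, not scored"])
    labels = host.split(".")
    label = labels[-2] if len(labels) >= 2 else labels[0]
    ent, vr, run = shannon_entropy(label), vowel_ratio(label), longest_consonant_run(label)
    reasons = []
    if run >= min_run:
        reasons.append(f"consonant run of {run} in {label!r}")
    if len(label) >= min_len and vr < min_vowel_ratio:
        reasons.append(f"vowel ratio {vr:.2f} in {label!r}")
    # Weak signal only: a short subdomain mixing digits and letters (av2g, 4d2j).
    for sub in labels[:-2]:
        if len(sub) <= 5 and re.search(r"\d", sub) and re.search(r"[a-z]", sub):
            reasons.append(f"digit/letter subdomain {sub!r} (weak)")
    suspicious = any(not r.endswith("(weak)") for r in reasons)
    return HostScore(host, label, ent, vr, run, suspicious, reasons)


def triage(urls):
    """Return (host, reasons) for every input that trips a strong heuristic."""
    return [(s.host, s.reasons) for s in map(score_host, urls) if s.suspicious]


# Constructed sample: the two IoCs posted in the thread plus the benign sites it links to.
SAMPLE = [
    "hxxp://wXw.av2g.xgphuhxhitxjtdxery.net/",
    "hxxp://4d2j[.]fsmrpjzrzkiu[.]com/",
    "https://www.virustotal.com/",
    "http://www.phishtank.com/phish_detail.php?phish_id=3348498",
    "https://urlquery.net/report.php?id=1438638521403",
    "http://whois.domaintools.com/xgphuhxhitxjtdxery.net",
    "http://sitevet.com/db/asn/AS9919",
]

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE):
        print(host, "->", "; ".join(reasons))
```

Run stand-alone, the script flags the two thread IoCs and nothing else; phishtank (vowel ratio 0.22, longest consonant run 3) sits just on the benign side of the thresholds, which is a reminder that lexical scoring like this is a prioritisation aid for a human or a sandbox check, not a blocklist source on its own.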

REDACTED

  • Guest
Re: Sucuri should not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #7 on: August 21, 2015, 10:14:02 PM »
Update: Found one of them on Phishtank. The screenshot proves it's a phishing attack.
http://www.phishtank.com/phish_detail.php?phish_id=3348498

Online polonus

Re: Sucuri should not detect: wXw.av2g.xgphuhxhitxjtdxery.net
« Reply #8 on: August 21, 2015, 10:19:42 PM »
Hi Denis S,

Thanks for the heads-up on this phishing campaign.
The readers of this thread now have been forewarned and are forearmed.

polonus