Author Topic: Here avast (GData) detects and others do not... (Read 2755 times)

polonus · « **on:** September 12, 2011, 11:26:23 PM »

Hi forum friends,

Suspicious site: http://urlquery.net/report.php?id=2836
VT url scan: http://www.virustotal.com/url-scan/report.html?id=ef297a14d3233c634c0cad10641b58b8-1315854238
abd then VT scan of conflq.php: http://www.virustotal.com/file-scan/report.html?id=aff6ac6db755d7559f6743b4f07c2fc4b9d7d74c2874e542bb2b70c0c18ab1df-1315861915
Detected as JS:Redirector-JU [Trj]
Suspicious page with 63 scripting exploits, see: http://www.google.com/safebrowsing/diagnostic?site=http%3A//www.imaginup.eu/conflq.php
network http://sitevet.com/db/asn/AS8928 with 28 blacklisted URLs,

polonus

Pondus · « **Reply #1 on:** September 12, 2011, 11:41:42 PM »

Wepawet - imaginup.eu/conflq.php
http://wepawet.iseclab.org/view.php?hash=ef297a14d3233c634c0cad10641b58b8&t=1315863566&type=js

what about this ?

Quote

*****REMOVED bc risk of detection in forum*****

Sucuri say infected - Malware found in the URL: imaginup.eu//bodegasadria/

wepawet - imaginup.eu//bodegasadria/
http://wepawet.iseclab.org/view.php?hash=2a22bd62c482f46a0214bbcb8e80c5a9&t=1315863860&type=js

polonus · « **Reply #2 on:** September 12, 2011, 11:56:35 PM »

Hi Pondus,

Of course we did not count in those specific site scanners here.
You gave us all a good analysis of what is out there.
But I wanted to point out at the VT results and there avast and GData had detection.

Comodo's site inspector also flags the page, but only mentions the blacklisting and not the specific iFrame malcode details like you gave us. SOS web scan also flags the page: Main URL: -http://www.imaginup.eu/conflq.php is suspicious. WOT flags the site, see a.o.:
http://www.urlvoid.com/scan/imaginup.eu

polonus

Pondus · « **Reply #3 on:** September 13, 2011, 12:04:24 AM »

Quote

But I wanted to point out at the VT results and there avast and GData had detection.

as usuall it seems that the only one that can see and tell us what avast! is detecting is Sucuri..... so avast! first again

Sucuri malware info here http://sucuri.net/malware/malware-entry-mwjs612 click the red link at bottom there for full sample info

The full sample give this detection
http://www.virustotal.com/file-scan/report.html?id=34ed99e9f17b90f50db8254a0e7c3b282ddf8a640a919edb4a121cf4485951e6-1315865115

polonus · « **Reply #4 on:** September 13, 2011, 12:28:29 AM »

Hi Pondus,

Well that means quite a sudden increase in detection rate. So it is a fact that we only can establish what is wrong with a site when we look directly at the specific source. Indirectly via Sucuri or directly via a VM like the malzilla browser (Do not do this unless you know how to handle and be protected inside a VM malcode browser). Another way is to analyse via http://urlquery.net/ or view the source code browsing a free secure web proxy like http://www.idoproxy.com/
In the case of iFrame malware a wepawet scan can reveal a lot, and if we have a MD5 hash of the malcode in question, like here 92de4d225d8c333821176a9e05e95650 we could give that in in google to search on further detections. Well apparently Pondus VT scan has not landed in their cache then. It was rather fresh,

polonus

Author Topic: Here avast (GData) detects and others do not... (Read 2755 times)

polonus

Here avast (GData) detects and others do not...

Pondus

Re: Here avast (GData) detects and others do not...

polonus

Re: Here avast (GData) detects and others do not...

Pondus

Re: Here avast (GData) detects and others do not...

polonus

Re: Here avast (GData) detects and others do not...