Topic: Possible FP on web site scan


spg SCOTT

Re: Possible FP on web site scan
« Reply #15 on: February 21, 2012, 07:07:41 PM »
Seems that leads to a 404 page, which appears to have been hacked. (You can tell it is the 404 page, since any link that doesn't exist will generate an alert, because it leads to a 404 not found page.)


AU4U

Re: Possible FP on web site scan
« Reply #17 on: February 21, 2012, 07:38:35 PM »
OK, so the Flipmytext redirects to a dead link.
It's the redirect that avast! is detecting and blocking, even though there's no trojan at the other end.

So in your HO, is the site safe to use?

EDIT:
Could this be just sloppy web site maintenance, a link to another service on their site that was not completely removed?
The new owners might have changed site developers, and they could have changed and overlooked something like this, being unfamiliar with the history and development of their service.
One of the changes I have noticed is all the FB/Twitter/LinkIn/Bebo/etc links and icons.
Lots of good fun stuff on the site though!
« Last Edit: February 21, 2012, 07:54:30 PM by MichaelT. »

spg SCOTT

Re: Possible FP on web site scan
« Reply #18 on: February 21, 2012, 07:44:27 PM »
Their 404 (not found) error page (and possibly others) is infected. Any dead link you click will lead to this page.


I wouldn't say it was safe. There is nothing to say that in the near future the redirect is changed to a site that is active or the site already there becomes active.

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37621
  • Not a avast user
Re: Possible FP on web site scan
« Reply #19 on: February 21, 2012, 11:24:56 PM »
Sophos lab
Quote
Thank you for your sample submission and contacting Sophos Technical Support.

File states:
============

tattoos.htm => not detect-worthy
flipmytext.com.htm => not detect-worthy


There is nothing in either submitted file that shows the malware.

The site may have already been cleaned up.

From the sucuri sitecheck - the string found is consistent with Mal/ExpJS-N which we do detect.


« Last Edit: February 22, 2012, 12:02:08 AM by Pondus »

Offline !Donovan

Re: Possible FP on web site scan
« Reply #20 on: February 22, 2012, 12:05:52 AM »
Sophos lab
[stuff]

In other words, the malware is valid and it is still present.

You have a risk of running into this javascript malware anytime you find an unknown URL on their site domain.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline Pondus

Re: Possible FP on web site scan
« Reply #21 on: February 22, 2012, 06:44:05 AM »
Avira lab
Quote
The file 'tattoos.htm' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.

The file 'flipmytext.com.htm' has been determined to be 'CLEAN'. Our analysts did not discover any malicious content.
« Last Edit: February 22, 2012, 06:46:50 AM by Pondus »

AU4U

Re: Possible FP on web site scan
« Reply #22 on: February 22, 2012, 01:23:36 PM »
Avira and Sophos detect nothing.
VT, URLVoid, Wepawet detect nothing.

So only avast! and Sucuri are detecting this? ??? ::)

Oh yes, AND, my MBAM Pro detected nothing, maybe avast! blocked it before MBAM could detect it.
« Last Edit: February 22, 2012, 01:40:43 PM by MichaelT. »

Offline polonus

Re: Possible FP on web site scan
« Reply #23 on: February 22, 2012, 04:33:55 PM »
What is with spacer.gif? Another name for the use of a transparent GIF is "spacer GIF".
The trick used here is to make a transparent GIF image that is 1 pixel by 1 pixel, and then lie to the browser about its width!
The browser does not care, but avast flags this as a spyware alert; others alert as HTML/Infected.WebPage.Gen.
Some were also found later to be FPs.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
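As an added example (not code from this thread or from any of the labs mentioned), here is a small Python checker for the trick polonus describes: an `<img>` whose declared width/height disagree with the real dimensions in the GIF header. The sample HTML and the 1x1 transparent GIF bytes are constructed, and `fetch` is an assumed callback that returns the image bytes for a given src.

```python
import struct
from html.parser import HTMLParser

# Constructed sample: the well-known 1x1 transparent GIF89a (logical screen 1x1).
SPACER_GIF = (b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"  # flags, bg, aspect
              + b"\x00\x00\x00\xff\xff\xff"                            # 2-colour palette
              + b"\x21\xf9\x04\x01\x00\x00\x00\x00"                    # GCE: index 0 transparent
              + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
              + b"\x02\x01\x44\x00"                                     # LZW image data
              + b"\x3b")                                                # trailer

def gif_dimensions(data):
    """Return (width, height) from the GIF logical screen descriptor, or None."""
    if len(data) < 10 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    return struct.unpack("<HH", data[6:10])

class ImgCollector(HTMLParser):
    """Collect the attribute dicts of every <img> tag in the document."""
    def __init__(self):
        super().__init__()
        self.imgs = []
    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.imgs.append(dict(attrs))

def declared_size(attrs):
    """Parse width/height attributes; None if either is missing or not an int."""
    try:
        return int(attrs.get("width") or ""), int(attrs.get("height") or "")
    except ValueError:
        return None

def find_lying_spacers(html, fetch):
    """Return (src, declared, actual) for each <img> whose declared size
    disagrees with the real GIF size. fetch(src) -> image bytes or None."""
    p = ImgCollector()
    p.feed(html)
    hits = []
    for attrs in p.imgs:
        src = attrs.get("src") or ""
        declared = declared_size(attrs)
        actual = gif_dimensions(fetch(src) or b"")
        if declared and actual and declared != actual:
            hits.append((src, declared, actual))
    return hits

# Constructed page: one stretched spacer, one honest spacer, one image we cannot fetch.
SAMPLE_HTML = '''<img src="spacer.gif" width="300" height="1">
<img src="spacer.gif" width="1" height="1">
<img src="logo.gif" width="120" height="40">'''
SAMPLE_FILES = {"spacer.gif": SPACER_GIF}  # logo.gif is absent, so it is skipped

if __name__ == "__main__":
    for src, declared, actual in find_lying_spacers(SAMPLE_HTML, SAMPLE_FILES.get):
        print("%s: declared %dx%d, file is %dx%d" % ((src,) + declared + actual))
```

A stretched 1x1 GIF is common in legitimate table layouts too, so treat a hit as a lead to inspect the page, not as proof of malware.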

AU4U

Re: Possible FP on web site scan
« Reply #24 on: February 22, 2012, 05:08:20 PM »
New web site owner.
Probably a new (cut rate) site developer.
As I mentioned, there are some new social networking icon/links on the pages.
Poorly coded site development. Example LINK: http://www.websitetechnician.com/articles/using-a-spacer-gif-file-for-layouts/
Interesting read, the guy that hosts the site got dumped on by a REAL site developer, that knew what he was doing was wrong.

Soooo, my last question is: Is the site safe, and is avast! detecting an FP?


Offline Pondus

Re: Possible FP on web site scan
« Reply #25 on: February 22, 2012, 05:42:47 PM »
Norman lab
Quote
Files:
flipmytext.com.htm : Not added
tattoos.htm : Clean!

spg SCOTT

Re: Possible FP on web site scan
« Reply #26 on: February 22, 2012, 07:06:00 PM »
Quote
Their 404 (not found) error page (and possibly others) is infected. Any dead link you click will lead to this page.

I wouldn't say it was safe. There is nothing to say that in the near future the redirect is changed to a site that is active or the site already there becomes active.

The pages that Pondus is sending to all of the others are not the ones that are infected. The 404 page is the infected page. The problem is that when there are references to pages that don't exist, they get redirected to the infected 404 page.

The detection on that script is this:
https://www.virustotal.com/file/f970fcc21c8b9b5d0b35b018d0019a1c8b9d2b0a6483c79b6238e48e4e151a45/analysis/1329933860/

Offline polonus

Re: Possible FP on web site scan
« Reply #27 on: February 23, 2012, 12:24:25 AM »
Hi spg SCOTT,

Thanks for explaining this. The spacer.gif method is known to us now, the alleged 404 redirect is known also, and the code in index.php is also known. You will find what spg SCOTT gives also here: htxp://jsunpack.jeek.org/?report=f1b2736e07d7ab991c6b3405cc35995906e25b28 (visit this jsunpack link when security savvy, with script blocking enabled, and in a VM)

Similar obfuscation flagged here through Google Safebrowsing: hxtp://www.pvvanopijnen.nl/index.php?option=com_content...feed...
So webmasters have to check weird input and re-check weird input; there can be malcode around the corner...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!