Author Topic: Infected website with Smith-Wesson forum or false positive?  (Read 7751 times)


philly12

  • Guest
Hello, I was looking up some tips on my new handgun and a lot of links brought me to a top smith-wesson forum site.

However, when I click the link in google, avast gives me a red popup and says that it is URL:Mal

I'm confused because it seems the site is used a lot and is very popular and even offers computer security links too to help its members. It is green for siteadvisor and even avast's own webrep symbol on google is green.

I won't post the direct link here so people don't click on it, but if you google "smith-wesson forum" it is the very first link that appears.

None of my other sites have any problems, so I'm wondering if this is a false positive or an actual URL attack by a hacker?

Maybe the site managers need to be aware of this if it is real. Please let me know if this is a false positive or not. Thanks.

philly12

  • Guest
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #1 on: June 19, 2012, 05:00:51 AM »
So it gets even weirder. This warning only comes up when I click on the google link from the search and not if I actually put it into my browser bar.
Why would this only appear from the main google link (even to its front page)?

This is the only site where I have an issue with google. I tested a lot of other random links and they are fine.
« Last Edit: June 19, 2012, 05:02:58 AM by philly12 »

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #2 on: June 19, 2012, 08:46:59 AM »
just providing info here, please wait for more experienced forum members to have a look at this.

from web analysis tools, it seems to be safe.

web analysis results:
1. http://sitecheck.sucuri.net/results/smith-wessonforum.com/
2. https://www.virustotal.com/file/e3e884c3d27bc6f8c714b3ab7a0db31ad1cb661486671fdf8fe0abf79d758638/analysis/1340087850/
3. http://www.webutation.net/go/review/smith-wessonforum.com
4. http://zulu.zscaler.com/submission/show/f4f1f817acd92622ec3f19d7e8483cc9-1340087992
5. http://www.urlvoid.com/scan/smith-wessonforum.com/
6. BrightCloud Content and Reputation - 96/100 (excellent)

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76035
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #3 on: June 19, 2012, 08:56:14 AM »
I don't get any avast! alert on the S&W forum.
@OP: If you still get an alert, please post a screenshot.
W8.1 [x64] - Avast Free AV 23.3.8047.BC [UI.757] - Firefox ESR 102.9 [NS/uBO/PB] - Thunderbird 102.9.1
Avast-Tools: Secure Browser 109.0 - Cleanup 23.1 - SecureLine 5.18 - DriverUpdater 23.1 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

philly12

  • Guest
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #4 on: June 29, 2012, 04:43:30 AM »
Hmm... it is still happening. Let me show you guys what is happening by using a series of photos. (I will have to add 3 and 4 to a separate post below due to size requirements).

Photo 1: Going to google and searching for the forum name.

Photo 2: Clicking on the google link (which is not an ad link) and going to the site through the google link. Then avast! pops up with the warning listed.

Photo 3: After I click on "more details" in the warning from photo 2

Photo 4: Creating my own tab and putting "smith-wessonforum.com/" directly into the URL bar (and no warning appearing at all)

So what is causing this? I had this happen at one other legitimate site too off of a google link, but I didn't think enough about it to document the occurrence. All my other google searches are still working fine with their links. This is really starting to confuse me.

You think it might be an infected browser or something similar since it is only with the google link?

I scanned with Malwarebytes and Superantispyware (no infected results), and I have used hijackthis to make a log and checked it with hijackthis.de (and it looked all clean).

Thanks for any help.

philly12

  • Guest
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #5 on: June 29, 2012, 04:45:15 AM »
Photos 3 and 4 from description above.

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #6 on: June 29, 2012, 05:15:38 AM »
the network shield block is not because of any existing infections on ur system. i could reproduce ur problem on a freshly installed windows 7 with only avast free v7.0.1426/.0.1451

i used IE 9 instead and tried the same link with both Bing and Google search. from search results, both will cause avast network shield to pop-up a block notification. however, direct visit through typing in the url address bar does not cause a block to occur.

web analysis report on the offending url within the network shield block notification.

https://www.virustotal.com/file/24758c3eabdbecfb5be43570db4f86e88c1d2a6a8198cb872b6f0b8330546186/analysis/1340938964/ (clean)
http://zulu.zscaler.com/submission/show/1719189c78107fc37642cc96c2fd27de-1340939007 (malicious)
http://www.webutation.net/go/review/pisezmakoons.org (reputation very poor --WOT)

system specs: windows 7 32bit sp1, only Avast free v7.0.1426 --> upgraded to v7.0.1451
« Last Edit: June 29, 2012, 05:21:12 AM by AntiVirusASeT »

philly12

  • Guest
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #7 on: June 29, 2012, 05:20:37 AM »
Well yes, AntiVirusASeT, you just confirmed what I was saying.

But what does this mean, like what is going wrong?

Offline AntiVirusASeT

  • Poster
  • *
  • Posts: 462
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #8 on: June 29, 2012, 05:28:43 AM »
well i have no idea too :-[ but just confirming ur findings so that avast team ppl or someone more experienced may come over to check. (using a clean system with nothing else except avast on it)

this is because if it is just on ur system, it maybe an infection which malwarebytes or superantispyware could not detect. (which i would have recommended u to the virus section of avast forum to get checked by malware removal experts over there)

philly12

  • Guest
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #9 on: June 29, 2012, 05:32:11 AM »
well i have no idea too :-[ but just confirming ur findings so that avast team ppl or someone more experienced may come over to check. (using a clean system with nothing else except avast on it)

this is because if it is just on ur system, it maybe an infection which malwarebytes or superantispyware could not detect. (which i would have recommended u to the virus section of avast forum to get checked by malware removal experts over there)

Sorry AntiVirusASeT, I didn't mean to be rude. I appreciate you corroborating my story with a clean system as well. I guess we will find out together what's going on  :D.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89168
  • No support PMs thanks
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #10 on: June 29, 2012, 01:01:27 PM »
Your images might be large but the detail is too small to read the important information, so a selective screen shot of just the alert window so the text can be read.

But it looks like something on the S&W site is trying to connect to another site and that is being blocked as it is considered malicious and not the S&W site as such. Such things as banner ads and user attached images, etc. are just two things that try to load remote content.

It also isn't unusual to find avast alerting on google results as there have been issues with search result poisoning, where the link may look like it is for S&W but goes to another site.

Using firefox 13.0.1 I googled smith and wesson forum and clicked the first link (image1) and had no problem connecting to S&W forum (image2, click to expand)
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #11 on: June 29, 2012, 05:51:35 PM »
Photo 1: Going to google and searching for the forum name.

Photo 2: Clicking on the google link (which is not an ad link) and going to the site through the google link. Then avast! pops up with the warning listed.

Photo 3: After I click on "more details" in the warning from photo 2

Photo 4: Creating my own tab and putting "smith-wessonforum.com/" directly into the URL bar (and no warning appearing at all)

So what is causing this? I had this happen at one other legitimate site too off of a google link, but I didn't think enough about it to document the occurrence. All my other google searches are still working fine with their links. This is really starting to confuse me.

You think it might be an infected browser or something similar since it is only with the google link?

Based on the information you provide, I assume that there is a script that checks for the document.referrer then redirects if it matches the requirements (e.g: user came from Google).

Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #12 on: June 29, 2012, 06:05:50 PM »
Hypothesis Correct. See:
http://urlquery.net/report.php?id=78686

Notice the referrer is the link I receive from the Google redirect.

Compare To No Referrer:
http://urlquery.net/report.php?id=78685

With the referrer, Suricata alerts "ET RBN Known Russian Business Network IP (410)".

There is also a new instance URL, and to raise more suspicion, to a javascript file: wXw.pisezmakoons.org/ijr.js?essonf

Final Statement:
Malicious. Google Redirect.

Remember, referrer is a powerful weapon that we use. Using it can change an outcome drastically. See: http://urlquery.net/intro.php
====================================
Referer

This is probably the most important to use correctly. This manipulates the referer field in the HTTP header which tells a webserver where a user originated from. This is automatically set by the browser to contain the URL of the site/page a user came from when clicking a link or getting redirected. Many malicious sites use this to filter out direct traffic to their malicious site and only accept traffic which gets redirected from one of their infected sites. This is to prevent security researchers from accessing their malicious code to reverse it. Do note not all malicious sites use the referer field to filter traffic, but missing this value can drastically change the result.

The difference between supplying a referer and not can be the difference between a blank page and the actual malicious page being sent back.

When using this field it is important to note that it requires a full URL. Example: http://google.com/ or http://google.com/somepage.htm

Using only google.com would be an invalid entry based on the HTTP standard.

Default: None
====================================
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
Re: Infected website with Smith-Wesson forum or false positive?
« Reply #13 on: June 29, 2012, 10:30:54 PM »
Hi !Donovan,

If it does not meet both the browser type, and a referrer match, the action will die.
The referral script starts as -> window.googleJavaScriptRedirect=1
They use a redirect page to track what you click on.
That is personalized search for you, and you cannot do much to prevent this.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
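The behaviour described in Reply #12 (the extra script only appears when the request carries a Google Referer) and Reply #13 (the action also requires a browser-type match) can be checked from the analyst's side by fetching the same URL under several request contexts and comparing the bodies. The following is an added example, not code from this thread or from urlquery.net: it runs a constructed local stand-in server that mimics the referrer-and-browser cloaking the posters describe (the injected script URL is a placeholder, not the domain named in the thread), then probes it with and without a Referer and a browser-like User-Agent and reports which contexts produce a different page. It also includes the full-URL check for the Referer value that the quoted urlquery note calls for.

```python
"""Probe a URL under several request contexts and flag responses that
change with the Referer or User-Agent header (referrer cloaking)."""
import hashlib
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# --- Constructed stand-in for a cloaking server (NOT the site from the thread) ---
CLEAN_BODY = b"<html><body>Welcome to the forum.</body></html>"
INJECTED_BODY = (
    b"<html><body>Welcome to the forum."
    # placeholder script reference, constructed for this example
    b'<script src="http://example.invalid/placeholder.js"></script>'
    b"</body></html>"
)


class CloakingHandler(BaseHTTPRequestHandler):
    """Serve the extra script only to visitors who arrived from Google AND
    present a browser-like User-Agent; everyone else gets the clean page."""

    def do_GET(self):
        referer = self.headers.get("Referer", "")
        ua = self.headers.get("User-Agent", "")
        from_search = referer.startswith(("http://www.google.com/", "https://www.google.com/"))
        browser_like = "Mozilla/" in ua
        body = INJECTED_BODY if (from_search and browser_like) else CLEAN_BODY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_mock_server():
    """Start the stand-in server on an ephemeral localhost port."""
    server = HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


# --- Analyst-side check ---
BROWSER_UA = "Mozilla/5.0 (constructed example User-Agent)"
GOOGLE_REFERER = "http://www.google.com/search?q=forum"  # constructed referer value

PROFILES = {
    "direct, generic client": {},
    "direct, browser UA": {"User-Agent": BROWSER_UA},
    "from Google, generic client": {"Referer": GOOGLE_REFERER},
    "from Google, browser UA": {"Referer": GOOGLE_REFERER, "User-Agent": BROWSER_UA},
}


def is_valid_referer(value):
    """The Referer header must be a full URL (scheme + host), as the urlquery
    note says: 'http://google.com/' is valid, 'google.com' is not."""
    parts = urlparse(value)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def fetch(url, headers):
    for name, value in headers.items():
        if name == "Referer" and not is_valid_referer(value):
            raise ValueError(f"Referer must be a full URL, got {value!r}")
    with urlopen(Request(url, headers=headers), timeout=5) as resp:
        return resp.read()


def probe(url, profiles=PROFILES):
    """Return {profile name: sha256 of the body served for that profile}."""
    return {name: hashlib.sha256(fetch(url, hdrs)).hexdigest() for name, hdrs in profiles.items()}


def cloaking_suspected(results):
    """More than one distinct body across profiles means the server tailors
    its response to where the visitor came from or what client they use."""
    return len(set(results.values())) > 1


def divergent_profiles(results):
    """Names of the profiles whose body differs from the plain direct fetch."""
    baseline = results["direct, generic client"]
    return sorted(name for name, digest in results.items() if digest != baseline)


if __name__ == "__main__":
    srv = start_mock_server()
    target = f"http://127.0.0.1:{srv.server_port}/"
    res = probe(target)
    for name, digest in res.items():
        print(f"{name:30s} {digest[:16]}")
    print("cloaking suspected:", cloaking_suspected(res))
    print("divergent profiles:", divergent_profiles(res))
    srv.shutdown()
```

Only the "from Google, browser UA" profile receives a different body, which is exactly the pattern in the thread: a direct visit, or a visit from a non-browser scanner, looks clean, and a site reputation check based on such a fetch will report nothing wrong. When running this against a real URL, the hashes that differ from the direct fetch tell the analyst which request context to reproduce in a sandbox.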