Topic: Avast does not detect Blackhole site


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #1 on: July 03, 2012, 07:11:46 PM »
Same pattern found here: http://urlquery.net/report.php?id=81490
princess-sales dot net/main.php?page=3eeb1d64e259a3cf
     status: (referer=htxp:/twitter.com/trends/)saved 62768 bytes 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62cfailure: [Errno 13] Permission denied: '/var/wXw/maliciousips.txt'
     info: [decodingLevel=0] found JavaScript
     info: DecodedGenericCLSID detected CA8A9780-280D-11CF-A24D-444553540000 BD96C556-65A3-11D0-983A-00C04FC29E36 d27cdb6e-ae6d-11cf-96b8-444553540000 D27CDB6E-AE6D-11CF-96B8-444553540000
     malicious: Alert detected /alert CVE-2006-0003 shellexecute with ./../44c9f31.ex-
     file: 93b5ded79fcc2b1a3e5e6bcf509fb3e2c7a4e62c: 62768 bytes
     file: a79e179909484d491a47ac37cc5d65743a8792a3: 16757 bytes

polonus
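A small defender-side triage helper written for this thread (not code from the posts, from urlquery or from any of the tools mentioned): it flags proxy log lines whose URL has the main.php?page=<16 hex> landing-page shape from the report in Reply #1, and reports which of the CLSIDs from that report's DecodedGenericCLSID line show up in a decoded script, matching case-insensitively because the report shows both cases. The log lines and the script snippet are constructed, and the CLSID labels are my own annotations; the thread itself only ties the second CLSID to CVE-2006-0003.

```python
import re

# CLSIDs from the "DecodedGenericCLSID detected" line of the urlquery report quoted
# above. The labels are this example's own annotations; the thread itself only ties
# the second one to CVE-2006-0003 (the "shellexecute" alert in the same report).
SUSPICIOUS_CLSIDS = {
    "CA8A9780-280D-11CF-A24D-444553540000": "Java plug-in probe",
    "BD96C556-65A3-11D0-983A-00C04FC29E36": "RDS.Dataspace (CVE-2006-0003, MS06-014)",
    "D27CDB6E-AE6D-11CF-96B8-444553540000": "Shockwave Flash probe",
}

# Landing-page URL shape from the report: main.php?page=<exactly 16 hex characters>.
LANDING_RE = re.compile(r"/main\.php\?page=[0-9a-f]{16}\b", re.IGNORECASE)
CLSID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.IGNORECASE)

# Constructed proxy log lines (not from the thread); only the first has the pattern.
SAMPLE_PROXY_LOG = """\
1341335845.123 10.0.0.12 GET http://landing-host.example/main.php?page=3eeb1d64e259a3cf 200 referer=http://twitter.com/trends/
1341335846.001 10.0.0.12 GET http://example.org/main.php?page=about 200 referer=-
1341335847.500 10.0.0.15 GET http://example.org/main.php?page=3eeb1d64e259a3cf00 200 referer=-
"""

# Constructed stand-in for a decoded script; note the mixed-case CLSID, as in the report.
SAMPLE_DECODED_JS = """\
var o = document.createElement("object");
o.setAttribute("classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36");
var f = "clsid:d27cdb6e-ae6d-11cf-96b8-444553540000";
"""

def landing_page_hits(log_text):
    """Return the matching URL fragment for every log line with the landing-page shape."""
    hits = []
    for line in log_text.splitlines():
        m = LANDING_RE.search(line)
        if m:
            hits.append(m.group(0))
    return hits

def clsid_hits(decoded_js):
    """Return sorted (CLSID, label) pairs for listed CLSIDs found in decoded script text."""
    found = {m.group(0).upper() for m in CLSID_RE.finditer(decoded_js)}
    return sorted((c, SUSPICIOUS_CLSIDS[c]) for c in found if c in SUSPICIOUS_CLSIDS)

if __name__ == "__main__":
    for url in landing_page_hits(SAMPLE_PROXY_LOG):
        print("landing-page URL:", url)
    for clsid, label in clsid_hits(SAMPLE_DECODED_JS):
        print("CLSID probe:", clsid, "->", label)
```

The third sample line deliberately has 18 hex characters, so it does not match: the exact-length check keeps look-alike URLs out of the alert.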

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #4 on: July 03, 2012, 07:38:48 PM »
Hi !Donovan,

What did the shellcode there translate to? Is it a variant of what avast detects as JS:ShellCode-AF[Expl]?
See: http://forum.avast.com/index.php?topic=99293.0

Shellcode, see attached image.
It checks for various OS/browser configurations to infect with Shockwave Flash plug-in malware...

polonus
« Last Edit: July 03, 2012, 07:47:23 PM by polonus »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast does not detect Blackhole site
« Reply #5 on: July 04, 2012, 02:59:53 AM »
VirusTotal: https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341335845/
Not detected by any antivirus.. :'(
4 now detect:
Code:
AntiVir    JS/Agent.ajy
AVG        Script/Exploit.Kit
Microsoft  Exploit:JS/Blacole.GB
Sophos     Mal/ExpJS-N
https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341363413/
----------------------
[July 4th Update] 2 more detect:
Code:
Emsisoft  Exploit.JS.Blacole!IK
Ikarus    Exploit.JS.Blacole
https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341405519/
« Last Edit: July 04, 2012, 02:41:34 PM by !Donovan »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #6 on: July 04, 2012, 09:30:30 PM »
Hi !Donovan,

How about this one (IDS is clear with all alerts): http://urlquery.net/report.php?id=82387
Here it is missed: http://zulu.zscaler.com/submission/show/06768700d558a42f1768359dbc0d1fc3-1341430078

polonus

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast does not detect Blackhole site
« Reply #7 on: July 04, 2012, 10:50:32 PM »
The reason Zulu missed it is likely that the content of the URL couldn't be retrieved, hence HTTP Status Code: 500 Server Unavailable.

Quote
[...] Some people get the "domain suspended due to abuse" message while others get redirected to [link removed] and [link removed], which suggests that there is some server-side logic that filters traffic (probably by IP, Referrer, etc.)
http://blog.unmaskparasites.com/2012/06/22/runforestrun-and-pseudo-random-domains/

I had to resort to my old HTML viewer. All other advanced HTML fetching programs returned a 302 error. So I also confirm this.

After finally getting the code, I was able to upload to VirusTotal. Results:
https://www.virustotal.com/file/8c029ebba00ddc3e9c15c07679f0ce6e6eb8edb897c429cbe2d17b6ddd40bce7/analysis/1341434784/


0/42.. :(

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #8 on: July 04, 2012, 11:01:09 PM »
Hi !Donovan,

As I reported to you, pseudo-random domains are now being blocked by the avast Network Shield.
I am delighted avast has us all protected here.
Other users read here: http://forum.avast.com/index.php?topic=100691.0


polonus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #9 on: July 05, 2012, 03:48:27 PM »
Another one with a block of malicious obfuscated script: http://urlquery.net/report.php?id=83006 (12 x IDS alert)
Code there is heavily obfuscated JavaScript and the site is hosting a BlackHole Exploit Kit.
The BlackHole Exploit Kit is serving the following exploits:
Java Rhino | Java OBE | PDF ALL | PDF LIBTIFF | HCP | FLASH
Sucuri finds it: http://sitecheck.sucuri.net/results/afisha76.ru/acinfo.html and detects MW:ANOMALY:SP7 malware.

polonus
« Last Edit: July 05, 2012, 03:53:14 PM by polonus »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Avast does not detect Blackhole site
« Reply #10 on: July 05, 2012, 05:30:37 PM »
Quote
Another one with a block of malicious obfuscated script: http://urlquery.net/report.php?id=83006 (12 x IDS alert)
Code there is heavily obfuscated JavaScript and the site is hosting a BlackHole Exploit Kit.
The BlackHole Exploit Kit is serving the following exploits:
Java Rhino | Java OBE | PDF ALL | PDF LIBTIFF | HCP | FLASH
Sucuri finds it: http://sitecheck.sucuri.net/results/afisha76.ru/acinfo.html and detects MW:ANOMALY:SP7 malware.

polonus

Philip
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #11 on: July 05, 2012, 05:35:07 PM »
Hi Left123,

Thanks for that. An image can say more on malcode than thousands of words.

polonus

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast does not detect Blackhole site
« Reply #12 on: July 05, 2012, 05:40:39 PM »
Sucuri defines MW:ANOMALY:SP7 as suspicious, so I assume that they do not have any records for this malware at hand... yet.

Only 1 detect here: https://www.virustotal.com/file/eecaab8dd661421a1731e0baff23827e17a272de98de6ce3dbed6f00d60e933b/analysis/1341502238/

Edit: As for the BlackHole Landing Page: https://www.virustotal.com/file/8602f7d47c9ae4cd90743760ae4d7238d87fc8ce236c7e639a6b64b4d71c7154/analysis/1341503045/
0/42..
Edit 2: Quick detection by Sophos: Sophos    Mal/ExpJS-N    20120705

==================

[July 5th Update] 8 total detect (code received in post 2):
Code:
AntiVir    JS/Agent.ajy
AVG        Script/Exploit.Kit
Emsisoft   Exploit.JS.Blacole!IK
Ikarus     Exploit.JS.Blacole
McAfee     JS/Exploit-Blacole.ec
Microsoft  Exploit:JS/Blacole.GB
NOD32      JS/Kryptik.QT
Sophos     Mal/ExpJS-N
https://www.virustotal.com/file/daf1795c1167fa5cb078cd60f1959d724200944279b795a6bec9537d2603ff77/analysis/1341501382/
« Last Edit: July 05, 2012, 06:09:03 PM by !Donovan »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #13 on: July 05, 2012, 06:08:39 PM »
Hi !Donovan,

Thanks for keeping a finger on the pulse of that VT detection for us.
Now you probably see how important it was when urlquery brought the Emerging Threats IDS,
and in a second instance the Snort IDS, into their scanning engine.
It really detects a lot of anomalous patterns in web traffic, vital for early detection of these undetected sites and their malicious patterns.
HTML and script analysis will also shed light on the nature of these sites (Sucuri),
but I find a lot are still going under the normal AV solution/anti-malware radar for too long.

polonus

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast does not detect Blackhole site
« Reply #14 on: July 05, 2012, 06:12:37 PM »
Quote
After finally getting the code, I was able to upload to VirusTotal. Results:
https://www.virustotal.com/file/8c029ebba00ddc3e9c15c07679f0ce6e6eb8edb897c429cbe2d17b6ddd40bce7/analysis/1341434784/

0/42.. :(
20 hours later 3/42 detect:
Code:
Commtouch  JS/Blacole.BZ
F-Prot     JS/Blacole.BZ
Sophos     Troj/ExpJS-FB

@Polonus
Indeed, the new IDS alerts are very useful. :)

I also agree with you. The AV industry needs to be more proactive in detecting these exploits.
« Last Edit: July 05, 2012, 06:14:09 PM by !Donovan »