Author Topic: Avast does not detect Blackhole site  (Read 37021 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #15 on: July 05, 2012, 06:27:52 PM »
Well there are samples that have a good overall detection rate, while it should be said that these EXP/JS.Blacole.BZ variants were up for 132.9 and over 990 hrs. This one of the two is still active (the other one is dead now): https://www.virustotal.com/url/8c258726e3bbd65eeb71a8502f8b902740c2efbfc9749946948862bb0ce52780/analysis/1341505063/
and
https://www.virustotal.com/file/fa80fc1c4b40891c08ef9213ac24531999b610d2e8b69e95278c88d13f67852c/analysis/1341505064/
But it is also of another nature, see the IDS alerts here:
http://urlquery.net/report.php?id=83167 & http://sitecheck.sucuri.net/results/asociacioncivil.info/wp-content/themes/blue-taste/dd_ie.js

No alerts here: http://urlquery.net/report.php?id=83173 ... but indeed detected here: http://sitecheck.sucuri.net/results/www.arleta-m.ru/
and again another chip of the same block, but another flaw: http://sucuri.net/malware/malware-entry-mwjsde921

Nothing here my friends, nothing... https://www.virustotal.com/url/209d6adec1ef6310a9f573b796bbf91e7d77ec674de168cda946a9ff6445af4f/analysis/1341505736/

polonus
« Last Edit: July 05, 2012, 06:29:48 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

true indian

  • Guest
« Reply #18 on: July 07, 2012, 06:56:31 PM »
Another one..this time history repeats itself

see: https://www.virustotal.com/file/b6d708d5f0242ea2d0caab5336f6e1c3c57b1918a6aac684b63bfba7447cd432/analysis/

and nothing here: http://zulu.zscaler.com/submission/show/7f87a6f3d227005ed04fd0de8f456b91-1341679972

see screenshot..it's malicious appendChild iframe/exploit...

reported all the URLs in this topic to Virus AT avast DOT com
« Last Edit: July 07, 2012, 07:00:33 PM by true indian »

true indian

« Reply #19 on: July 07, 2012, 07:04:00 PM »
One more...this one is appendC iframe exploit..

http://urlquery.net/report.php?id=83576

reported to virus at avast dot com

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
« Reply #20 on: July 07, 2012, 07:06:41 PM »
Actually, the above fakes the first appendChild (inside a try) and does an eval appendChild.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

« Reply #21 on: July 07, 2012, 07:11:35 PM »
Too many bells ringing here to alert: http://urlquery.net/report.php?id=84145
Also a trojan downloader for Zeus on that domain...see Malware Domain List
and I see suspicious content after the </html> tag - a padding to disable MSIE and Chrome friendly error page -->
See this signature description for Emerging Threats sign.: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15709 (author Gmane's Nathan Ridge)
Only listed here: Listed in bl.spamcannibal.org, www.spamcannibal.org : 127.0.0.2 : blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=216.24.204.18 - (ttl:43200) [0.019 sec]
and here: Listed in sbl.spamhaus.org, www.spamhaus.org/sbl/ : 127.0.0.2 : http://www.spamhaus.org/sbl/query/SBL145909 - (ttl:300) [0.053 sec]
The role of Blackhole exploit kit in spreading Spam: http://cbnetsecurity.com/colors/archives/date/2012/07/03 link from Eye on Spam author =  cristian

polonus
« Last Edit: July 07, 2012, 07:30:01 PM by polonus »

true indian

« Reply #23 on: July 07, 2012, 07:26:27 PM »
Not sure on this one: http://zulu.zscaler.com/submission/show/f4f201ed659b64134520ba85fad1ba3a-1341681804

Is this a dead URL? I think it's dead?? See screenshot1...



Offline polonus

« Last Edit: July 07, 2012, 07:35:14 PM by polonus »

true indian

« Reply #25 on: July 07, 2012, 07:36:50 PM »
thanks! pol my friend :)

Offline polonus

« Reply #26 on: July 07, 2012, 07:48:18 PM »
To explain one of the snort rule alerts a bit more:
In this example the 'hcp_vbs.php?f=' part of the URL is known to be part of the 'Black Hole Exploit Kit'.
And this was one of the bugs abused on that site: description of exploit -> https://bugs.php.net/bug.php?id=35360
because you see a snort rule alert given for this, e.g.:
BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f=<random character>
This will deliver various malicious PDF files to a user/victim.

polonus
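
The URI pattern behind the alert discussed in Reply #26, as an added example that is not part of the original posts and is not the actual Snort or Emerging Threats rule: a proxy-log triage that flags `.php?f=` requests and raises confidence when the page name is `hcp_vbs.php`. The log format, the host names and the reading of `<random character>` as a short alphanumeric token are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log (timestamp, client, method, URL); hosts are placeholders.
SAMPLE_LOG = """\
2012-07-07T19:40:01 10.0.0.5 GET http://landing.example/main.php?page=abc
2012-07-07T19:40:03 10.0.0.5 GET http://landing.example/hcp_vbs.php?f=a1b2c&d=0
2012-07-07T19:40:09 10.0.0.7 GET http://shop.example/download.php?f=q
2012-07-07T19:41:12 10.0.0.9 GET http://intranet.example/report.php?file=annual.pdf
2012-07-07T19:41:30 10.0.0.9 GET http://news.example/index.html?f=1
"""

KNOWN_KIT_PAGES = {"hcp_vbs.php"}                # page name quoted in the post
SHORT_TOKEN = re.compile(r"^[0-9A-Za-z]{1,8}$")  # assumed meaning of "<random character>"


def classify(url):
    """Return 'high', 'possible' or None for one requested URL."""
    parts = urlsplit(url)
    page = parts.path.rsplit("/", 1)[-1].lower()
    if not page.endswith(".php"):
        return None
    f_values = parse_qs(parts.query, keep_blank_values=True).get("f")
    if f_values is None:
        return None
    if page in KNOWN_KIT_PAGES:
        return "high"
    # Generic ".php?f=<token>" match: broad by design, so only "possible".
    if any(SHORT_TOKEN.match(v) for v in f_values):
        return "possible"
    return None


def scan(log_text):
    """Return (timestamp, client, verdict, url) for every flagged request."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing at fields
        ts, client, _method, url = fields
        verdict = classify(url)
        if verdict:
            hits.append((ts, client, verdict, url))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(*hit)
```

The `download.php?f=q` request on an unrelated host is flagged only as "possible", which matches the alert's own wording: the generic pattern needs corroboration (a preceding landing-page hit, the response content type) before it is treated as a compromise.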

Offline polonus

« Reply #27 on: July 07, 2012, 11:04:31 PM »
How about this one: http://urlquery.net/report.php?id=84805
On that IP IDS alert SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch
See: http://zulu.zscaler.com/submission/show/9ba26965ce8a56686c9bdc0ac6470690-1341694871 (partial detection)

polonus


Offline !Donovan

« Reply #28 on: July 08, 2012, 12:34:44 AM »
I can't get a return atm..

Offline polonus

« Reply #29 on: July 08, 2012, 04:03:10 PM »