Avast does not detect Blackhole site

[polonus]

Well there are samples that have a good overall detection rate, while it should be said that these EXP/JS.Blacole.BZ variants were up for 132.9 and over 990 hrs. This one of the two is still active (the other one is dead now): https://www.virustotal.com/url/8c258726e3bbd65eeb71a8502f8b902740c2efbfc9749946948862bb0ce52780/analysis/1341505063/
and
https://www.virustotal.com/file/fa80fc1c4b40891c08ef9213ac24531999b610d2e8b69e95278c88d13f67852c/analysis/1341505064/
But it is also of another nature, see the IDS alerts here:
http://urlquery.net/report.php?id=83167 & http://sitecheck.sucuri.net/results/asociacioncivil.info/wp-content/themes/blue-taste/dd_ie.js

No alerts here: http://urlquery.net/report.php?id=83173  ..... but indeed detected here: http://sitecheck.sucuri.net/results/www.arleta-m.ru/
and again another chip of the same block, but another flaw http://sucuri.net/malware/malware-entry-mwjsde921

Nothing here my friends, nothing... https://www.virustotal.com/url/209d6adec1ef6310a9f573b796bbf91e7d77ec674de168cda946a9ff6445af4f/analysis/1341505736/

polonus

[polonus]

This one only detected here: https://www.virustotal.com/url/7da548c75b95bc06dad744d3f869fa3fb16c2bfd4a3b680fdbccc466abe05238/analysis/1341593117/
(Sophos)
and here: http://urlquery.net/report.php?id=84023 (content returned see: http://zulu.zscaler.com/submission/show/757757e3b21095d5d57e0c9c3c0a410a-1341593405 ) a possible Blackhole url: http://urlquery.net/report.php?id=83939

polonus

[polonus]

Another one not detected: https://www.virustotal.com/file/b71668a7dcdbb29663519d5c9b95df12c761dbe4f19cfab0de0e10e8ec378842/analysis/
and http://vscan.urlvoid.com/analysis/d5717c221e81a0aa7a80812d0590e84e/bWFpbi1waHA=/
See: http://urlquery.net/report.php?id=84669
http://zulu.zscaler.com/submission/show/52f12e8d818a4763a491ba3779be9e49-1341678053

polonus

[true indian]

Another one..this time history repeats itself

see: https://www.virustotal.com/file/b6d708d5f0242ea2d0caab5336f6e1c3c57b1918a6aac684b63bfba7447cd432/analysis/

and nothing here: http://zulu.zscaler.com/submission/show/7f87a6f3d227005ed04fd0de8f456b91-1341679972

see screenshot..its malicious appendchild Iframe/exploit...

reported all the URL's in this topic to Virus AT avast DOT com

[true indian]

One more...this one is appendC iframe exploit..

http://urlquery.net/report.php?id=83576

reported to virus at avast dot com

[!Donovan]

Actually, the above fakes the first appendChild (inside a try) and does an eval appendChild.

[polonus]

Too many bells ringing here to alert : http://urlquery.net/report.php?id=84145
Also a trojan downloader for Zeus on that domain...see Malware Domain List
and I see suspicious content after the < /html> tag - a padding to disable MSIE and Chrome friendly error page -->
See this signature description for Emerging Threats sign.: http://comments.gmane.org/gmane.comp.security.ids.snort.emerging-sigs/15709 (author Gmane's Nathan Ridge)
Only listed here: Listed in bl.spamcannibal.org, www.spamcannibal.org : 127.0.0.2 : blocked, See: http://www.spamcannibal.org/cannibal.cgi?page=lookup&lookup=216.24.204.18 - (ttl:43200) [0.019 sec]
and here: Listed in sbl.spamhaus.org, www.spamhaus.org/sbl/ : 127.0.0.2 : http://www.spamhaus.org/sbl/query/SBL145909 - (ttl:300) [0.053 sec]
The role of Blackhole exploit kit in spreading Spam: http://cbnetsecurity.com/colors/archives/date/2012/07/03 link from Eye on Spam author =  cristian

polonus

[polonus]

And this one: http://urlquery.net/report.php?id=84145
See: http://zulu.zscaler.com/submission/show/7f87a6f3d227005ed04fd0de8f456b91-1341679972
See: https://www.virustotal.com/file/b6d708d5f0242ea2d0caab5336f6e1c3c57b1918a6aac684b63bfba7447cd432/analysis/

polonus

[true indian]

Not sure on this one: http://zulu.zscaler.com/submission/show/f4f201ed659b64134520ba85fad1ba3a-1341681804

is this dead URL i think its dead?? see screenshot1...

[polonus]

true indian,

see: http://urlquery.net/report.php?id=78036
see: http://www.malwaredomainlist.com/hostslist/yesterday_urls.txt
see: http://securecast.co.kr/offer/offer_threat_list.asp?left_menu=secure_02

polonus

[true indian]

thanks! pol my friend

[polonus]

To explain one of the snort rule alerts a bit more:
in this example the 'hcp_vbs.php?f=' part of the URL is known to be part of the 'Black Hole Exploit Kit'.
And this was one of the bugs abused on that site: description of exploit -> https://bugs.php.net/bug.php?id=35360
because you see a snort rule alert given for this, e.g.:
BLACKLIST URI possible Blackhole post-compromise download attempt - .php?f=<random character>
this will deliver various malicious PDF files to a user/victim,

polonus

[polonus]

How about this one: http://urlquery.net/report.php?id=84805
On that IP IDS alert SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch
See: http://zulu.zscaler.com/submission/show/9ba26965ce8a56686c9bdc0ac6470690-1341694871 (partial detection)

polonus

[!Donovan]

I cant get a return atm..

[polonus]

Here is another: http://urlquery.net/report.php?id=85282
See: http://zulu.zscaler.com/submission/show/77fb44e1a62807569eafd676607fe1c6-1341755594
See: https://www.virustotal.com/file/a6edc3f21dddd2ee19a38b6a48150222180925ad05d49e70ba2659f4f971d7fd/analysis/
Blackhole landing page with specific structure - prototype catch  see: http://seclists.org/snort/2012/q1/579 (Joel Esler)
detected by other av vendors as HTML/ExpKit.Gen3

polonus