Author Topic: Avast does not detect Blackhole site  (Read 37022 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #30 on: July 08, 2012, 04:23:39 PM »
Here we have a blackhole site with an outdated and vulnerable version of WordPress: http://sitecheck.sucuri.net/results/sdtempo.si
malware-entry-mwexploitkitblackhole1
See: http://urlquery.net/report.php?id=85251
SQL malware found  on line 193: ^^}/*km0ae9gr6m*/^^try{^^prototype%2;} etc etc
XSS attack detected Failed to connect to database: Unknown MySQL server host
Also see here: http://forum.avast.com/index.php?topic=100917.0
Then the avast shield should block this...

polonus
« Last Edit: July 08, 2012, 04:30:35 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!


Offline polonus

Re: Avast does not detect Blackhole site
« Reply #32 on: July 08, 2012, 04:28:31 PM »
Thanks for checking Dim@rik, one less to worry about then.
Hopefully we get detection for all of them, well at least that is why we are reporting,

polonus

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #33 on: July 08, 2012, 05:24:17 PM »
For this one we have 4 av detections and we have avast IP block via the avast Network shield!
Онлайн   08.07.12 16:51      06.07.2012 19:10       5.39.59.129   Blackhole exploit kit    HTML/ExpKit.Gen3
But here we have avast Networkshield detection and this IP is blocked as URL:Mal
So for HTML/ExpKit.Gen3 we have avast shield protection!
See: http://urlquery.net/queued.php?id=85355
No alerts there, but here: http://urlquery.net/report.php?id=84839
Blackhole post-compromise download attempt - .php?f= & prototype catch alerts,

polonus

REDACTED

  • Guest
Re: Avast does not detect Blackhole site
« Reply #34 on: July 08, 2012, 06:39:27 PM »
For this one we have 4 av detections and we have avast IP block via the avast Network shield!
Онлайн   08.07.12 16:51      06.07.2012 19:10       5.39.59.129   Blackhole exploit kit    HTML/ExpKit.Gen3
But here we have avast Networkshield detection and this IP is blocked as URL:Mal
So for  HTML/ExpKit.Gen3 we have avast shield protection!
See: http://urlquery.net/queued.php?id=85355
No alerts there, but here: http://urlquery.net/report.php?id=84839
Blackhole post-compromise download attempt - .php?f= & prototype catch alerts,

polonus

http://wepawet.iseclab.org/view.php?hash=2f2090cd9dd06cbde83917c2fca2886a&type=js

Downloading two samples, both are determined.


Offline polonus

Re: Avast does not detect Blackhole site
« Reply #35 on: July 08, 2012, 06:58:39 PM »
Hi Dim@rik,

It is good to know that avast is one of the few AVs that detect the pony downloader from that site as Win32:Zeus-A [Trj]. Mostly pony downloaders are configured to POST stolen FTP credentials to certain drop zones, then grab Gameover Zeus banking trojans from determined locations, and fraudulent site engaged in Identity Theft, Phishing, Money Mule,

polonus
« Last Edit: July 08, 2012, 07:01:04 PM by polonus »

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #36 on: July 08, 2012, 10:54:06 PM »
See: http://urlquery.net/report.php?id=85558 (next random number malicious script - IDS alert: Blackhole landing prototype.catch)
Not detected here: http://zulu.zscaler.com/submission/show/abae62a150cd1b4023a891e21a77186b-1341780150 given as suspicious
Bitdefender's Traffic Light flags the site as unsafe,
This link is also found there: htxps://d31qbv1cthcecs.cloudfront.net/atrk.js Alexa code insertion, benign, could be blocked using ABP

polonus

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #37 on: July 09, 2012, 07:19:18 PM »
What about this one: http://urlquery.net/report.php?id=86083
See: http://vscan.urlvoid.com/analysis/e1d151c5cbc44e04d4561488be7f2439/cmVkaXItbm90LWZvdW5kLXNodG1s/
well this one is blocked by avast Networkshield as URL:Mal
So for this one we have protection,

polonus

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #38 on: July 12, 2012, 05:12:23 PM »

true indian

  • Guest
Re: Avast does not detect Blackhole site
« Reply #40 on: July 12, 2012, 05:39:56 PM »

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #41 on: July 12, 2012, 05:40:44 PM »
This has blackhole there: http://urlquery.net/report.php?id=68710

polonus

true indian

  • Guest
Re: Avast does not detect Blackhole site
« Reply #42 on: July 17, 2012, 12:24:39 PM »
1 more blackhole..

see: htxp://secuboxlabs.fr/kolab/api?hash=fcc776f5abdfe9f8872676f668a59367720d64f4

not detected here: https://www.virustotal.com/file/fdd915e725b6a27eb6c20ec98ae240930004e4def52702e9ddab0ececfd674ff/analysis/1342520329/

reported via chest!  :)

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #43 on: July 17, 2012, 03:27:48 PM »
Sucuri detects: http://sitecheck.sucuri.net/results/secuboxlabs.fr/kolab/
How did you report via chest, did you have access to the original source?

polonus

true indian

  • Guest
Re: Avast does not detect Blackhole site
« Reply #44 on: July 17, 2012, 07:28:01 PM »
I reported the HTML format via chest! :)

Is it alright??