Author Topic: Avast does not detect Blackhole site  (Read 29954 times)

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31528
  • malware fighter
Re: Avast does not detect Blackhole site
« Reply #60 on: July 31, 2012, 07:11:27 PM »
Another flaw of the old Blackhole here: http://urlquery.net/report.php?id=109292
Not detected here: http://vscan.urlvoid.com/analysis/2f0968b3bb7be61e7e7c3a461d6a40d2/bWFpbi1waHA=/

See attached image of obfuscated script

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Avast does not detect Blackhole site [SOLVED]
« Reply #61 on: August 02, 2012, 11:36:55 PM »
HTML/Framer and Blackhole Landing: http://urlquery.net/report.php?id=112491
and similar, also active: http://urlquery.net/report.php?id=112503
Low detection for this: https://www.virustotal.com/file/e033729696d97f9d01975fecce2fdd0e456fc5d324aeb5ef1b48f2ae330fab05/analysis/
Reported to virus AT avast dot com.
Detection has been added to the latest avast VPS and has already landed on your comps; avast users are being protected.

polonus
« Last Edit: August 03, 2012, 02:52:38 PM by polonus »

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #62 on: August 05, 2012, 09:51:06 PM »
Another one, currently blocked by Google Safebrowsing, see: http://urlquery.net/report.php?id=51420
Description of this RedKit exploit and the IDS rule for Emerging Threats here by Christopher Wakelin via this link:
http://lists.emergingthreats.net/pipermail/emerging-sigs/2012-May/019007.html
Link rule comment from Eoin Miller in the same link.

polonus

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #63 on: August 06, 2012, 03:53:40 PM »
Quite another variant alerted here: http://urlquery.net/report.php?id=116161
We are also blocked from going there here: http://safebrowsing.clients.google.com/safebrowsing/diagnostic?site=http%3A%2F%2Fvoicecontroldevotes.info%2Fmain.php%3Fpage%3D6df8994172330e77&client=googlechrome&hl=nl
GET /safebrowsing/diagnostic?site=http%3A%2F%2Fvoicecontroldevotes.info%2Fmain.php%3Fpage%3D6df8994172330e77&client=googlechrome&hl=nl HTTP/1.0
Accept: */*
User-Agent: WebBug/5.0
For the malcode see attached image (abstract algebra writing Adobe malware generator, code starts with if(z)g= etc.)

IP is also Palevo infected: Gen:Variant.Zusy.15382 - http://zulu.zscaler.com/submission/show/e4ae4442faedc7f75bf4fb4f73b33494-1344260552
Also see: http://forums.malwarebytes.org/index.php?showtopic=113614

pol
« Last Edit: August 06, 2012, 03:58:24 PM by polonus »

Offline polonus

Re: Avast does not detect Blackhole site [SOLVED]
« Reply #66 on: August 18, 2012, 05:56:13 PM »
Here avast neatly detects: http://urlquery.net/report.php?id=136887 as JS:Redirector-RO [Trj]
EXP/JS.Blacole.BI from this site at biuro at nephax dot com 91.203.134.164
Read about avast detection here: http://www.mywot.com/en/scorecard/privilege-store.com?utm_source=addon&utm_content=popup-donuts

polonus

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #67 on: August 25, 2012, 12:10:54 AM »
This site not being detected by avast: http://vscan.urlvoid.com/analysis/8c7321c5e10cecf647002fc579d44753/aW5kZXgtcGhw/
Malicious http://zulu.zscaler.com/submission/show/9402604488193cb52231b22fafe46e4e-1345845339
is or was distributing a malware variant of Trojan-Downloader.JS.Iframe.czk
Detected malicious injected iframe..
IDS alert SPECIFIC-THREATS Blackhole landing page with specific structure - prototype catch
See: http://urlquery.net/report.php?id=145042
See attached image...

polonus

P.S. On urlquery they marked this script as suspicious: j % 3 (size 3), repeated 572 ....

D
« Last Edit: August 25, 2012, 12:41:54 AM by polonus »

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #68 on: August 30, 2012, 08:06:32 PM »
See: http://zulu.zscaler.com/submission/show/fd1c952a4e32e974959c371b8d03fa5e-1346349419
and
http://urlquery.net/report.php?id=152317
ET CURRENT_EVENTS Possible Blackhole Landing to 8 chr folder plus index.html severity 2 = EXP/JS.Blacole.BI

polonus

Offline polonus

Re: Avast does not detect Blackhole site
« Reply #70 on: August 30, 2012, 09:15:05 PM »
Thanks Dima,

Thanks for evaluating this further. Users should be very diligent also because of the Java zero day now incorporated in Blackhole.
That is why users are also advised to disable Java for the time being.

Avast should later detect this particular threat as either Win32:Susn-AJ Trj or Trojan/Win32.Zbot.gen

polonus
