Author Topic: Zeus trojan or Blackhole download attempt?  (Read 3604 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34031
  • malware fighter
Zeus trojan or Blackhole download attempt?
« on: August 11, 2012, 08:04:57 PM »
See: http://urlquery.net/report.php?id=124764
Content after the </html> tag should be considered suspicious.

8: <!-- a padding to disable MSIE and Chrome friendly error page -->
9: <!-- a padding to disable MSIE and Chrome friendly error page -->
10: <!-- a padding to disable MSIE and Chrome friendly error page -->
11: <!-- a padding to disable MSIE and Chrome friendly error page -->
12: <!-- a padding to disable MSIE and Chrome friendly error page -->
13: <!-- a padding to disable MSIE and Chrome friendly error page -->

Avast Networkshield neatly blocks this URL as URL:Mal.
Again it was demonstrated how important the avast shields are in protecting avast users.

This one has not been detected by the avast shield, and I have reported it to virus AT avast dot com,
see: http://www.urlquery.net/report.php?id=92737 and see: http://wepawet.cs.ucsb.edu/view.php?hash=6d92a678af24970ecf1d5ab5462e476a&t=1342679337&type=js
but the file might be detected as JS:ScriptDC-inf[Trj]. The iFrame redirects to: htxp://mailmergesfinger.org/main.php? which has this malware...
See: https://www.virustotal.com/url/8dd47a07cbc67a35fbcf0aea773fc67676fabf381e3886137ca3abf6fe286ba5/analysis/1344708754/
see: http://www.google.com/safebrowsing/diagnostic?site=mailmergesfinger.org/main.php
Site has 90 trojans, 37 exploits & 7 scripting exploits,

polonus
« Last Edit: August 11, 2012, 08:15:50 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
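The post's rule of thumb is that anything after the closing html tag deserves a look. The following is an added triage helper, not code from the post, from urlquery or from avast: it takes a fetched page body and reports what follows the last closing tag, separating comment padding (like the six lines quoted above) from markup that makes the browser load something. The sample page, the iframe and its URL are constructed placeholders, not indicators from the report.

```python
"""Report whatever follows the last </html> tag in a fetched page body.

Added example (not from the forum post or the linked reports). Comment-only
padding is noted but rated lower than tags that load or run content.
"""
import re

# Constructed sample: padding lines modelled on the post, plus a hypothetical
# 1x1 iframe. The URL is a placeholder, not a real indicator.
SAMPLE_PAGE = """<html><head><title>ok</title></head>
<body><p>hello</p></body>
</html>
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<!-- a padding to disable MSIE and Chrome friendly error page -->
<iframe src="http://example.invalid/main.php?page=PLACEHOLDER" width="1" height="1"></iframe>
"""

COMMENT_RE = re.compile(r"<!--.*?-->", re.S)
# Tags that cause a fetch or script execution even when placed after </html>.
ACTIVE_RE = re.compile(r"<(iframe|script|object|embed|img|meta|link)\b[^>]*>", re.I)


def trailing_content(html: str) -> str:
    """Return everything after the last closing html tag, or '' if there is none."""
    matches = list(re.finditer(r"</html\s*>", html, re.I))
    if not matches:
        return ""
    return html[matches[-1].end():]


def classify_trailing(html: str) -> dict:
    """Summarise the tail of a page for triage.

    verdict is one of:
      'clean'        - nothing but whitespace after </html>
      'padding-only' - only HTML comments (worth a note, common on error pages)
      'loader'       - a tag that loads or runs content was found
      'other'        - some non-comment text that is not an active tag
    """
    tail = trailing_content(html)
    comments = COMMENT_RE.findall(tail)
    without_comments = COMMENT_RE.sub("", tail)
    active = [m.group(0) for m in ACTIVE_RE.finditer(without_comments)]

    if active:
        verdict = "loader"
    elif without_comments.strip():
        verdict = "other"
    elif comments:
        verdict = "padding-only"
    else:
        verdict = "clean"

    return {
        "trailing_bytes": len(tail.encode("utf-8")),
        "comment_count": len(comments),
        "active_tags": active,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = classify_trailing(SAMPLE_PAGE)
    print(f"verdict={report['verdict']} comments={report['comment_count']}")
    for tag in report["active_tags"]:
        print("  active tag after </html>:", tag)
```

Run it over a page body saved from a sandbox or from a fetch you made in an isolated environment; a verdict of `loader` is the case the post describes (an iframe injected past the end of the document), while `padding-only` matches the quoted comment lines and on its own is only a prompt to look further.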

Offline polonus

Re: Zeus trojan or Blackhole download attempt? NXDOMAIN request found!
« Reply #1 on: August 11, 2012, 08:48:29 PM »
As we see here: http://wepawet.cs.ucsb.edu/view.php?hash=6d92a678af24970ecf1d5ab5462e476a&t=1342679337&type=js
 htxp://mailmergesfinger.org/main.php?page=bfc8be54a0120bca   NXDOMAIN   N/A
The iFrame redirects to a so-called NXDOMAIN (for malicious or malvertising purposes).
Why NXDOMAIN is a bad practice started by big online advertisers/malvertisers, you can read here:
http://dnsknowledge.com/whatis/nxdomain-non-existent-domain-2/ (link author = admin)
Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. (info source: aceplace57)

Rogue DNS server

A rogue DNS server translates domain names of desirable websites (search engines, banks, brokers, etc.) into IP addresses of sites with unintended content, even malicious websites. Most users depend on DNS servers automatically assigned by their ISPs. Zombie computers use DNS-changing trojans to invisibly switch the automatic DNS server assignment by the ISP to manual DNS server assignment from rogue DNS servers. When users try to visit websites, they are instead sent to a bogus website. This attack is termed pharming. If the site they are redirected to is a malicious website, masquerading as a legitimate website, in order to fraudulently obtain sensitive information, it is termed phishing. [info aceplace57]

polonus

Offline polonus

Re: Zeus trojan or Blackhole download attempt?
« Reply #2 on: August 11, 2012, 08:54:16 PM »
Well, to be sure, check here whether your computer is using rogue DNS: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS#googtrans(nl)

polonus
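Reply #1 describes DNS-changing trojans pointing a host at rogue resolvers, and Reply #2 points to an online check for that. The following is an added offline example, not code from the post, from avast or from the FBI page, showing the two checks a defender can run locally: whether the configured nameservers fall inside the ranges the ISP or organisation is expected to hand out, and whether answers for sensitive domains agree with a trusted reference resolver (the pharming symptom the quoted paragraph describes). The resolv.conf text, the expected ranges and both answer sets are constructed placeholders; on a real host they would come from the system resolver configuration and from live lookups against the system resolver and a reference resolver.

```python
"""Offline rogue-resolver and pharming checks with constructed inputs.

Added example (not from the forum post or the linked FBI page). Inputs are
constructed; replace them with real resolver settings and lookup results.
"""
import ipaddress

# Constructed: ranges the ISP/organisation is expected to assign resolvers
# from (documentation prefixes used as placeholders).
EXPECTED_RESOLVER_NETS = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]

# Constructed resolv.conf-style text; the second entry is the odd one out.
RESOLV_CONF = """# constructed sample, not a real host
nameserver 192.0.2.53
nameserver 203.0.113.7
search example.test
"""

# Constructed lookup results: what the host's resolver returned versus a
# trusted reference resolver, for domains worth watching (banks, search).
SYSTEM_ANSWERS = {
    "bank.example": {"203.0.113.50"},
    "search.example": {"198.51.100.10"},
}
REFERENCE_ANSWERS = {
    "bank.example": {"198.51.100.20"},
    "search.example": {"198.51.100.10"},
}


def configured_nameservers(text: str) -> list:
    """Parse 'nameserver <ip>' lines; ignores comments and malformed entries."""
    found = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                found.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                continue  # not an IP literal, skip it
    return found


def unexpected_nameservers(text: str, expected=EXPECTED_RESOLVER_NETS) -> list:
    """Resolvers that are outside every expected range, as strings."""
    return [
        str(ip)
        for ip in configured_nameservers(text)
        if not any(ip in net for net in expected)
    ]


def pharming_suspects(system: dict, reference: dict) -> list:
    """Domains where the host's answers share no address with the reference.

    A disjoint answer set is an indicator, not proof: CDNs legitimately hand
    out different addresses per resolver, so confirm before acting.
    """
    return sorted(
        name
        for name in reference
        if name in system and system[name].isdisjoint(reference[name])
    )


if __name__ == "__main__":
    odd = unexpected_nameservers(RESOLV_CONF)
    print("nameservers outside expected ranges:", odd or "none")
    suspects = pharming_suspects(SYSTEM_ANSWERS, REFERENCE_ANSWERS)
    print("domains whose answers disagree with the reference:", suspects or "none")
```

To feed it real data, read the nameservers from the host (`/etc/resolv.conf` on Unix-like systems, `ipconfig /all` on Windows) and collect the two answer sets with a query tool such as `dig`, once against the host's resolver and once against a resolver you trust; a nameserver outside the expected ranges together with disagreeing answers for a bank or search domain is the pattern the quoted paragraph calls pharming.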