Author Topic: Avast blocks web sites with web cams  (Read 5563 times)


MikeRepairs

  • Guest
Avast blocks web sites with web cams
« on: August 12, 2012, 03:39:27 AM »
Avast Free 7.0.1456 Win 7 64 bit
defs 120811-1

This has to be a false positive

I cannot view any Seaside Oregon web cam sites
Avast blocks: HTML:Applet-ind[Trj]

http://www.seasideaquarium.com/
http://www.seasidechamber.com/camhtml/index.html
http://seasideoregonvacationrentals.com/live-webcam-seaside-oregon/


« Last Edit: August 12, 2012, 04:05:45 AM by MikeRepairs »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user
Re: Avast blocks web site's with web cams
« Reply #1 on: August 12, 2012, 03:48:25 AM »
Quote
This has to be a false positive
why ?



Every 3.6 seconds a website is infected

http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/
« Last Edit: August 12, 2012, 04:01:37 AM by Pondus »


MikeRepairs

  • Guest
Re: Avast blocks web site's with web cams
« Reply #3 on: August 12, 2012, 04:03:08 AM »
Do you have an analysis on why Avast is blocking?

Thanks

Offline Pondus

Re: Avast blocks web site's with web cams
« Reply #4 on: August 12, 2012, 04:05:27 AM »
nope...but avast is very often correct...and often the first AV to detect

have sent a PM to Donovan..... he usually finds this if there is anything   ;)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89015
  • No support PMs thanks
Re: Avast blocks web sites with web cams
« Reply #5 on: August 12, 2012, 02:30:07 PM »
Well the alert avast is giving on the home page, image1 (and presumably the others too) is HTML:Applet-inf and this -inf at the end usually signifies that some code has been injected (in this case presumably an applet) that is or may also be pointing to a malicious site.

The VT results link previously posted by Pondus has now been updated and now has more hits (5/42); whilst not huge, it is going up: https://www.virustotal.com/file/51db5a19ab0bc6b2ff5f761ab6343a219ec1e9b94c909927a5bb8eef1cf913eb/analysis/1344772735/.

A check of the source code on the page shows an applet that points to an IP address rather than a user friendly domain name (image2). Checking that IP and trying to connect to it causes the network shield to alert (image3) URL:MAL, indicating that this IP address is on avast's malicious sites lists. So this falls in line with my explanation of what the -inf at the end of the malware name usually signifies.

So it isn't so much the seasideaquarium.com site, but the applet which goes to an external site which is considered malicious.

Now I don't know if A) that applet is legit and B) the IP address being considered malicious is correct (see ~~~ below), but that appears to be why the alerts are happening.

~~~
It is possible that many domains are hosted on this IP address, if so one or more could be infected leading to an IP block. This certainly needs further investigation.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
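
The source-code check DavidR describes above (looking for an applet that loads from a bare IP address rather than a domain name), written out as an added example that is not part of any post in this thread. The sample markup, the `example.org`/`example.net` names and the 192.0.2.10 address are constructed; the function and class names are hypothetical.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def is_ip_literal(host):
    """True when a URL host is a bare IPv4/IPv6 address, not a DNS name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

class AppletAudit(HTMLParser):
    """Collect off-site locations that <applet>/<object>/<embed> tags load from."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlsplit(page_url).hostname
        self.findings = []  # (tag, resolved_url, host, host_is_ip)

    def handle_starttag(self, tag, attrs):
        if tag not in ("applet", "object", "embed"):
            return
        a = {k: v for k, v in attrs if v}
        # codebase names a directory; relative archive names resolve under it
        base = urljoin(self.page_url, a.get("codebase", ""))
        if "codebase" in a and not base.endswith("/"):
            base += "/"
        refs = [r.strip() for r in a.get("archive", "").split(",") if r.strip()]
        refs += [a[k] for k in ("data", "src") if k in a]
        for ref in refs or [""]:  # no archive/data/src: report the codebase itself
            url = urljoin(base, ref)
            host = urlsplit(url).hostname
            if host and host != self.page_host:
                self.findings.append((tag, url, host, is_ip_literal(host)))

def audit(html, page_url):
    parser = AppletAudit(page_url)
    parser.feed(html)
    return parser.findings

# Constructed sample, not the thread's real markup; 192.0.2.10 is a documentation address.
SAMPLE = """
<applet code="Viewer.class" archive="viewer.jar" codebase="http://192.0.2.10/cam"></applet>
<applet code="Clock.class" archive="clock.jar"></applet>
<embed src="http://media.example.net/intro.swf">
"""
for tag, url, host, is_ip in audit(SAMPLE, "http://www.example.org/index.html"):
    print(tag, url, "IP literal" if is_ip else "named host")
```

An IP-literal host here is only a lead for review: the address still has to be checked against reputation data, as the later replies do.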

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Avast blocks web sites with web cams
« Reply #6 on: August 12, 2012, 08:11:06 PM »
Adding onto DavidR's analysis,

All the applet elements into one file, scanned on VirusTotal here:
https://www.virustotal.com/file/d52fd86579f1e0aef66f5001515cc7c04a417cd4e1dc1b0296431b53cad62304/analysis/1344793474/

3 different IPs are involved:
  • 68.185.19.92
  • 207.224.31.229
  • 207.202.157.37

However, I do not see any apparent records for these IPs..?

Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33895
  • malware fighter
Re: Avast blocks web sites with web cams
« Reply #7 on: August 12, 2012, 08:50:13 PM »
Hi !Donovan,

Avast alert with URL:Mal for e.g.: hxtp://207.224.31.229/-wvdoc-01-/Glimpse  Java Viewer Applet
A PHP Array-push is being performed from /68.185.19.92 for example, http://68.185.0.0/19%20%20 urlopen error timed
see: htsp://jsunpack.jeek.org/?report=e71e575e9b002155bad807bbcfcd86f34e0a91ce *
* This link is given only for our security researchers,
use full script blocking and open up in a sandboxed environment for protection.
Warning! Do not venture out there if you are not security savvy enough!
Besides  68.185.0.0/19   AS20115 (not registered) Shared info is fetched in the background

See: http://urlquery.net/report.php?id=125425
Suricata /w Emerging Threats IDS alerts
2012-08-12 03:59:24    207.224.31.229    urlQuery Client   3   FILEMAGIC Zip archive data
2012-08-12 03:59:21    207.224.31.229    urlQuery Client   3   FILEMAGIC Zip archive data
2012-08-12 03:59:18    207.224.31.229    urlQuery Client   3   FILEMAGIC Zip archive data
2012-08-12 03:59:17    207.202.157.37    urlQuery Client   3   FILEMAGIC Zip archive data
2012-08-12 03:59:17    68.185.19.92    urlQuery Client   3   FILEMAGIC Zip archive data

The IP PTR  does not resolve. This is very bad practice...see:
http://hosts-file.net/default.asp?s=207.224.31.229
http://hosts-file.net/default.asp?s=207.202.157.37
http://hosts-file.net/default.asp?s=68.185.19.92

Site has to be protected against bad bots, like this: http://perishablepress.com/wp/wp-content/online/demos/blackhole/
http://perishablepress.com/blackhole-bad-bots/  (link author and bottrap developer  Jeff Starr)

AS info from sitevet: AS Name: THEPLANET-AS - ThePlanet.com Internet Services, Inc.
IPs allocated: 1539328
Blacklisted URLs: 17932

Hosts...
...malicious URLs? Yes 
...badware? Yes 
...botnet C&C servers? No 
...exploit servers? Yes 
...Zeus botnet servers? Yes 
...Current Events? Yes 

That is more than no records on these IPs,

polonus
« Last Edit: August 12, 2012, 09:13:53 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!