Author Topic: Again the avast Network shield in action...  (Read 3353 times)


polonus
Again the avast Network shield in action...
« on: December 01, 2012, 02:10:24 PM »
Someone sent me this link: htxp://contagiodump.blogspot.no/
Then avast Networkshield alerted me to BV:DelFiles-B[Trj] in the browser executable process.
Boy, am I glad to have that avast Networkshield installed.
Have to say before alerting, I had to lift noscript blocking that malware...
Given benign here: http://zulu.zscaler.com/submission/show/4f546320e6ffaf77d3aba45da7c1b87e-1354366764
4 potentially suspicious files

wXw.blogger.com/post-edit.g?blogID=7885177434994542510&postID=5116555681441968371&from=pencil
File size[byte]: 80964
Threat type: Potentially Suspicious
Details: Detected hidden reference to external web resource.
Reason: Detected generation of hidden DOM element [iframe].
MD5: C50CF6DB56B8DE527799A68294FF4D04
Scan duration[sec]: 0.175000

twitter dot com/%23%21/search/contagiodump
File size[byte]: 66150
Threat type: Potentially Suspicious
Details: Detected procedure that is commonly used in suspicious activity.
Reason: Too low entropy detected in string '/^[a-z0-9_-------------------------------------------------------------]*[a-z_----------------------' of length 213 which may points to obfuscation or shellcode.
MD5: 1B0274E1A26B9C447A8C0FB61D93838B
Scan duration[sec]: 0.135000

community.rapid7 dot com/community/metasploit/blog/2012/09/16/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit
File size[byte]: 116215
Threat type: Potentially Suspicious
Details: Detected potentially suspicious content.
Reason: Detected potentially suspicious initialization of function pointer to JavaScript method document.write: __tmpvar971250210 = document.write;
MD5: 241758146B4C42C6A01AAF8E0926D787
Scan duration[sec]: 3.383000

wXw.blogger.com/post-edit.g?blogID=7885177434994542510&postID=6269574680922556213&from=pencil
File size[byte]: 80943
Threat type: Potentially Suspicious
Details: Detected hidden reference to external web resource.
Reason: Detected generation of hidden DOM element [iframe].
MD5: 2FFA9DD1099A8871D6D348A1455EDC57

Scan according to Quttera scan results ...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
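The three Quttera "Reason" lines quoted in the scan above (a long low-entropy string literal, generation of a hidden iframe element, and a variable aliasing document.write) are all static heuristics that can be approximated in a few lines. The script below is an added illustration written for this thread; it is not Quttera's engine and not code posted by anyone in the thread. The sample JavaScript, the variable names and the thresholds (literals of at least 64 characters, at most 2.0 bits of Shannon entropy per character) are constructed assumptions, chosen only so that each heuristic fires once.

```python
import math
import re
from collections import Counter

# Constructed sample script (assumption, not taken from the scanned site).
# It deliberately trips all three heuristics: a regex literal padded with a
# long run of dashes, an iframe hidden via style.display, and an alias of
# document.write. The 'ok' element is a benign control.
LOW_ENTROPY_REGEX = "/^[a-z0-9_" + "-" * 60 + "]*$/"
SAMPLE_JS = "var re = " + LOW_ENTROPY_REGEX + ";\n" + r"""
var __tmpvar = document.write;
var f = document.createElement('iframe');
f.src = 'http://example.invalid/landing';
f.style.display = 'none';
document.body.appendChild(f);
var ok = document.createElement('div');
"""

# String and regex literals: single-quoted, double-quoted, or /.../ bodies.
LITERAL_RE = re.compile(r"""'[^'\n]*'|"[^"\n]*"|/(?:\\/|[^/\n])+/""")
# var = document.createElement('iframe') / ("iframe"), capturing the variable.
CREATE_IFRAME_RE = re.compile(
    r"(\w+)\s*=\s*document\.createElement\(\s*['\"]iframe['\"]\s*\)")
# var = document.write;  (a "function pointer" to document.write)
WRITE_ALIAS_RE = re.compile(r"(\w+)\s*=\s*document\.write\s*;")


def shannon_entropy(text):
    """Shannon entropy in bits per character; 0.0 for an empty string."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def find_low_entropy_literals(js, min_len=64, max_bits=2.0):
    """Long literals whose character distribution is very flat (for example a
    regex class padded with one repeated character). Returns
    (first 40 chars, length, entropy) per hit. Thresholds are assumptions."""
    hits = []
    for m in LITERAL_RE.finditer(js):
        lit = m.group(0)
        if len(lit) >= min_len:
            bits = shannon_entropy(lit)
            if bits <= max_bits:
                hits.append((lit[:40], len(lit), round(bits, 2)))
    return hits


def find_hidden_iframes(js):
    """Variables that receive a freshly created iframe and are then hidden
    (display:none, visibility:hidden, or zero width/height)."""
    hidden = []
    for m in CREATE_IFRAME_RE.finditer(js):
        var = m.group(1)
        hide_re = re.compile(
            r"\b" + re.escape(var) + r"\.(?:"
            r"style\.display\s*=\s*['\"]none['\"]|"
            r"style\.visibility\s*=\s*['\"]hidden['\"]|"
            r"(?:width|height)\s*=\s*['\"]?0)")
        if hide_re.search(js):
            hidden.append(var)
    return hidden


def find_document_write_aliases(js):
    """Names assigned the document.write method itself (not a call)."""
    return WRITE_ALIAS_RE.findall(js)


def scan_script(js):
    """Run all three heuristics and return their findings by name."""
    return {
        "low_entropy_literals": find_low_entropy_literals(js),
        "hidden_iframes": find_hidden_iframes(js),
        "document_write_aliases": find_document_write_aliases(js),
    }


if __name__ == "__main__":
    for name, findings in scan_script(SAMPLE_JS).items():
        print(f"{name}: {findings}")
```

None of these patterns is proof of malice on its own: blog platforms and ad widgets create hidden iframes routinely, and a long character-class regex is legitimate in many libraries. That is exactly why Quttera labels them "Potentially Suspicious" rather than malicious, and why a second opinion (here the Zulu verdict) is worth having before blocking a page.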

polonus
Re: Again the avast Network shield in action...
« Reply #1 on: December 01, 2012, 02:20:15 PM »
Also performed a particular malicious iFrame scan on that site with the following results:
(Level: 0) Url checked:
htxp://contagiodump.blogspot.no/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://contagiodump.blogspot.no///www.blogger.com/static/v1/jsbin/2627287098-ieretrofit.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://contagiodump.blogspot.no/https://apis.google.com/js/plusone.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.mediafire.com/dropbox/dropbox.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://www.mediafire.com/dropbox/+ez+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.mediafire.com/dropbox/dropbox.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://www.mediafire.com/dropbox/+ez+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://contagiodump.blogspot.no/https://apis.google.com/js/plusone.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://contagiodump.blogspot.no///www.blogger.com/static/v1/widgets/2167839501-widgets.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://contagiodump.blogspot.no///www.google.com/jsapi
Blank page / could not connect
No ad codes identified


Pondus
Re: Again the avast Network shield in action...
« Reply #2 on: December 01, 2012, 06:57:34 PM »
Well, this is the Contagio malware dump blog, where malware discussions and samples are dumped every day.

So no surprise if a nervous avast webshield gives an alarm here   ;)

Don't you use this site, Polonus?   ???


polonus
Re: Again the avast Network shield in action...
« Reply #3 on: December 01, 2012, 08:20:53 PM »
Hi Pondus,

Yes, I am aware of the site and know about the contents thereof, and if there is part of a malware script exposed, then the avast shield bells are to be set off. I use these resource sites, but never put a link out here normally, because we do not want to make the malcreants any the wiser.
