Author Topic: HTML:RedirME-inf [trj]  (Read 24793 times)


AlecWest

  • Guest
HTML:RedirME-inf [trj]
« on: April 28, 2013, 05:07:21 AM »
When I visit the site - hxxp://naijalatest.net/birds.php ("tt" changed to "xx" to prevent clicks) - I get a trojan warning popup from avast:


However, after visiting some of the blacklist sites (like URLvoid.com), I see no listing of this site being blacklisted.  If this is a false-positive, what has to be done to remove the page from the avast blockages?  Or, if it's a genuine blacklisted site, upon whose authority was it blacklisted (URL, please)?

Regards,
Alec
« Last Edit: April 28, 2013, 05:26:50 AM by AlecWest »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:RedirME-inf [trj]
« Reply #1 on: April 28, 2013, 05:14:54 AM »
Hi AlecWest,

First, please change http:// to hXtp:// in your previous post to avoid accidental clicks.

A site not being blacklisted does not make it non-malicious.

The detection is indeed correct; there is a server redirect. See: http://urlquery.net/report.php?id=2211430

~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

AlecWest

  • Guest
Re: HTML:RedirME-inf [trj]
« Reply #2 on: April 28, 2013, 05:35:01 AM »

A site that isn't blacklisted does not make it not malicious.


By the same token, a server redirect does not necessarily make a site (or the redirected site) toxic.


The detection is indeed correct; there is a server redirect. See: http://urlquery.net/report.php?id=2211430


So, avast will flag a site, merely because it redirects to another site?  Perhaps I'm missing something.  My inquiry here is based on the fact that (at least) two people I know have visited the site and it was not blocked by their antivirus software ... nor have their computers been compromised in any way that their antivirus software can detect.

Regards,
Alec
« Last Edit: April 28, 2013, 05:42:16 AM by AlecWest »

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:RedirME-inf [trj]
« Reply #3 on: April 28, 2013, 05:41:34 AM »
Telling you of the server redirect relates to the warning given by avast.

If you scan the redirected url with URLVoid, you'll see that it's blacklisted.
http://www.urlvoid.com/scan/com-businesstimesblog.net/

The redirect pattern is as follows: indexer.php?a=[6 digits]&c=jobcpc&s=hr

~!Donovan
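The post above describes the detection in terms of a redirect chain (birds.php answers with a server redirect to com-businesstimesblog.net) and a URL shape, indexer.php?a=[6 digits]&c=jobcpc&s=hr. The following is an added example, written for this page and not Avast's own detection logic, showing how a practitioner would turn those two observations into an offline check: walk the Location headers from a captured set of HTTP responses, flag any hop whose host is on a blocklist, and flag any hop whose query string matches the pattern. The responses, the 6-digit value, the example.test and loop.test URLs and the blocklist are all constructed for illustration; the only real host names are the two the thread itself names.

```python
"""Offline redirect-chain classifier for the pattern discussed in the thread.

Added example, not Avast's detection code.  The HTTP transactions and the
blocklist below are constructed; nothing here contacts the network.
"""
import re
from urllib.parse import urljoin, urlparse, parse_qs

# Constructed HTTP transactions: requested URL -> (status, Location header or None).
# Hypothetical sample, not a real capture of either site.
SAMPLE_RESPONSES = {
    "http://naijalatest.net/birds.php":
        (302, "http://com-businesstimesblog.net/indexer.php?a=482913&c=jobcpc&s=hr"),
    "http://com-businesstimesblog.net/indexer.php?a=482913&c=jobcpc&s=hr":
        (200, None),
    "http://example.test/old":
        (301, "/new"),                    # relative Location, must be resolved against the request URL
    "http://example.test/new":
        (200, None),
    "http://loop.test/a":
        (302, "http://loop.test/b"),
    "http://loop.test/b":
        (302, "http://loop.test/a"),       # redirect loop; a naive follower would never terminate
}

# Constructed blocklist; the host is the one named in the thread.
BLOCKED_HOSTS = {"com-businesstimesblog.net"}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
SIX_DIGITS = re.compile(r"\d{6}")


def matches_redir_pattern(url: str) -> bool:
    """True if url has the shape .../indexer.php?a=<exactly 6 digits>&c=jobcpc&s=hr."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/indexer.php"):
        return False
    query = parse_qs(parsed.query)
    a_values = query.get("a", [])
    return (len(a_values) == 1
            and SIX_DIGITS.fullmatch(a_values[0]) is not None
            and query.get("c") == ["jobcpc"]
            and query.get("s") == ["hr"])


def follow_chain(start: str, responses: dict, max_hops: int = 10):
    """Walk Location headers from start.  Returns (chain, looped_or_too_long)."""
    chain = [start]
    seen = {start}
    url = start
    for _ in range(max_hops):
        status, location = responses.get(url, (None, None))
        if status not in REDIRECT_STATUSES or not location:
            return chain, False
        url = urljoin(url, location)       # resolves relative Location values
        chain.append(url)
        if url in seen:
            return chain, True             # cycle detected
        seen.add(url)
    return chain, True                     # exceeded max_hops; treat as suspicious


def classify(start: str, responses: dict = SAMPLE_RESPONSES, blocked: set = BLOCKED_HOSTS) -> dict:
    """Verdict for a start URL based on every hop the redirect chain passes through."""
    chain, looped = follow_chain(start, responses)
    reasons = []
    for hop in chain[1:]:
        host = (urlparse(hop).hostname or "").lower()
        if host in blocked:
            reasons.append(f"redirects to blocked host {host}")
        if matches_redir_pattern(hop):
            reasons.append("redirect target matches indexer.php?a=<6 digits>&c=jobcpc&s=hr")
    if looped:
        reasons.append("redirect loop or chain longer than limit")
    return {"chain": chain, "verdict": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    for url in ("http://naijalatest.net/birds.php", "http://example.test/old", "http://loop.test/a"):
        result = classify(url)
        print(url, "->", result["verdict"], "|", "; ".join(result["reasons"]))
```

The point the thread is circling is visible in the output: the start URL is never itself on the blocklist, so checking only the page you typed in (as URLVoid does for naijalatest.net) says nothing; the verdict comes from the hop the browser is sent to. Two details matter in practice and are handled above: a relative Location header must be resolved against the request URL, and a chain must be bounded and cycle-checked, or a hostile server can keep a follower spinning.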

AlecWest

  • Guest
Re: HTML:RedirME-inf [trj]
« Reply #4 on: April 28, 2013, 06:12:59 AM »

If you scan the redirected url with URLVoid, you'll see that it's blacklisted.
http://www.urlvoid.com/scan/com-businesstimesblog.net/


Hmm.  1 database (spamhaus.org) shows it blacklisted, the other 30 databases do not.  So, avast blocks a site based on the say-so of 1 out of 31 databases?  I'm not saying this blockage was unwise.  But spamhaus.org has been known to be "heavy-handed" in the past in adding sites they don't like to their database.  I suspect that, in part, that's why the hacking group "Anonymous" subjected them to DDOS attacks last month.

Thanks for your replies, though.

Regards,
Alec

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • Posts: 2219
    • The WAR Against Malware
Re: HTML:RedirME-inf [trj]
« Reply #5 on: April 28, 2013, 06:21:05 AM »
AFAIK, avast! software does not rely on any specific blacklist.

~!Donovan

AlecWest

  • Guest
Re: HTML:RedirME-inf [trj]
« Reply #6 on: April 28, 2013, 06:30:53 AM »

AFAIK, avast! software does not rely on any specific blacklist.


But according to the link you provided me in your last post, and out of the 31 databases listed, only spamhaus.org's database had them blacklisted.  Was there another factor used by avast in determining that the site should be blocked?  BTW, if you don't recall, spamhaus.org listed "Amazon.com" on one of their 2010 blacklists (sigh).  It was later discovered to be a false-positive.

Regards,
Alec

AlecWest

  • Guest
Re: HTML:RedirME-inf [trj]
« Reply #7 on: May 02, 2013, 04:00:22 PM »
This would be funny if it wasn't so sad.  This morning, I received an email from avast! support.  It had this subject line ("xx" substituted for "tt" to block link):

[#HUL-153742]: hxxp://naijalatest.net/birds.php

And, their message to me read as follows:

avast!: Message body was removed because it contained a virus.

Yup, hehe, either support sent me a message that included a virus ... or the nature of their message referred to a false-positive that avast! "still" considers toxic.  So, whatever avast! support wanted to say to me was lost due to (ahem) avast! sending it into quarantine.

Oh, well.  They tried. 8)

Regards,
Alec

Offline jefferson sant

  • Starting Graphoman
  • Posts: 6674
  • volunteer
Re: HTML:RedirME-inf [trj]
« Reply #8 on: May 02, 2013, 05:41:34 PM »
This would be funny if it wasn't so sad.  This morning, I received an email from avast! support.  It had this subject line ("xx" substituted for "tt" to block link):

[#HUL-153742]: hxxp://naijalatest.net/birds.php

And, their message to me read as follows:

avast!: Message body was removed because it contained a virus.

Yup, hehe, either support sent me a message that included a virus ... or the nature of their message referred to a false-positive that avast! "still" considers toxic.  So, whatever avast! support wanted to say to me was lost due to (ahem) avast! sending it into quarantine.

Oh, well.  They tried. 8)

Regards,
Alec


Report to virus analysts.

detection seems to be correct -- there is redirection to "com-businesstimesblog.net" which is blocked.

Thanks Milos.

AlecWest

  • Guest
Re: HTML:RedirME-inf [trj]
« Reply #9 on: May 06, 2013, 03:55:35 PM »

Report to virus analysts.

detection seems to be correct -- there is redirection to "com-businesstimesblog.net" which is blocked.

Thanks Milos.


I just did.  But this is apparently not a "Trojan Horse" problem.  It's the way "avast!" alerts customers that the referred site is considered a fraudulent site.  And this issue has been talked about as an "avast!" problem since 2011.  For example:

http://forums.majorgeeks.com/showthread.php?t=235875
...and...
http://www.bleepingcomputer.com/forums/t/390551/htmlredirmeinf-trj/

In any case, I just asked support to close their support ticket.  I got a repeat of their May 2nd email - which I couldn't read either because "avast!" (on my computer) blocked ITS OWN EMAIL - sending it to the virus vault.

Regards,
Alec
« Last Edit: May 06, 2013, 04:05:54 PM by AlecWest »

REDACTED

  • Guest
Re: HTML:RedirME-inf [trj]
« Reply #10 on: December 12, 2014, 07:10:16 PM »
I get the same "virus" detection on the domain: http://www.hopper.pw which is a well known reputable website. Here is a scan on virustotal

Why is this still a false negative after years of false reports?!?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • Posts: 33900
  • malware fighter
Re: HTML:RedirME-inf [trj]
« Reply #11 on: December 12, 2014, 10:04:26 PM »
I see an IDS alert for 2014-12-12 21:34:17   2   urlQuery Client    185.21.103.153   ET INFO HTTP Request to a *.pw domain
There has been a rise in malicious .pw URLs being used in spam.
Read:  http://www.domainregistration.com.au/news/2013/1305-pw-domain-spam.php
It is not the .pw domain as such that is malicious; it is where you land that is.
These domains are also abused for Nuclear Pack exploit kit .
Site has been compromised and is most probably harmful -> http://sitecheck.sucuri.net/results/www.hopper.pw#sitecheck-details
Hosting report: http://w3bin.com/domain/hopper.pw
FAIL: Found differences between information provided by your authoritative name servers and glue provided by the parent name servers
& WARNING: Found stealth name servers:
ns.as-webservices.de.:
-> http://www.dnsinspect.com/hopper.pw/1418417178   hosted on a dedicated server: http://whois.domaintools.com/hopper.pw
avast also warns on: htxps://ipv4.www.hopper.pw/detectip/5h9if41c92gw6sasoqeidgyf1xy2d7el/

ISSUES -> https://www.ssllabs.com/ssltest/analyze.html?d=hopper.pw
Vulnerable to the POODLE attack via magnific-popup/ code. Insecure and weak intermediate certificate.

Suspicious in code - hiccup:
netdna dot bootstrapcdn dot com/bootstrap/3.0.0/js/bootstrap.min.js benign
[nothing detected] (script) netdna.bootstrapcdn dot com/bootstrap/3.0.0/js/bootstrap.min.js
     status: (referer=ipv4.wXw.hopper.pw/)saved 27726 bytes 75a42212affc118fef849aba4b9326a7da2acda1
     info: [decodingLevel=0] found JavaScript
     suspicious:
 error: undefined variable head
     info: [element] URL=api.github dot com/repos/asmaps/hopper dot pw?callback=callback
     info: [1] no JavaScript

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
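The DNS findings quoted in the post above ("Found differences between information provided by your authoritative name servers and glue provided by the parent name servers" and "Found stealth name servers") are the kind of check a resolver-side tool runs by comparing two views of the same zone. The following is an added example, not dnsinspect's or Avast's code, that performs that comparison on constructed data: the NS set and glue the parent hands out versus the NS set and A records the zone's own servers return. A name server the zone lists but the parent never delegated is a "stealth" server; a glue address that disagrees with the zone's own record means some resolvers will be steered to a server the zone operator may not control, which is why such a mismatch is worth treating as a FAIL rather than a cosmetic warning. All names and addresses below are constructed; none refer to hopper.pw or its real name servers.

```python
"""Parent-vs-authoritative delegation consistency check.

Added example, not the code of any tool named in the thread.  Both views
are constructed in-line so the check runs offline.
"""
from dataclasses import dataclass, field


def canon(name: str) -> str:
    """Lower-case and strip the trailing dot so 'NS1.Example.TEST.' equals 'ns1.example.test'."""
    return name.lower().rstrip(".")


@dataclass
class NsView:
    """What one side says about a zone: the NS names and any addresses it supplies.

    For the parent, addresses are glue records; for the child, they are the
    zone's own A records for its name servers.
    """
    ns: set
    addresses: dict = field(default_factory=dict)   # ns name -> IPv4 string

    def __post_init__(self):
        self.ns = {canon(n) for n in self.ns}
        self.addresses = {canon(k): v for k, v in self.addresses.items()}


def check_delegation(parent: NsView, child: NsView) -> list:
    """Return human-readable findings; an empty list means the two views agree."""
    findings = []
    stealth = child.ns - parent.ns          # served by the zone, never delegated
    missing = parent.ns - child.ns          # delegated, but the zone does not list it
    for name in sorted(stealth):
        findings.append(f"WARNING: stealth name server {name} "
                        "(listed by the zone, not delegated at the parent)")
    for name in sorted(missing):
        findings.append(f"WARNING: name server {name} delegated at the parent "
                        "but absent from the zone's NS set")
    if stealth or missing:
        findings.append("FAIL: NS set differs between parent delegation and authoritative servers")
    for name in sorted(parent.ns & child.ns):
        glue = parent.addresses.get(name)
        own = child.addresses.get(name)
        if glue and own and glue != own:
            findings.append(f"FAIL: glue for {name} at parent is {glue} "
                            f"but the zone's own record says {own}")
    return findings


# Constructed views of a hypothetical zone (names and addresses are illustrative).
PARENT = NsView(
    ns={"ns1.example-dns.test.", "ns2.example-dns.test."},
    addresses={"ns1.example-dns.test.": "192.0.2.10", "ns2.example-dns.test.": "192.0.2.11"},
)
CHILD = NsView(
    ns={"NS1.example-dns.test", "ns2.example-dns.test", "ns.stealth-example.test"},
    addresses={"ns1.example-dns.test": "192.0.2.10", "ns2.example-dns.test": "198.51.100.5"},
)


def findings_for_sample() -> list:
    return check_delegation(PARENT, CHILD)


if __name__ == "__main__":
    for line in findings_for_sample():
        print(line)
```

Name canonicalisation is not cosmetic: the report in the post prints the stealth server with a trailing dot, and a comparison that forgets to strip it (or to lower-case) will report every server as stealth and mask the real discrepancy.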

Offline jefferson sant

  • Starting Graphoman
  • Posts: 6674
  • volunteer
Re: .
« Reply #12 on: January 23, 2016, 09:31:52 PM »
.



Hello

Tested the link; it is being blocked by Kaspersky,
as shown in

https://www.virustotal.com/en-gb/url/1a6d2553ec47deb068bad9052ceba1e1e54a759e4e75a74751e8a805ff02c01a/analysis/1453578921/

Detection is by KSN cloud

http://quttera.com/detailed_report/www.isumm.ro

Quote
hxxp://localtimes.info/wp_clock.php?country=Romania&province=&city=Baia+Mare&cp3_Hex=963939&cp2_Hex=&cp1_Hex=000000&hbg=1&ham=0&fwdt=150&widget_number=100

TLD Risk  info 100

http://zulu.zscaler.com/submission/show/34605fb1d15eb063d0fff1e13318ee26-1453579844

The Domain is hosted DNS hijack

 ns2.afraid.org
 ns1.afraid.org
 ns1.afraid.org
 ns3.afraid.org
 ns4.afraid.org
 ns4.afraid.org


https://freedns.afraid.org/domain/dnstrace.php?domain=http%3A%2F%2Fwww.isumm.ro%2F&submit=Trace

Offline HonzaZ

  • Avast team
  • Advanced Poster
  • Posts: 1038
Re: HTML:RedirME-inf [trj]
« Reply #13 on: January 25, 2016, 09:55:24 AM »
I do not see any malicious activity on hopper.pw, so I am unblocking it now. ;)