Author Topic: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!  (Read 2701 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
See: https://www.virustotal.com/nl/url/a773006b04536bbd8c83f6de3a4e485f8164e261cffe78cc78dc5f53431e45ba/analysis/
Detected here: http://urlquery.net/report.php?id=3404314 - IDS alert for EXPLOIT-KIT Redkit exploit kit redirection attempt
For the two hidden/malicious iFrames see: http://evuln.com/tools/malware-scanner/thetoponlineshopping.com/
Hidden iFrame found.
size: 2x2
src: htxp://ypagesworld.com/omcd.html?i=779512 -> redirects to htxp://irishbusinessschoolnigeria.com/omcd.html?i=779512
&
Hidden iFrame found.
size: 2x2
src: htxp://ypagesworld.com/omcd.html?i=779512 -> redirects to htxp://irishbusinessschoolnigeria.com/omcd.html?i=779512
Both instances landing here:
http://urlquery.net/report.php?id=3404403

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
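The evuln scanner output quoted above flags iframes by their rendered size (2x2). The script below is an added example, not code from the thread or from urlquery, VT or evuln: it walks an HTML document with Python's standard-library parser and reports every iframe that is sized or styled to be invisible (tiny width/height, display:none, visibility:hidden, or positioned off-screen), together with the src a visitor would be silently redirected to. The sample HTML, the hostnames in it and the 5-pixel threshold are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Iframes at or below this size are effectively invisible (constructed threshold).
TINY_PX = 5


def _px(value):
    """Return the leading integer of a width/height value such as '2', '2px' or ' 560 '."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class HiddenIframeScanner(HTMLParser):
    """Collect <iframe> tags that a user would never see on the rendered page."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").lower()

        # Size may come from the width/height attributes or from inline CSS.
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is None:
            w = _px((re.search(r"width\s*:\s*(\d+)", style) or [None, None])[1])
        if h is None:
            h = _px((re.search(r"height\s*:\s*(\d+)", style) or [None, None])[1])

        reasons = []
        if w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append(f"size: {w}x{h}")
        if re.search(r"display\s*:\s*none", style):
            reasons.append("display:none")
        if re.search(r"visibility\s*:\s*hidden", style):
            reasons.append("visibility:hidden")
        if re.search(r"(?:left|top)\s*:\s*-\d+", style):
            reasons.append("positioned off-screen")

        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def scan_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts, one per hidden iframe, in document order."""
    parser = HiddenIframeScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: two 2x2 injected iframes (as in the scanner output
# quoted in the thread), one CSS-hidden iframe, and one ordinary visible embed.
SAMPLE_HTML = """
<html><body>
<h1>Shop</h1>
<iframe src="http://redirector.example.invalid/omcd.html?i=779512" width="2" height="2"></iframe>
<p>Welcome to our store.</p>
<iframe src="http://redirector.example.invalid/omcd.html?i=779512" width="2" height="2"></iframe>
<iframe src="http://other.example.invalid/x.html" style="display:none; width:100px; height:100px"></iframe>
<iframe src="http://video.example.invalid/embed/abc" width="560" height="315"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_hidden_iframes(SAMPLE_HTML):
        print("Hidden iFrame found:", f["src"], "|", ", ".join(f["reasons"]))
```

Run against a saved copy of a page rather than fetching it live; the point is to reproduce the "hidden iFrame found / size: 2x2" verdict locally so a discrepancy between scanners can be checked against the actual markup.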

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37527
  • Not a avast user

Offline polonus
Re: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!
« Reply #2 on: June 29, 2013, 10:14:26 PM »
OK, Pondus, thanks and with you here, my friend, but the missed detection should be reported to VT...
On the other hand google safebrowsing blocks a visit to the redirected site anyways, so a lot of browser users (like those on fx and chrome) are being protected,
but that is not the point. Topic is about detection discrepancies.....

polonus

Offline polonus
Re: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!
« Reply #3 on: June 29, 2013, 10:54:10 PM »
Scan is no longer actual as this redirect on that site was being taken down: https://www.virustotal.com/nl/url/e0270a6cdb64e07aba02e9b7ff3da27064ea2a3ee6440b2c67764544ecaaf989/analysis/
but main redirect site still blacklisted: https://www.google.com/safebrowsing/diagnostic?site=ypagesworld.com

polonus

Offline polonus
Re: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!
« Reply #4 on: June 30, 2013, 01:17:56 AM »
Another example for this IDS alert: FILE-FLASH Action InitArray stack overflow attempt
See: https://urlquery.net/report.php?id=767696
and the accompanying VT results: https://www.virustotal.com/nl/url/b60fbe6aa2089f040f683b662071d5e010a3e3e8055e55962e9721e532476887/analysis/
Nothing detected! Understandable: https://www.virustotal.com/nl/domain/www.dl.bazisaz.com/information/
and https://www.virustotal.com/nl/ip-address/95.211.80.118/information/

The IDS alerts come from these so-called flash rules:
1   24889   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24890   FILE-FLASH   Action InitArray stack overflow attempt   off   drop   off
1   24891   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24892   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24893   FILE-FLASH   Action InitArray stack overflow attempt   off   drop   off
1   24894   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24895   FILE-FLASH   Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt   off   drop   drop
1   24896   FILE-FLASH   Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt   off   drop   drop

Domain seems down: Down:   NA   RIPE   NL   abuse at leaseweb.com   95.211.80.118    to 95.211.80.118   bazisaz.com   htxp://www.dl.bazisaz.com/edu/gamemaker/gamemaker-01.flv

polonus