Author Topic: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!  (Read 2365 times)

0 Members and 1 Guest are viewing this topic.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
See: https://www.virustotal.com/nl/url/a773006b04536bbd8c83f6de3a4e485f8164e261cffe78cc78dc5f53431e45ba/analysis/
Detected here: http://urlquery.net/report.php?id=3404314 -IDs alert for EXPLOIT-KIT Redkit exploit kit redirection attempt
For the two hidden/malicious iFrames see: http://evuln.com/tools/malware-scanner/thetoponlineshopping.com/
Hidden iFrame found.
size: 2x2     
src: htxp://ypagesworld.com/omcd.html?i=779512 ->redirects tohtxp://irishbusinessschoolnigeria.com/omcd.html?i=779512
&
Hidden iFrame found.
size: 2x2     
src: htxp://ypagesworld.com/omcd.html?i=779512 ->redirects tohtxp://irishbusinessschoolnigeria.com/omcd.html?i=779512
Both instances landing here:
http://urlquery.net/report.php?id=3404403

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37132

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
Re: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!
« Reply #2 on: June 29, 2013, 10:14:26 PM »
OK, Pondus, thanks and with you here, my friend, but the missed detection should be reported to VT...
On the other hand google safebrowsing blocks a vist to the redirected site anyways, so a lot of browser users (like those on fx and chrome) are being protected,
but that is not the point. Topic is about detection discrepancies.....

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
Re: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!
« Reply #3 on: June 29, 2013, 10:54:10 PM »
Scan is no longer actual as this redirect on that site was being taken down: https://www.virustotal.com/nl/url/e0270a6cdb64e07aba02e9b7ff3da27064ea2a3ee6440b2c67764544ecaaf989/analysis/
but main redirect site still blacklisted: https://www.google.com/safebrowsing/diagnostic?site=ypagesworld.com

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33378
  • malware fighter
Re: urlquery does detect EXPLOIT-KIT Redkit, while VT does not!
« Reply #4 on: June 30, 2013, 01:17:56 AM »
Another example for this IDS alert: FILE-FLASH Action InitArray stack overflow attempt
See: https://urlquery.net/report.php?id=767696
and the accompanying VT results: https://www.virustotal.com/nl/url/b60fbe6aa2089f040f683b662071d5e010a3e3e8055e55962e9721e532476887/analysis/
Nothing detected! Understandable: https://www.virustotal.com/nl/domain/www.dl.bazisaz.com/information/
and https://www.virustotal.com/nl/ip-address/95.211.80.118/information/

The IDS alerts comes from theseso-called flash  rules:
1   24889   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24890   FILE-FLASH   Action InitArray stack overflow attempt   off   drop   off
1   24891   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24892   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24893   FILE-FLASH   Action InitArray stack overflow attempt   off   drop   off
1   24894   FILE-FLASH   Action InitArray stack overflow attempt   off   off   drop
1   24895   FILE-FLASH   Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt   off   drop   drop
1   24896   FILE-FLASH   Adobe Flash Player ActionScript bytecode symbolclass tag type confusion attempt   off   drop   drop

Domain seems down: Down:   NA   RIPE   NL   abuse at leaseweb.com   95.211.80.118    to 95.211.80.118   bazisaz.com   htxp://www.dl.bazisaz.com/edu/gamemaker/gamemaker-01.flv

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!