Author Topic: Site with alerts, avast! Web Shield detects as JS:Redirector-KN[Trj]

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33925
  • malware fighter
https://www.virustotal.com/nl/url/8ad2e32ce42d171f5afe05d783e8c72b80df8975d5d3bff1f47a671ff5304591/analysis/1382908173/
and
http://urlquery.net/report.php?id=7219056
IDS alerts for ET CURRENT_EVENTS TDS Sutra - request in.cgi severity 2 & MALWARE-CNC Win.Trojan.Agent variant outbound connection severity 1
iFrame check: Suspicious  <iframe frameborder="0" id="'+math.round(math.random()*100000)+'" width="120" scrolling="no" style="height:200px;backgro
Javascript check: Suspicious href="htxp://ocapojesyradyk.nm.ru/rss.xml" /> <link rel="alternate" type="text/xml" title="rss .92" href="htxp://ocapojesyradyk.nm.ru/rss.xml" /> <link rel="alternate" type="appl...
avast! Web Shield detects as JS:Redirector-KN[Trj]
We have protection, folks,

polonus
« Last Edit: October 27, 2013, 10:40:21 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Site with alerts, avast! Web Shield detects as JS:Redirector-KN[Trj]
« Reply #1 on: October 27, 2013, 10:23:20 PM »
ScanURL gives red: We recommend that you do not visit the specified website/URL (or do so with caution). One or more services we checked with below report that it may be suspicious.

AVG: http://www.avgthreatlabs.com/website-safety-reports/domain/nm.ru/ (Malware detected in the last 7 days)
McAfee: malicious http://www.siteadvisor.com/sites/ocapojesyradyk.nm.ru
Quttera gives 111 suspicious files: http://www.quttera.com/detailed_report/ocapojesyradyk.nm.ru
Zulu gives malicious: http://zulu.zscaler.com/submission/show/1e1edbfd5885f2511d012c4cf9cabc88-1382908998
« Last Edit: October 27, 2013, 10:33:49 PM by Steven Winderlich »
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

Re: Site with alerts, avast! Web Shield detects as JS:Redirector-KN[Trj]
« Reply #2 on: October 27, 2013, 10:49:22 PM »
The redirect that avast! flags has suspicious iFrame: Suspicious <iframe frameborder="0" id="'+math.round(math.random()*100000)+'" width="120" scrolling="no" style="height:200px;backgro  and suspicious javascript: Suspicious href="htxp://ocapojesyradyk.nm.ru/rss.xml" /> <link rel="alternate" type="text/xml" title="rss .92" href="htxp://ocapojesyradyk.nm.ru/rss.xml" /> <link rel="alternate" type="appl...
see: http://jsunpack.jeek.org/?report=53661e4c19452ea6995ee3db5d41a1d3b41f4591
going to htxp://ocapojesyradyk.nm.ru/show3.html, what is actually being flagged by avast! Web Shield as JS:Redirector-KN[Trj]
confirmed here: http://zulu.zscaler.com/submission/show/88b64095996599e294100ffbcda1abc0-1382910333
and http://zulu.zscaler.com/submission/show/1e1edbfd5885f2511d012c4cf9cabc88-1382908998  100/100% malicious

pol