Author Topic: Again the valuable avast! Webshield! (Read 6394 times)

polonus · « **on:** June 16, 2014, 12:14:53 PM »

Only three av will detect (one of which is good old avast!): https://www.virustotal.com/nl/file/607255ccc56416deafe9d9029c7a8d0d9ff6b0fc07ba6e7ba2f9a04eec4708d4/analysis/
See: https://www.virustotal.com/nl/domain/lacusk.com/information/
and http://sitecheck.sucuri.net/results/lacusk.com/ as

and the misrepresentation from here: http://www.domaintuno.com/?
reported to WOT: domaintuno.com/d/lacusk.com?

polonus

polonus · « **Reply #1 on:** June 18, 2014, 09:55:53 PM »

Well here avast! Web Shield detects JS:Decode-BDD[Trj] ->
Trustwave flags site as wirh potential virus behavior, despite this: http://www.statscrop.com/www/napsugarpiheno.hu

pol

Pondus · « **Reply #2 on:** June 18, 2014, 11:19:55 PM »

Quote

Only three av will detect (one of which is good old avast!)

well.... only fresh info is correct info

https://www.virustotal.com/nb/file/607255ccc56416deafe9d9029c7a8d0d9ff6b0fc07ba6e7ba2f9a04eec4708d4/analysis/1403126193/

there is also infection in the js file
https://www.virustotal.com/nb/file/95dac0b1f4ec04ff35fd5100fe4ea26c13db626edaf0d2d9249a7c7e32054f7f/analysis/1403126629/

Killmalware http://killmalware.com/lacusk.com/

urlQuery http://urlquery.net/report.php?id=1403127074061

UP http://www.UnmaskParasites.com/security-report/?page=lacusk.com

polonus · « **Reply #3 on:** June 19, 2014, 01:34:20 PM »

Here avast! Web Shield detects JS:Iframe-DWL[Trj] -> iframes found:
http://sitecheck.sucuri.net/results/choicesupports.org
Code: 302, htxp://jerezdeloscaballeros.org/ewsn.html?h=755681

Redirect to external server!
Excessive header info proliferation: apache/2.2.22 (unix) mod_ssl/2.2.22 openssl/0.9.8e-fips-rhel5 dav/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635
spreading excessive attack info globally and to potential attackers, read:
-> http://www.brianhaddock.com/2011/gaining-shell-access-via-local-file-inclusion-vulnerabilities
-> http://www.exploit-db.com/exploits/19713/

pol

Pondus · « **Reply #4 on:** June 19, 2014, 04:31:06 PM »

Quote from: polonus on June 19, 2014, 01:34:20 PM

Here avast! Web Shield detects JS:Iframe-DWL[Trj] -> iframes found:
http://sitecheck.sucuri.net/results/choicesupports.org
Code: 302, htxp://jerezdeloscaballeros.org/ewsn.html?h=755681

Redirect to external server!
Excessive header info proliferation: apache/2.2.22 (unix) mod_ssl/2.2.22 openssl/0.9.8e-fips-rhel5 dav/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635
spreading excessive attack info globally and to potential attackers, read:
-> http://www.brianhaddock.com/2011/gaining-shell-access-via-local-file-inclusion-vulnerabilities
-> http://www.exploit-db.com/exploits/19713/

pol

VirusTotal
https://www.virustotal.com/nb/file/7fa0eb609c6c31b2eade2a0ee01b5833414b847defeab4c6217ea683d0c45e7d/analysis/1403188205/

polonus · « **Reply #5 on:** June 19, 2014, 05:12:38 PM »

Hi Pondus,

According to Netcraft VirusTotal site is still vulnerable to Heartbleed: http://toolbar.netcraft.com/site_report?url=https://www.virustotal.com

Quote

The site offered the Heartbeat TLS extension prior to the Heartbleed disclosure. The extension is now disabled, but the server is still using the same certificate.

LastPass gives it clean, probably based on more recent information:

Quote

Site:   www.virustotal.com
Server software:   Google Frontend
Was vulnerable:   Possibly (might use OpenSSL, but we can't tell)
SSL Certificate:   The current cert appears to have been reissued recently, likely now safe (2 weeks ago)
Assessment:   Certificate now looks safe, go ahead and change your password

polonus

mchain · « **Reply #6 on:** June 19, 2014, 10:19:07 PM »

Quote from: polonus on June 19, 2014, 01:34:20 PM

Here avast! Web Shield detects JS:Iframe-DWL[Trj] -> iframes found:
http://sitecheck.sucuri.net/results/choicesupports.org
Code: 302, htxp://jerezdeloscaballeros.org/ewsn.html?h=755681

Redirect to external server!
Excessive header info proliferation: apache/2.2.22 (unix) mod_ssl/2.2.22 openssl/0.9.8e-fips-rhel5 dav/2 mod_auth_passthrough/2.1 mod_bwlimited/1.4 frontpage/5.0.2.2635
spreading excessive attack info globally and to potential attackers, read:
-> http://www.brianhaddock.com/2011/gaining-shell-access-via-local-file-inclusion-vulnerabilities
-> http://www.exploit-db.com/exploits/19713/

pol

urlquery confirms redirect: http://urlquery.net/report.php?id=1403207429027

polonus · « **Reply #7 on:** June 20, 2014, 09:35:30 PM »

Another example where avast! Web Shield correctly detects and blocks JS:Agent-BDA[Trj] in the browser executable, threat comes from here: Object: htxp://www.buah-ara.blogspot.com/
SHA1: 50b1069472df5906b9e160b072c7bcb67011c6ac
Name: TrojWare.JS.Agent.JM

We are being protected,

pol

polonus · « **Reply #8 on:** June 21, 2014, 09:55:15 AM »

See: http://sitecheck.sucuri.net/results/webklavye.com
and: http://app.webinspector.com/public/reports/22667027

avast WebShield detects JS:Downloader-KS[Trj]

polonus

polonus · « **Reply #9 on:** June 22, 2014, 05:39:06 PM »

Faced with an inconclusive result
See: http://urlquery.net/report.php?id=1403450287527 missed
and http://quttera.com/detailed_report/bytegraf.com missed
Detected: https://www.virustotal.com/nl/url/f87f84e5806d499cc27b9335c565630cc984c8996a7584ee026e18d5083c7d8e/analysis/1403450530/

avast! Webshield blkocks as URL:Mal, but does not specify URL is subjected to threat Mal/HTMLGen-A,
while this appears to be down.

Damian

polonus · « **Reply #10 on:** June 25, 2014, 01:37:47 PM »

avast! Web Shield blocks and detects JS:Ifarme-CSU[Trj] on see:
https://www.virustotal.com/nl/url/5df585f6dce21560a0ed0104edc78b8256b4163f7a88067cfe2b94852c3bde37/analysis/
and http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2F1903bjk.org
and
http://urlquery.net/report.php?id=1403694178767 (see recent reports on same IP)

polonus

polonus · « **Reply #11 on:** June 25, 2014, 03:29:23 PM »

iFrame malware here: htxp://coherence090611.cocolog-nifty.com/JSTAG_3[d46][108] infected with JS.IFrame.312
avast! Web Shield blocks and detects as JS:Iframe-EO[Trj]
we are being protected,

polonus

Pondus · « **Reply #12 on:** June 25, 2014, 06:51:15 PM »

Quote from: polonus on June 25, 2014, 01:37:47 PM

avast! Web Shield blocks and detects JS:Ifarme-CSU[Trj] on see:
https://www.virustotal.com/nl/url/5df585f6dce21560a0ed0104edc78b8256b4163f7a88067cfe2b94852c3bde37/analysis/
and http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2F1903bjk.org
and
http://urlquery.net/report.php?id=1403694178767 (see recent reports on same IP)

polonus

killmalware http://killmalware.com/www.1903bjk.org/#
sucuri http://sitecheck.sucuri.net/results/www.1903bjk.org/
https://www.virustotal.com/nb/file/2bae36c08431189372a1cfefd99f29036b105705054058888b0dff425a476344/analysis/1403714603/

but not on html

https://www.virustotal.com/nb/file/696e8cdebb8f0c679fbcd8b0209ae63227b6b07cf105c5a0c041635e4192a7b4/analysis/

Pondus · « **Reply #13 on:** June 25, 2014, 06:55:54 PM »

Quote from: polonus on June 25, 2014, 03:29:23 PM

iFrame malware here: htxp://coherence090611.cocolog-nifty.com/JSTAG_3[d46][108] infected with JS.IFrame.312
avast! Web Shield blocks and detects as JS:Iframe-EO[Trj]
we are being protected,

polonus

killmalware http://killmalware.com/coherence090611.cocolog-nifty.com/

VirusTotal
https://www.virustotal.com/nb/file/4e23fb00a8273ee946fefa94c273158557c7a5019b22c2f1e20b75f085ff2f84/analysis/1403715294/

polonus · « **Reply #14 on:** June 25, 2014, 11:47:12 PM »

Due to interference of direct avast! Web Shield blocking of code detected, Dr Web's url checker scan and several others cannot connect and won't give scan results.

polonus