Topic: Chinese video website blocked in a weird way


REDACTED (Guest)
Chinese video website blocked in a weird way
« on: October 17, 2014, 04:49:21 PM »
htxp://www.1905.com/
detected URL:Mal
Mainly for people to watch video

clean: http://zulu.zscaler.com/submission/show/ad299be08a3c0d34ea77ed0ce8855cd2-1413556365
and https://www.virustotal.com/zh-tw/url/4d93bc636b21377a6f90078225482227a111779382d63d59c687ee43fddece8c/analysis/1413556470/

But not here: http://sitecheck.sucuri.net/results/www.1905.com
The iframe blacklist is weird and most probably FP
Quote
iframe src="hxtp://video.baidu.com/v?ct=301989888&rn=20&pn=0&db=0&s=0&fbl=800&otype=dyw&ty=10&fix_tpl=1&ie=utf-8&word='+searchKeyWord+'&ag='+agentPageUrl+'" frameborder="0".......
htxp://video.baidu.com/ ?
Why is baidu frequently blocked (like in quttera and sucuri)? If the video is loaded from baidu, I don't think it is suspicious at all ???.

Edit:
VT for htxp://video.baidu.com/v
https://www.virustotal.com/zh-tw/url/b947f1a48a51199c4282bc9e84fecfbfd4f137f92ee70f5a2aa66e4fea89f994/analysis/1413557755/
and file: https://www.virustotal.com/zh-tw/file/79d4d6b6af34a83eed29492a1651aad4c4495fa2bd9bc8f4cc67c4e13530ed54/analysis/1404519230/
both clean

Edit2:
There is some script that sucuri doesn't like on htxp://video.baidu.com/; is this just suspicious or real malware?
See: http://sitecheck.sucuri.net/results/video.baidu.com
See also the blacklist of baidu.com, the main search engine, as well as something related to music section of baidu in quttera: http://quttera.com/detailed_report/video.baidu.com
« Last Edit: October 17, 2014, 05:06:05 PM by rickyyeung »

Offline Eddy
Re: Chinese video website blocked in a weird way
« Reply #1 on: October 17, 2014, 05:07:37 PM »
You are wrong. VirusTotal doesn't say it is clean.
Quote
VirusTotal makes use of the  symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.

REDACTED (Guest)
Re: Chinese video website blocked in a weird way
« Reply #2 on: October 17, 2014, 05:13:37 PM »
You are wrong. VirusTotal doesn't say it is clean.
Quote
VirusTotal makes use of the  symbol to indicate that the given file was not detected in any way by the antivirus under consideration. We do not use the word "clean" or "innocuous" because antivirus solutions do not tell you whether a file is goodware, they just flag maliciousness.
Of course that doesn't mean it is clean.
I keep encountering a glitch in VT where it won't rescan the file downloaded from the website if a file with the same SHA256 checksum has been scanned before. This is one of those cases, so I'm not sure if it is still clean now. That's why I'm asking if this is a FP or not.

Offline Pondus
Re: Chinese video website blocked in a weird way
« Reply #3 on: October 17, 2014, 05:19:09 PM »
Quote
I keep encountering a glitch in VT where it won't rescan the file downloaded from the website if a file with the same SHA256 checksum has been scanned before.

done   ;)
SHA256:   79d4d6b6af34a83eed29492a1651aad4c4495fa2bd9bc8f4cc67c4e13530ed54
https://www.virustotal.com/en/file/79d4d6b6af34a83eed29492a1651aad4c4495fa2bd9bc8f4cc67c4e13530ed54/analysis/1413558966/


Offline polonus
Re: Chinese video website blocked in a weird way
« Reply #4 on: October 17, 2014, 07:01:50 PM »
Hi rickyyeung,

You keep analyzing website code and questioning detections.
That is a good thing for all of us; your behavior is very attentive and certainly helps Internauts.

Site definitely has issues. But we guessed that it is an IP detection mainly.
Javascript check: Suspicious

? " https://" : " http://"); document.write(unescape("%3cscript src='" + _bdhmprotocol + "hm.baidu.com/h.js%3fbfe9961e25bf081711e59b3f78be82d4' type='text/javascript'%3e%3c/script...

404 error page check:
Suspicious

? " https://" : " http://"); document.write(unescape("%3cscript src='" + _bdhmprotocol + "hm.baidu.com/h.js%3fbfe9961e25bf081711e59b3f78be82d4' type='text/javascript'%3e%3c/script...

ZuluZscaler gives it as clean: http://zulu.zscaler.com/seen/ad299be08a3c0d34ea77ed0ce8855cd2-1413556365

XSS scan results for main url: Number of sources found: 44
Number of sinks found: 948  :o

inner.HTML in : htxp://js.static.m1905.cn/core/jquery-edge.min.js  (41/17)

Cdn Cache Server V2.0 vulnerable - read: http://www.ijiandao.net/article-52640-1.html

undefined variable in code: http://jsunpack.jeek.org/?report=e47b9a2ff61e0409dcd50a7ccd7abe7f04231109

Risk 1 out of 10 here: http://toolbar.netcraft.com/site_report?url=http://afp.m1905.com
Elevated Risk for IP: http://sameid.net/ip/203.130.61.21/  435 domains on one and the same IP.
Badness history: https://www.virustotal.com/nl/ip-address/203.130.61.21/information/

There is a logger installed via /open.rest.m1905.com/logger/Javascript/
even higher risk status: http://toolbar.netcraft.com/site_report?url=http://open.rest.m1905.com

IN SF code x86_64-unknown-linux-gnu%r Help SD4
-> again the infinite picture blocked in certain Chinese sites - already reported by rickyyeung.

: \xb4\xed\xce\xf3
\n
SF:
\xc4\xfa\xcb\xf9\xc7\xeb\xc7\xf3\xb5\xc4\xcd\xf8\xd6\xb7\xa3\xa8URL
SF:\xa3\xa9\xce\xde\xb7\xa8\xbb\xf1\xc8\xa1

polonus
« Last Edit: October 17, 2014, 07:03:25 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
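To see what the two escaped fragments in polonus's post actually contain (the Baidu loader built with JavaScript unescape(), and the nmap SF: fingerprint bytes), here is an added decoder in Python. It is not code from the thread or from any scanner; the samples are copied from the post, and the placeholder `<_bdhmprotocol>` is an assumption standing in for the page's variable that the loader concatenates in the middle.

```python
import re

# Constructed samples, copied from the scanner output quoted in the thread.
# The two percent-escaped literals that document.write(unescape(...)) joins
# around the _bdhmprotocol variable (the fragment is truncated in the post).
UNESCAPE_LITERALS = [
    "%3cscript src='",
    "hm.baidu.com/h.js%3fbfe9961e25bf081711e59b3f78be82d4' type='text/javascript'%3e%3c/script",
]
# The nmap service-fingerprint (SF:) lines as pasted; nmap writes non-ASCII bytes as \xNN.
SF_LINES = [
    r": \xb4\xed\xce\xf3",
    r"\n",
    r"SF:",
    r"\xc4\xfa\xcb\xf9\xc7\xeb\xc7\xf3\xb5\xc4\xcd\xf8\xd6\xb7\xa3\xa8URL",
    r"SF:\xa3\xa9\xce\xde\xb7\xa8\xbb\xf1\xc8\xa1",
]


def js_unescape(s: str) -> str:
    """Mimic the legacy JavaScript unescape(): %XX and %uXXXX become code units."""
    return re.sub(
        r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})",
        lambda m: chr(int(m.group(1) or m.group(2), 16)),
        s,
    )


def decode_sf_fragment(lines, encoding="gbk") -> str:
    """Join nmap SF: lines, turn the \\xNN and \\n escapes back into bytes, decode as text.

    The default is GBK because that is what these bytes turn out to be; pass
    encoding="utf-8" to compare. Undecodable bytes become U+FFFD instead of raising.
    """
    raw = "".join(ln[3:] if ln.startswith("SF:") else ln for ln in lines)
    escapes = {r"\n": b"\n", r"\r": b"\r", r"\t": b"\t", r"\\": b"\\"}
    out, pos = bytearray(), 0
    for m in re.finditer(r"\\x[0-9a-fA-F]{2}|\\[nrt\\]", raw):
        out += raw[pos:m.start()].encode("ascii")
        tok = m.group(0)
        out += bytes([int(tok[2:], 16)]) if tok.startswith(r"\x") else escapes[tok]
        pos = m.end()
    out += raw[pos:].encode("ascii")
    return bytes(out).decode(encoding, errors="replace")


if __name__ == "__main__":
    # "<_bdhmprotocol>" marks where the page inserts its http:// or https:// prefix.
    print("Loader writes:", "<_bdhmprotocol>".join(js_unescape(x) for x in UNESCAPE_LITERALS))
    print("Fingerprint says:", repr(decode_sf_fragment(SF_LINES)))
```

Decoded as GBK, the fingerprint reads "错误" followed by "您所请求的网址（URL）无法获取", i.e. an error page saying the requested URL could not be fetched, not executable content.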

REDACTED (Guest)
Re: Chinese video website blocked in a weird way
« Reply #5 on: October 18, 2014, 04:40:55 AM »
Quote
Badness history: https://www.virustotal.com/nl/ip-address/203.130.61.21/information/
Then this is absolutely an IP block.
A lot of websites from that list are blocked, for example
4399 related websites
ku6 ads related websites
279wo.com
gg.ewang.com


Then I wonder why hxxp://www.7k7k.com (7k7k小遊戲) is not blocked. It is in the list 7k7k.xdwscache.glb0.lxdns.com

I have reported some issues related to this site to avast and I still keep the e-mail response saying that it will be tested. But still it is not blocked. Is RedKit exploit kit safe?

look at this:
hxxp://www.7k7k.com/aoqi/
RedKit exploit
http://urlquery.net/report.php?id=1413476016647
there is malware found in the test page related to cnzz
http://sitecheck.sucuri.net/results/www.7k7k.com
image database is blacklisted by quttera i.7k7kimg.cn
http://quttera.com/detailed_report/www.7k7k.com

hxxp://news.7k7k.com/aobi/ also got RedKit exploit
http://urlquery.net/report.php?id=1413476579816

Offline Pondus
Re: Chinese video website blocked in a weird way
« Reply #6 on: October 18, 2014, 12:48:08 PM »
Quote
I have reported some issues related to this site to avast and I still keep the e-mail response saying that it will be tested. But still it is not blocked. Is RedKit exploit kit safe?
A closer look at the malicious Redkit exploit kit 
http://nakedsecurity.sophos.com/2013/05/09/redkit-exploit-kit-part-2/
http://nakedsecurity.sophos.com/2013/05/03/lifting-the-lid-on-the-redkit-exploit-kit-part-1/
https://blog.malwarebytes.org/exploits-2/2013/04/redkit-exploit-kit-does-the-splits/
http://blogs.mcafee.com/mcafee-labs/red-kit-an-emerging-exploit-pack

The Resurrection of RedKit http://www.kahusecurity.com/2014/the-resurrection-of-redkit/
« Last Edit: October 18, 2014, 12:52:03 PM by Pondus »

Offline polonus
Re: Chinese video website blocked in a weird way
« Reply #7 on: October 18, 2014, 02:50:49 PM »
Hi rickyyeung,

Very legitimate questions about :7k7k.xdwscache.glb0.lxdns dot com,
see: http://totalhash.com/search/dnsrr:7k7k.xdwscache.glb0.lxdns.com
You probably have read that all VIP corporational computers that now make the trip to mainland China,
will make a one-way-trip only. Not that these managerial computers may be full of malware,
but they cannot go back to be hung into the firm's network on return.
Even computers with just a browser OS, because one visit to facebook or the downgraded Chinese https monitoring system (B.F)
make them only fit to be shredded completely - monitoring compromise has sunken in so those computers can no longer be trusted.
I wonder what kind of security these computers will get when making the trip from  Hong Kong.   ;D

But back on topic now. The site you mentioned is located at an Anonymous Proxy - IP 8.37.230.27

No Snort nor Suricata IDS alerts for resurrected RedKit, Borland Delphi 4.0 heuristic trojans,
and you know yourself  how dubious these detections are and they are very FP prone.

General IP badness history: https://www.virustotal.com/nl/ip-address/8.37.230.27/information/
Sites that are blacklisted mainly from Autoshun and via Malware Domain Blocklist.
The site you mention is hosted from Pasadena, USA, with this accompanying herdprotect report:
http://www.herdprotect.com/ip-address-8.37.230.27.aspx
16 websites to keep an eye on: http://sameid.net/ip/8.37.230.27/
The network analysis: http://totalhash.com/network/dnsrr:7k7k.xdwscache.glb0.lxdns.com
Domain info: http://whois.domaintools.com/lxdns.com
Delegation, Nameserver and SOA errors: http://dnscheck.sidn.nl/?time=1413635323&id=1775712&view=basic&test=standard
This is really phishy and we could draw some conclusions from this scan.
Parent child nameserver mismatch can point at manipulative behavior on dns level.
Also shown from the hosting history: 3 registrars with 2 drops; 6 changes on 5 unique name servers over 9 years.
Strange results here from Pasadena: http://toolbar.netcraft.com/site_report?url=http://8.37.230.27  (no results!).
See: https://www.robtex.com/en/advisory/dns/com/lxdns/
Is this from the wsdns.group end in Shanghai, blacklisted by rhsbl.ahbl.org  Netcraft risk 9 out of 10 being compromised.

Classification according to Kleissner's VirusTracker: 7k7k.xdwscache.glb0.lxdns.com,8.37.231.19,,Multiple IPs,

So much so far, happy hunt and many thanks for your website analysis reports,

polonus (volunteer website analyst)