Author Topic: This looks most probably like an invalid website block  (Read 6039 times)


REDACTED

  • Guest
This looks most probably like an invalid website block
« on: October 28, 2014, 02:21:41 PM »
Description: If you understand Chinese, see http://tieba.baidu.com/p/3376774167 and http://tieba.baidu.com/p/3366282608
The problem is that a lot of Chinese websites, when accessed, give the following alert.
hxxp://hm.e.shifen.com/h.js?d0ad46e4afeacf34cd12de4c9b553aa6
URL:Mal


Searching for it gives the Baidu web traffic statistics script (百度網站流量統計, "Baidu website traffic statistics").
So, similar to http://cnzz.mmstat.com/9.gif and http://pcookie.cnzz.com/app.gif, they are a website traffic service only.

See: https://www.virustotal.com/zh-tw/url/1c50edeabafe3e777944ed32fcb0fa7e2405ff0df65b115d21a0252a8727b54d/analysis/
None say it is malicious.

IP check for 61.135.185.140: https://www.virustotal.com/zh-tw/ip-address/61.135.185.140/information/
hxxp://hm.baidu.com/h.js?700d27255db85d8e661e64a1d1078ddc looks like the old name of this website.

Downloaded file: https://www.virustotal.com/zh-tw/file/cf4724b2f736ed1a0ae6bc28f1ead963d9cd2c1fd87b6ef32e7799fc1c5c8bda/analysis/
This is the same file as http://cnzz.mmstat.com/9.gif and http://pcookie.cnzz.com/app.gif.

If cnzz is not being blocked now, is there any reason that this is blocked?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33897
  • malware fighter
Re: This looks most probably like an invalid website block
« Reply #1 on: October 28, 2014, 03:05:52 PM »
Hi rickyyeung,

Again one of your very interesting observations. Baidu dot com is not always safe and secure to use, read http://www.google.com/safebrowsing/diagnostic?site=baidu.com/
Now when we analyze the scripting of one of the links you reported, we see some suspicious code at:
http://jsunpack.jeek.org/?report=677aa2b4d5807cb6fd473abdaec78ff678727df9
Link above is for security research only; open with NoScript active and inside a VM/sandbox environment.
See: https://www.virustotal.com/nl/domain/tb1.bdstatic.com/information/
while the web rep is reasonably good: http://www.urlvoid.com/scan/tb1.bdstatic.com/
a variant of Android/SystemMonitor.A detected, but not by avast!

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: This looks most probably like an invalid website block
« Reply #2 on: October 28, 2014, 03:18:34 PM »
And what is this?
Code:
info: [decodingLevel=0] found JavaScript
     error: line:73: SyntaxError: missing ; before statement:
          error: line:73: ; <div class="hd"> <a class="tab tab active" data-tab="0" href="javascript:;">消息</a> <span>|</span> <a class="tab tab " data-tab="1" href="javascript:;">系统通知 </a></div><div class="
          error: line:73: ...^
     error: line:3: SyntaxError: missing = in XML attribute:
          error: line:3: <!DOCTYPE html><!--STATUS OK--><html><head><meta charset="UTF-8"><meta furl="tieba.baidu.com/f?kw=avast&ie=utf-8" fname="avast"><title>与360冲突,打开360浏览器老出现这个_avast吧_百度贴吧</title><script type="text/javascript">void functi
          error: line:3: ..............^
What is the right translation into English for this "360 conflict etc."?

polonus

REDACTED

Re: This looks most probably like an invalid website block
« Reply #3 on: October 28, 2014, 04:07:13 PM »
Quote from: polonus on October 28, 2014, 03:18:34 PM
And what is this?
[jsunpack output as quoted in Reply #2]
What is the right translation into English for this "360 conflict etc."?

polonus

Hi polonus,

That is the title of the post I found in the Baidu forum. It translates to "(Avast) conflicts with 360 Safe Browser; every time I open it, it gives this alert", where the alert is the one mentioned in the first post here.
360 Safe Browser is a browser created by the same company as Qihoo 360. The poster there seems to have a homepage that uses Baidu web traffic statistics. Avast does not actually conflict with 360 Safe Browser.

rickyyeung

Offline polonus

Re: This looks most probably like an invalid website block
« Reply #4 on: October 28, 2014, 04:43:58 PM »
Well, all 360 software should be removed, as it conflicts with various resident AV solution installations; this is true for Kaspersky's and avast!'s having conflicts with
360 Antivirus
360 Safe
360 Security Guard

Read http://esupport.trendmicro.com/en-us/home/pages/technical-support/internet-security/1061023.aspx
Again, it seems this browser is incompatible with the avast resident AV solution.
So users have to completely uninstall these software packages and preferably also reboot before installing avast! AV, so that it does not give conflicts.
Conflicts could mean the keyboard and mouse stop functioning, or the normal start-up routine and/or safe-mode routine is no longer available.
Here is TrendMicro's support list for removing conflicting security software. I do not know as of now of a similar list for avast AV; I would like it if someone would come up with such a list.

Some software has compatibility declarations in its respective EULA: http://www.trusteer.com/nl/support/compatibility-other-security-software

polonus

REDACTED

Re: This looks most probably like an invalid website block
« Reply #5 on: November 01, 2014, 07:16:57 AM »
Quote
hxxp://hm.e.shifen.com/h.js?d0ad46e4afeacf34cd12de4c9b553aa6
URL:Mal
Just updated to avast 2015. Now I have received a lot of these :(. It looks like it was undetected in the old version??
Or maybe something has changed ???
Just now I am getting this when I access http://www.7k7k.com/
I remember that when I scanned www.7k7k.com in urlquery, it used cnzz.mmstat.com/9.gif.
So it looks like it is indeed the very same website traffic statistics code file.

By the way, is this an IP block? Maybe this can be excluded from the block. It is not really malicious.

Edit: Hmm... not good in APEWS.org.
Oooops 61.135.185.140 is currently listed in APEWS
Entry matching your Query: E-357221
61.135.160.0/19
CASE: C-175
AS4808 CN, ISP permits abuse and/or ignores criminal activity

I remember what "criminal activity" could mean...
Is this valid?

Edit2: I've done some testing. This JS code can be blamed for lagging my browser on Chinese websites. It looks like it is continuously doing some work even though you just stay on that page. But I can't see what action the JS code is doing. Is there malicious action?
« Last Edit: November 01, 2014, 08:08:22 AM by rickyyeung »

REDACTED

Re: This looks most probably like an invalid website block
« Reply #6 on: November 05, 2014, 04:06:07 AM »
Just updated to avast 2015.
I'm getting the same with http://www.tp-link.com/mx/

hxxp://hm.e.shifen.com/h.js?cd55cefb0cb4091d0ac79a94a82eeadb
« Last Edit: November 05, 2014, 06:31:28 PM by Avast N1 »

Offline polonus

Re: This looks most probably like an invalid website block
« Reply #7 on: November 05, 2014, 11:54:00 AM »
Hi AvastN1,

I get a dns error there: WARNING: MX records duplicates (same IP address):
202.181.174.145: [nwt.inbound10.sentry-eds.com. nwt.inbound20.sentry-eds.com.]
59.188.18.158: [nwt.inbound10.sentry-eds.com. nwt.inbound20.sentry-eds.com.]
Although technically valid, duplicate MX records have no benefits and can cause confusion.
Code hiccup: wXw.googletagmanager.com/gtm.js?id=GTM-MJQKTD benign
[nothing detected] (element) wXw.googletagmanager.com/gtm.js?id=GTM-MJQKTD
     status: (referer=www.tp-link.com/common/js/stats.js)saved 24452 bytes 5a033fd0324f1a87c42dbe3802bc827dac7a43fc
     info: [decodingLevel=0] found JavaScript
     suspicious: exceeded runtime

The blocking could be based on a general IP block, see the IP badness history: https://www.virustotal.com/nl/ip-address/61.135.162.37/information/

Also for -hm.e.shifen dot com/h.js
I get [Errno 104] connection reset by peer.
Quote
"Connection reset by peer" is the TCP/IP equivalent of slamming the phone back on the hook. It's more polite than merely not replying, leaving one hanging. But it's not the FIN-ACK expected of the truly polite TCP/IP converseur.
Quote credits: Bunyk, edited by Sam Rad.

The dreamhost.com DNS zone is currently having troubles, so most hostnames within this zone are not resolving.

There is up and active malware running from that website: -hm.e.shifen.com,61.135.185.140,,Criminals,
(result credits: Peter Kleissner's VirusTracker results).

polonus
« Last Edit: November 05, 2014, 12:07:18 PM by polonus »

REDACTED

Re: This looks most probably like an invalid website block
« Reply #8 on: November 05, 2014, 04:04:25 PM »
Quote
There is up and active malware running from that website: -hm.e.shifen.com,61.135.185.140,,Criminals,
(result credits: Peter Kleissner's VirusTracker results).
This agrees with the information in apews.org. So Baidu just put their code on a bad IP :(

One more thing: the following is also blocked:
htxp://click.hm.e.shifen.com/mkt.js
VT result: https://www.virustotal.com/zh-tw/url/0150beba3efba09b172fcd181c0ff9de92ab5bd1105a4bacda87c97610cf9b15/analysis/1415198868/

Different IP: 123.125.112.49
Same reason for blocking in apews.org??
Quote
Oooops 123.125.112.49 is currently listed in APEWS
Entry matching your Query: E-357221
123.125.64.0/18
CASE: C-175
AS4808 CN, ISP permits abuse and/or ignores criminal activity

So one more question: is it also true that criminal activity happens on this IP?
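A check worth doing before reading the APEWS hits quoted in Reply #5 and Reply #8 as evidence against a single host: how wide is the listing? Both hits are the same entry and case (E-357221, C-175) and cover whole netblocks of AS4808, a /19 and a /18, so they describe the provider's address range, not hm.e.shifen.com or click.hm.e.shifen.com individually. The Python below is an added example, not code from this thread or from APEWS; the listing table is constructed from the two entries quoted above and is consulted offline instead of querying APEWS, and the function names (lookup, same_listing, describe) are the example's own.

```python
import ipaddress

# Constructed from the two APEWS hits quoted in this thread (Reply #5 and
# Reply #8).  This is a local table for the example, not a live APEWS query.
APEWS_ENTRIES = [
    {"entry": "E-357221", "case": "C-175", "cidr": "61.135.160.0/19",
     "reason": "AS4808 CN, ISP permits abuse and/or ignores criminal activity"},
    {"entry": "E-357221", "case": "C-175", "cidr": "123.125.64.0/18",
     "reason": "AS4808 CN, ISP permits abuse and/or ignores criminal activity"},
]

# Hostnames and the IPs reported for them in the thread.
THREAD_HOSTS = {
    "hm.e.shifen.com": "61.135.185.140",
    "click.hm.e.shifen.com": "123.125.112.49",
}


def lookup(ip):
    """Return the listing that covers ip, annotated with its width, or None.

    A /32 listing would be a statement about that one host; anything wider
    is a statement about the provider's range and every host inside it.
    """
    addr = ipaddress.ip_address(ip)
    for entry in APEWS_ENTRIES:
        net = ipaddress.ip_network(entry["cidr"], strict=True)
        if addr in net:
            return {
                **entry,
                "hosts_covered": net.num_addresses,
                "host_specific": net.prefixlen == net.max_prefixlen,
            }
    return None


def same_listing(ip_a, ip_b):
    """True if both IPs are covered by the same APEWS entry and case."""
    a, b = lookup(ip_a), lookup(ip_b)
    if a is None or b is None:
        return False
    return (a["entry"], a["case"]) == (b["entry"], b["case"])


def describe(hostname, ip):
    """One-line verdict on what an APEWS hit for this host actually proves."""
    hit = lookup(ip)
    if hit is None:
        return f"{hostname} ({ip}): not in the local APEWS table"
    if hit["host_specific"]:
        return f"{hostname} ({ip}): host-specific listing {hit['entry']}"
    return (f"{hostname} ({ip}): listed only because {hit['cidr']} "
            f"({hit['hosts_covered']} addresses) is listed as "
            f"{hit['entry']}/{hit['case']}; no finding about this host itself")


if __name__ == "__main__":
    for host, ip in THREAD_HOSTS.items():
        print(describe(host, ip))
    print("same entry for both:", same_listing(*THREAD_HOSTS.values()))
```

Run as-is it reports that 61.135.185.140 sits in an 8192-address /19 and 123.125.112.49 in a 16384-address /18, both under the same entry, which answers the "same reason?" question above: yes, and that reason is a netblock policy listing, not an observation about either tracker host. To use the same logic against real APEWS output, replace the constructed table with the entries returned for the addresses you are investigating.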