Author Topic: Threat Blocked by Avast (Read 8500 times)

REDACTED · « **on:** March 15, 2016, 10:48:30 AM »

Today I encountered a threat block by avast, I got quite paranoid since I did not open anything except a website called Ink361 that I just used to view an "instagram profile". The threat blocked was by a url from: "purehotcompany.xyz", infection: URL:MAL might it be a malicious ad that was parked there and was gone afterwards? since I refreshed the page for about an hour nothing else has come up and I know that Ink361 is a legitimate website.

Any Input would be appreciated.

Thanks and Cheers!

Zinedane

polonus · « **Reply #1 on:** March 15, 2016, 11:52:55 AM »

Avast detects a malicious loader from that IP address and flags this as Win32:Evo-gen [Susp], re: https://www.virustotal.com/nl/ip-address/188.112.149.14/information/
Re: http://urlquery.net/report.php?id=1458038006833 & https://sitecheck.sucuri.net/results/purehotcompany.xyz
and https://www.spamhaus.org/query/domain/purehotcompany.xyz
Do not panic as the detection means a suspicious file only.

polonus

REDACTED · « **Reply #2 on:** March 15, 2016, 02:47:25 PM »

My question is why there was suddenly a threat block caused by that specific url while I didn't even visit the site..

Pondus · « **Reply #3 on:** March 15, 2016, 02:53:14 PM »

on Ink361 there are ads, so most likely purehotcompany.xyz belongs to a blacklisted ad URL

Or it may is or have been infected, this is what Sophos say
"Access to this page is blocked as the threat Mal/HTMLGen-A has been found on this website."

https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458049533/

Pondus · « **Reply #4 on:** March 15, 2016, 03:05:28 PM »

it seems the IP just containe crap ad/sales websites as indicated by there names
https://www.virustotal.com/en/ip-address/213.102.25.54/information/

click more button under list(s) for more info

REDACTED · « **Reply #5 on:** March 16, 2016, 12:23:40 AM »

Quote from: Pondus on March 15, 2016, 02:53:14 PM

on Ink361 there are ads, so most likely purehotcompany.xyz belongs to a blacklisted ad URL

Or it may is or have been infected, this is what Sophos say
"Access to this page is blocked as the threat Mal/HTMLGen-A has been found on this website."

https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458049533/

so it's what caused the threat block correct? that Ink361 had a blacklisted ad url or it may have been infected by one at that time?

polonus · « **Reply #6 on:** March 16, 2016, 01:25:11 AM »

Spam Haus states the site, -purehotcompany.xy, is listed in the DBL
so the website blocked for a reason.

When this threat was blocked by Avast you should be OK, no malcode could have had any effect onto your device,
as Avast even prevented your computer from connecting there. Avast has saved your glorious b°h°nd.

polonus

REDACTED · « **Reply #7 on:** March 16, 2016, 01:29:56 AM »

Quote from: polonus on March 16, 2016, 01:25:11 AM

Spam Haus states the site, -purehotcompany.xy, is listed in the DBL
so the website blocked for a reason.

When this threat was blocked by Avast you should be OK, no malcode could have had any effect onto your device,
as Avast even prevented your computer from connecting there. Avast has saved your glorious b°h°nd.

polonus

Yes and I thank avast for doing that, however i'm curious as to what caused it as I did not visit the said site. could it have been an ad on Ink361? that's my main question.

REDACTED · « **Reply #8 on:** March 17, 2016, 12:43:09 AM »

still boggled, did not quite understand the answers

polonus · « **Reply #9 on:** March 17, 2016, 12:58:36 AM »

In plain words the answer means that when Avast blocks a threat, the malware could not have made contact with your computer,
and that you had a lucky escape. Avast protected you from a malware infection! You are safe and secure!

polonus

The cause is a so-called redirect to a malware website when you visit site A that has hidden redirectcode to a malcoded site B (the site you claimed you never clicked, and you did not, but were brought there by infection) you can infested, you never willfully clicked that website but you were directed there through probably hidden obfuscated malcode. Site A could not be aware malcreants have added such a malicious hidden redirect to their website, but Avast detected it and made you could not go there by blocking it. It is a bit sinister story but malcreants work in such hideous ways to infest the unaware and those without protection from Avast.

Damian

REDACTED · « **Reply #10 on:** March 17, 2016, 01:10:18 AM »

Now i get it, Thank you!

would avast also block infected or blacklisted ads? such as Pondus suggested?

polonus · « **Reply #11 on:** March 17, 2016, 01:26:40 AM »

In quite some instances it does, but I would run no risk whatsoever and install a good adblocker like uBlock in the browser.
With all the malicious adware around you cannot live without a decent adblocker now.
On Android I would surf as a ´two-staged rocket´ first install these two apps: Tap&Trust and AdblockBrowser. Now when you have entered your search query in the search bar on the Smartphone first click Tap&Trust and then click AdblockBrowser and your search results will open up without any ads.

polonus

REDACTED · « **Reply #12 on:** March 17, 2016, 01:37:59 AM »

That's really good to know especially since I also use search on my mobile!

would an ad blocker work with my added extensions avast online security and my web of trust though?

I have already reported the instance to Ink361's support as I think it might have been a 1/1000 instance of a bad ad or rather a bad redirect on their page since virustotal shows nothing wrong/suspicious with their website.

polonus · « **Reply #13 on:** March 17, 2016, 01:01:42 PM »

Yep it will work.

pol

Pondus · « **Reply #14 on:** March 17, 2016, 01:51:58 PM »

Quote

since virustotal shows nothing wrong/suspicious with their website.

VirusTotal does not scan websites for infections, it is checking URL against a number of blacklists

The ad URL purehotcompany.xyz is blacklisted
https://www.virustotal.com/en/url/8512ad0a1951dfbd08fcdcf4138ddfd918e1ea2abf117c73f258b8b3640d7bf7/analysis/1458219315/

It also seems to be taken down > http://www.downforeveryoneorjustme.com/http://purehotcompany.xyz/

To scan a website after a VT scan, click "additional information" tab and scroll down to bottom
Click on the Sucuri or Quttera links for website scanning

For scanning website with VT you need to get the html code and upload that to VT as a file