Topic: Bot action from site not detected by avast shield


Offline polonus

Bot action from site not detected by avast shield
« on: April 05, 2010, 11:44:34 PM »
Hi malware fighters,

When visiting here: htxp://scforum.info/  (protected through NoScript and RequestPolicy on)
Wepawet report: http://wepawet.iseclab.org/view.php?hash=dd0517fb2bd1973af580c9e0fd01e5c9&t=1270505213&type=js 
warning there : "The analyzed resource uses an unknown script language (unspecified/VBScript)
This may affect the detection of malicious code"
However, I got an alert from RUBotted: Activity detected.
I looked up the site at Unmask Parasites and got:
This page seems to be <suspicious>
1 suspicious inline script found.
1 hidden external link found.
The suspicious inline script: see picture.
Is this a Joomla! googleanalytics hack for s10.histats.com,
which is malicious? The last time suspicious content
was found on this site was on 2010-03-09.
Here the histats site is found to be clean: http://scanner.novirusthanks.org/analysis/8cf8463b34caa8ac871a52d5dd7ad1ef/aW5kZXg=/

Malicious software includes 15 exploits, 10 trojans.

This site was hosted on 2 network(s) including AS36351 (SOFTLAYER), AS13867 (CNET).
Yes, this site has hosted malicious software over the past 90 days. It infected 35 domain(s), including pageantport.com/, thaiweddingfair.com/, gallerygalore.net/ (the last 2 seem to be cleansed sites now)

pageantport, however, is malware-ridden:

Drive-By Downloads

Threats found: 128
Here is a sample:

polonus
« Last Edit: April 06, 2010, 12:13:53 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: Bot action from site not detected by avast shield
« Reply #1 on: April 06, 2010, 12:22:31 AM »
Send an email in the normal way to virus (at) avast (dot) com. No sample is required; a link to this topic might help, and 'undetected malware - Network Shield malicious site' in the subject.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: Bot action from site not detected by avast shield
« Reply #2 on: April 06, 2010, 12:33:07 AM »
Hi DavidR,

I have sent it according to your instructions. I think this site is suspicious:
http://www.siteadvisor.com/sites/histats.com/summary/

Damian
« Last Edit: April 06, 2010, 12:43:03 AM by polonus »

Offline DavidR

Re: Bot action from site not detected by avast shield
« Reply #3 on: April 06, 2010, 12:36:30 AM »
Hopefully it will be promptly added.

Oops, I forgot to mention the obvious, to give the URL in the body of the email, which presumably you did.

Offline polonus

Re: Bot action from site not detected by avast shield
« Reply #4 on: April 06, 2010, 12:54:54 AM »
Hi DavidR,

I gave all details in the mail, but I made the addresses non-readable, like in malware dot com,
for instance.
What they did is use a googleanalytics hack that made loads of victims not so long ago
on histats dot com, an ad tracking site similar to googleanalytics,
to be able to serve victims up with a nasty Generic PWS.y trojan
through an HTTP Malicious Toolkit IFrame Injection.
We certainly are getting better at analyzing this.
I hope the folks at histats dot com have cleansed it from their site;
else the avast folks have to add it to their detection.
Well, suspicious is suspicious, and that should not be there, period.

polonus

armando38

Re: Bot action from site not detected by avast shield
« Reply #5 on: May 14, 2010, 02:31:14 PM »
FYI, SCforum.info is a well-known security forum.  ;)

This month these guys have a 3rd Anniversary Contest with sponsored awards from BitDefender, Panda Security & SUPERAntiSpyware: http://www.scforum.info/index.php?topic=4136.0

There is no chance that it's infected with some Malware.

« Last Edit: May 14, 2010, 02:54:55 PM by armando38 »