Author Topic: false positives  (Read 4174 times)

0 Members and 1 Guest are viewing this topic.

arconreef

  • Guest
false positives
« on: July 01, 2010, 07:46:06 PM »
Avast has reported a virus at downthemall dot net. I completely trust this site, and I have gone to there before without any problems. It is possible that the website was hijacked, but if so I don't really care on this computer, because I don't use it for anything personal. How can I stop AVG from blocking this website?

ardvark

  • Guest
Re: false positives
« Reply #1 on: July 01, 2010, 08:15:39 PM »
Avast has reported a virus at downthemall dot net. I completely trust this site, and I have gone to there before without any problems. It is possible that the website was hijacked, but if so I don't really care on this computer, because I don't use it for anything personal. How can I stop AVG from blocking this website?

Hi...

An FP or hijacking is possible, although Online Link Scan reports the site as clean. I'm curious, how does AVG figure into this? Do you have a AVG product installed alongside avast?

Regards...
« Last Edit: July 01, 2010, 08:17:27 PM by ardvark »

arconreef

  • Guest
Re: false positives
« Reply #2 on: July 01, 2010, 08:25:56 PM »
Sorry, that was just an error on my part, I meant Avast...  :-X

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37161
  • Not a avast user
Re: false positives
« Reply #3 on: July 01, 2010, 08:28:27 PM »
NoVirusThanks - downthemall.net - 7/16 - INFECTED
http://scanner.novirusthanks.org/analysis/99bf7e26e01f850e178a025171b620ec/aW5kZXg=/

VirusTotal - downthemall.net - 11/41
http://www.virustotal.com/analisis/59ff8d452e248a4a84b7d35f397bac2439532d72ac3ccacee914f23726eebace-1278009099

This page seems to be <suspicious> 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.downthemall.net

I think someone have been " downthemall " and done some website tuning... :o
« Last Edit: July 01, 2010, 08:40:59 PM by Pondus »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: false positives
« Reply #4 on: July 01, 2010, 08:54:50 PM »
Hi arconreef, ardvark and Pondus,

Pondus, you are so right, because the site is suspicious, because of 1 suspicious inline script found,
see atttached gif image..
What has been found on that site is reported here: http://www.google.com/safebrowsing/diagnostic?site=downthemall.net
Reported as suspicious also here:
 http://wepawet.iseclab.org/view.php?hash=b015b380e12e4e866cab972801cec898&t=1278010699&type=js

Apparently the malcode comes from twitter,see: http://pastebin.com/mZ1JGhYF
but it is a Joomla malware script: http://www.google.com/support/forum/p/Webmasters/thread?tid=256902d9865b7cbd&hl=en
Joomla there was maliciously injected, my good anti-malware friends,
There is another suspicious hidden link there: pfgjmeepoxk.com/ld/goldmn  suspicious:
and the last time suspicious content was found on this site by google was on 2010-07-01.

    Malicious software includes 397 scripting exploits, 212 exploits, 26 trojans.

    This site was hosted on 66 networks including AS3269 (TELECOM), AS7132 (SBIS), AS7725 (COMCAST).

Has this site acted as an intermediary resulting in further distribution of malware?
Has this site hosted malware? See: http://amada.abuse.ch/?search=pfgjmeepoxk.com

    Yes, this site has hosted malicious software and it infected 13 domains, including lambdastreaming.com/, elbukanero.com/, trueblood-online.com/.



polonus
« Last Edit: July 01, 2010, 09:22:46 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: false positives
« Reply #5 on: July 01, 2010, 09:33:29 PM »
Hi malware fighters,

Good news for you, giving in: htxp://pfgjmeepoxk.com/ld/goldmn/
Do not repeat this, it will give an avast flag for S:Prontexi-CG [Trj]
About this ad-poisoning malware the avast bloggers reported here
: http://blog.avast.com/2010/02/18/ads-poisoning-%E2%80%93-jsprontexi/

So I think we thoroughly analyzed this malware site.
Thanks, Pondus, for your malcode scanning contributions,
this really must make a difference for our users,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37161
  • Not a avast user

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33582
  • malware fighter
Re: false positives
« Reply #7 on: July 01, 2010, 11:13:38 PM »
Hi malware fighters,

About that script there: htxp://webcache.googleusercontent.com/search?q=cache:ianycP-2efQJ:www.astalavista.com/index.php%3Fapp%3Dmailinglists%26do%3Dview%26mid%3D1%26id%3D90401+7FtuQd8!90%3B0!+0%3Bgy~t%3Fg%3Edg%3Edbu~tcKyMK%24M%3Eaeubi%3E|u~wdx%2Brbuq&cd=8&hl=en&ct=clnk
And the new malware wave: http://www.securityfocus.com/archive/1/511164/30/0/threaded

http://pastebin.com/mZ1JGhYF
Something in the obfuscated code translates to:
Code: [Select]
cc='%3c%5c%2fscript%3e';window["e"+""+/ signs of an attack site...

polonus

Hi malware fighters, what I prescribe in forthcoming cases, feed the obfuscated packed code here:
http://www.strictly-software.com/unpack-javascript.aspx
Now click unpack, then feed this into jsunpack with NS active in the browser, just for experts (code may spill or worse), now google initial part of code with google and read explanations of what it does (links from web application tool forums, security sites, etc.) now we will have a good idea what the code is aiming at and what the threat may be about, also if as there is here a malicious iFrame is involved, good hunting, folks,

D
« Last Edit: July 02, 2010, 12:14:07 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

ardvark

  • Guest
Re: false positives
« Reply #8 on: July 02, 2010, 02:28:30 AM »
NoVirusThanks - downthemall.net - 7/16 - INFECTED
http://scanner.novirusthanks.org/analysis/99bf7e26e01f850e178a025171b620ec/aW5kZXg=/

VirusTotal - downthemall.net - 11/41
http://www.virustotal.com/analisis/59ff8d452e248a4a84b7d35f397bac2439532d72ac3ccacee914f23726eebace-1278009099

This page seems to be <suspicious> 1 suspicious inline script found.
http://www.UnmaskParasites.com/security-report/?page=www.downthemall.net

Hi all...

Looks like I should have tried additional scanners. ::)

Regards...