Author Topic: Site suspicious or not? - no, found malicious!


polonus
Site suspicious or not? - no, found malicious!
« on: July 05, 2010, 08:58:17 PM »
Hi malware fighters,

This site is being flagged by Unmasked Parasites, and in Google search results it says this site may harm your computer. What is the actual status of the site? wXw.maxconline.com/
http://wepawet.iseclab.org/view.php?hash=20979ca72d669e42862d3596ff6d17c1&t=1278355648&type=js
Trying to analyze the site with jsunpack, I get a trojan downloader alert from avast: JS:Downloader-RW[Trj]

Dump code of the site attached.

polonus
« Last Edit: July 06, 2010, 07:20:04 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

superhacker
Re: Site suspicious or not?
« Reply #1 on: July 05, 2010, 09:40:25 PM »
I think it is a clear site.
We all do something wrong, even Google ;)
Dreams don't die, they just fall asleep.

polonus
Re: Site suspicious or not?
« Reply #2 on: July 05, 2010, 09:45:22 PM »
Yep, Superhacker,

So that is the old dirt we see from blocklisting.

polonus

superhacker
Re: Site suspicious or not?
« Reply #3 on: July 05, 2010, 09:46:59 PM »
I don't like the idea of whitelisting and blacklisting, but I like really testing ;D

polonus
Re: Site suspicious or not?
« Reply #4 on: July 05, 2010, 09:57:35 PM »
Hi superhacker,

You are so right, because with both whitelisting and blacklisting you always run after the facts: a site could have just been cleansed by the webmaster or the hosting provider, or the site could have been hacked just the minute before by the malcoder and cybercriminal. With the infection patterns and the automatic toolkit infections by script kiddies and tools today, we never know where the malcoding sharks are; we can detect their tail fins and they can smell our blood, but we did not yet have our hooks into the malware there, so we have to detect live code patterns online, for instance: <iframe scrolling="no" width="1" height="1" border="0" frameborder="0" src="htxp://dsystem.serveirc
Here is a Google request for that type of iFrame malcode, where you may learn a lot, superhacker:
http://www.google.com/search?client=flock&channel=fds&q=%3Ciframe+scrolling%3D%22no%22+width%3D%221%22+height%3D%221%22+border+%3D%220%22+frameborder%3D%220%22+src%3D&ie=utf-8&oe=utf-8&aq=t

The man that knows how to search, you know now how valuable he is?

polonus

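The hidden 1x1 off-site iframe polonus quotes above is one of the "live code patterns" a defender can look for in fetched page source. The following is an added example, not code from the thread or from any of the tools mentioned; the sample HTML and the host malicious-host.invalid are constructed placeholders, and the size threshold max_px is an assumption.

```python
import html.parser
from urllib.parse import urlparse

# Constructed sample page (not from the forum post): a normal embed plus one
# injected 1x1 iframe of the kind quoted in the thread, pointing at a placeholder host.
SAMPLE_HTML = """<html><body><h1>Welcome</h1>
<iframe src="https://www.example.com/embed" width="600" height="400"></iframe>
<iframe scrolling="no" width="1" height="1" border="0" frameborder="0"
 src="http://malicious-host.invalid/x/?src=sftmaster"></iframe>
</body></html>"""


class IframeCollector(html.parser.HTMLParser):
    """Collect the attributes of every <iframe> start tag in the document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _px(value, default=1000):
    """Parse a width/height attribute; unparsable or missing values count as large (benign)."""
    try:
        return int(value.strip().rstrip("px"))
    except (AttributeError, ValueError):
        return default


def find_hidden_iframes(page_html, page_url, max_px=10):
    """Return the src of each iframe that is tiny (<= max_px in either dimension)
    and loads from a host other than the page's own. Tiny off-site frames are a
    classic injection pattern; a hit is a reason to inspect, not proof of compromise."""
    collector = IframeCollector()
    collector.feed(page_html)
    own_host = urlparse(page_url).hostname
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        tiny = _px(attrs.get("width")) <= max_px or _px(attrs.get("height")) <= max_px
        frame_host = urlparse(src).hostname
        if tiny and frame_host and frame_host != own_host:
            hits.append(src)
    return hits


if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML, "https://www.example.com/"):
        print("suspicious hidden iframe:", src)
```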

Goni (Guest)
Re: Site suspicious or not?
« Reply #5 on: July 06, 2010, 05:33:09 PM »
It's not clean,
Avast detects: JS:Downloader-RW[Trj]

polonus
Re: Site suspicious or not?
« Reply #6 on: July 06, 2010, 07:02:58 PM »
Hi Goni,

Detected here: http://www.google.com/safebrowsing/diagnostic?site=maxconline.com
You get the alert as you allow NS in the browser and it directs to
htxp://presarioproductions.com/maxc, and there the
JS:Downloader-RW[Trj] is found.
DrWeb URL checked: htxp://presarioproductions.com/maxc redirects to htxp://presarioproductions.com/maxc/

Checking: htxp://presarioproductions.com/maxc/Scripts/AC_RunActiveContent.js
File size: 3233 bytes
File MD5: db8f4e6949c0fc0fc9cadf85d02e099a

htxp://presarioproductions.com/maxc/Scripts/AC_RunActiveContent.js - Ok

Checking: htxp://presarioproductions.com/maxc/
Engine version: 5.0.2.3300
Total virus-finding records: 1541554
File size: 10.80 KB
File MD5: 9dd669feb48ef3b580cbbbe99d881a5e

hxtp://presarioproductions.com/maxc/ infected with JS.Redirector.64

Partly unrated at URLVoid, but Unmasked Parasites found it suspicious, the last time on 2010-07-05.

Malicious software includes 11 trojans, 10 exploits, 8 scripting exploits. Successful infection resulted in an average of 2 new processes on the target machine.

Malicious software is hosted on 6 domains including kemidi.in/, which is a Latvian site with the following threats:
Threats found: 3
Here is a complete list:
Threat Name:    MSIE Java Deployment Toolkit Input Invalidation
Location:    htxp://kemidi.in/x/?src=sftmaster&id=qqq&o=o

Threat Name:    MSIE ADODB.Stream Object File Installation Weakness
Location:    htxp://kemidi.in/x/?src=kostes&id=media&o=o&ID=18254&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU5ESTVNak0wSWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRBMk56RTNJanR6T2pRNkltdHdjR2tpTzNNNk5Eb2lNalk0T1NJN2ZYTTZNem9pYldRMUlqdHpPak15T2lKaU0yRTNZakk0WWpNeFlUQTNNV1l5TldVNVpXUm1abVZrWmpObVltTXhZaUk3ZlE9PQ%3D%3D

Threat Name:    MSIE ADODB.Stream Object File Installation Weakness
Location:    htxp://kemidi.in/x/?src=kostes&id=media&o=o&ID=18254&fb=WVRveU9udHpPamc2SW5WelpYSmtZWFJoSWp0aE9qTTZlM002TWpvaWFXUWlPM002TmpvaU5EWTNNakkxSWp0ek9qRXlPaUpoWkhabGNuUnBjMlZmYVdRaU8zTTZOam9pTVRBMk56RTNJanR6T2pRNkltdHdjR2tpTzNNNk5Eb2lNVFF4T0NJN2ZYTTZNem9pYldRMUlqdHpPak15T2lKbVptWTBaV00xT1RsbU1XRTNZamMxWldGbFpUZzBZak5sTmpBeU1qWXlOQ0k3ZlE9PQ%3D%3D

dsystem.serveirc.com/, maybe cleansed now...
vipemu.in/:
Threats found: 1
Here is a complete list:
Threat Name:    MSIE Java Deployment Toolkit Input Invalidation
Location:    htxp://vipemu.in/x/?src=sftmaster&id=ust111&o=o

1 domain appears to be functioning as an intermediary for distributing malware to visitors of this site, including dsystem.serveirc.com/.

This site was hosted on 1 network(s) including AS26496 (PAH).

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, wxw.presarioproductions.com appeared to function as an intermediary for the infection of 1 site including maxconline.com/.

See attached gif image.
« Last Edit: July 06, 2010, 07:10:30 PM by polonus »