Author Topic: Maybe false positive  (Read 5527 times)

12-es_csaj

  • Guest
Maybe false positive
« on: September 02, 2010, 05:21:42 PM »
I had written into avast! blog before I registered here.
I am a member of a Hungarian forum where we discuss antivirus products (unfortunately, they don't like avast). A few days ago, somebody put a link in the forum that Avira blocked. We saw the site, and only my avast! blocked it; Norton, Kaspersky, NOD32, Malwarebytes' Anti-Malware, F-Secure didn't. A guy sent the link to Avira, Avira analysed it, and answered: the site is clean.
But in the avast! blog, somebody told me that the main site contains two malicious codes.
The site: http://www.cinober.hu/
Analysis from Virustotal's link-analyser:
Firefox   Clean site
Google Safebrowsing   Clean site
Opera   Clean site
ParetoLogic   Clean site
Phishtank   Clean site
Smartscreen   Clean site
TRUSTe   Clean site


PS: Sorry, my English is not so good.  :-\

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37151
  • Not a avast user
Re: Maybe false positive
« Reply #1 on: September 02, 2010, 05:46:23 PM »
« Last Edit: September 02, 2010, 05:52:58 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37151
  • Not a avast user
Re: Maybe false positive
« Reply #2 on: September 02, 2010, 05:47:54 PM »
Report   2010-09-02 17:52:04 (GMT 1)
Website   cinober.hu
Domain Hash   60510bf1f60fd3fd6285a0e42c01b775
IP Address   212.40.96.85 [SCAN]
IP Hostname   Kraeta.externet.hu
IP Country    HU (Hungary)
AS Number   12594
AS Name   EXTERNET-AS EXTERNET Autonomus System
Detections   1 / 17 (6 %)
Status   SUSPICIOUS
      
Scanning site with:   AMaDa     CLEAN
Scanning site with:   BrowserDefender     UNRATED
Scanning site with:   DNS-BH     CLEAN
Scanning site with:   Google Diagnostic     CLEAN
Scanning site with:   hpHosts     UNRATED
Scanning site with:   Malware Domain List     CLEAN
Scanning site with:   Malware Patrol     CLEAN
Scanning site with:   MyWOT     SUSPICIOUS
Scanning site with:   Norton SafeWeb     CLEAN
Scanning site with:   ParetoLogic URL Clearing House     CLEAN
Scanning site with:   PhishTank     CLEAN
Scanning site with:   SURBL     CLEAN
Scanning site with:   Threat Log     CLEAN
Scanning site with:   TrendMicro Web Reputation     CLEAN
Scanning site with:   URIBL     CLEAN
Scanning site with:   Web Security Guard     UNRATED
Scanning site with:   ZeuS Tracker     CLEAN
« Last Edit: September 02, 2010, 05:52:19 PM by Pondus »

12-es_csaj

  • Guest
Re: Maybe false positive
« Reply #3 on: September 02, 2010, 05:58:55 PM »
Thank you!
But it seems not a very dangerous malware because not too many antiviruses know it.

Altarir.

  • Guest
Re: Maybe false positive
« Reply #4 on: September 02, 2010, 06:02:34 PM »
But it seems not a very dangerous malware because not too many antiviruses know it.

What? It only means that the malware is new or well-disguised.

Also, 14/43 is quite A LOT of antiviruses.

12-es_csaj

  • Guest
Re: Maybe false positive
« Reply #5 on: September 02, 2010, 06:43:48 PM »
It can't be new. The comment was written on the 30th of August in the Hungarian forum which I mentioned.
There are lots of malicious codes that are usually known by LOTS OF antiviruses (30 or higher), and avast often doesn't know them... :(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87628
  • No support PMs thanks
Re: Maybe false positive
« Reply #6 on: September 02, 2010, 06:57:53 PM »
There is something very fishy about this page. First, there is a huge chunk of obfuscated code at the start of the page, see image example; this goes on for some way to the right and below.

Secondly, there doesn't appear to be any conventional HTML coding for the page; all of the content appears to be imported using another obfuscated script tag. See image2: all of this is on a single line, which I have broken down to make it easier to view in the image.

See image3, which is the obfuscated script tag (in image2); it generates no less than 3 iframe tags with a 1x1 pixel width and height, trying to hide. So all in all highly suspect. The 79.135.152.181 IP address to which these iframes point is in Latvia.

Thank you!
But it seems not a very dangerous malware because not too many antiviruses know it.

You will never know if it is dangerous or not, as what is at the end of the targeted IP 79.135.152.181 could change on a daily or more frequent basis. What is being detected here is the exploitation and not the malware at the other end of the attack.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 23.4.6062 (build 23.4.8118.762) UI 1.0.762/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
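As an added illustration (not code from this thread or from any of its posters): a small Python heuristic that flags the kind of iframe DavidR describes above, i.e. 1x1 pixel frames, frames hidden by CSS, or frames whose src is a bare IP address rather than a hostname. The sample HTML and the 192.0.2.10 address are constructed for the example.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the real site): script-injected iframes of the
# kind described in the thread. 192.0.2.10 is an RFC 5737 documentation
# address standing in for the remote host.
SAMPLE_HTML = """<html><body><p>Welcome</p>
<iframe src="http://192.0.2.10/in.cgi?3" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://192.0.2.10/x/" style="display:none; width:0px"></iframe>
<iframe src="https://www.example.com/embed/video" width="640" height="360"></iframe>
</body></html>"""

# src beginning with a raw IPv4 address instead of a hostname
BARE_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?(?:[/?#]|$)", re.I)
class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def _tiny(value):
    """True for a width/height of 0 or 1 pixel ("1", "1px", "0")."""
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1

def suspicious_iframes(html):
    """Return [(src, reasons)] for iframes that look like drive-by carriers:
    1x1 size, hidden via CSS, or pointing at a bare IP address."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        reasons = []
        style = a.get("style", "").replace(" ", "").lower()
        if _tiny(a.get("width", "")) and _tiny(a.get("height", "")):
            reasons.append("1x1 pixel frame")
        if any(h in style for h in ("display:none", "visibility:hidden", "width:0")):
            reasons.append("hidden by CSS")
        if BARE_IP.match(a.get("src", "")):
            reasons.append("src is a bare IP address")
        if reasons:
            findings.append((a.get("src", ""), reasons))
    return findings

if __name__ == "__main__":
    for src, why in suspicious_iframes(SAMPLE_HTML):
        print(src, "->", ", ".join(why))
```

On the constructed sample the two frames pointing at the bare IP are reported (one as a 1x1 frame, one as CSS-hidden) while the normal-sized embed from a hostname is not; a defender would run this over a fetched copy of the page after the obfuscated script has been rendered, since the frames here are generated by script rather than present in the static HTML.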

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37151
  • Not a avast user
Re: Maybe false positive
« Reply #7 on: September 02, 2010, 06:58:12 PM »
VirusTotal - First seen: 2010-09-02 15:43:53

12-es_csaj

  • Guest
Re: Maybe false positive
« Reply #8 on: September 05, 2010, 02:17:59 PM »
VirusTotal's link analyser finds the site clean, but avast! blocks it... So no changes...

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37151
  • Not a avast user
Re: Maybe false positive
« Reply #9 on: September 05, 2010, 02:35:17 PM »
That is only the reputation scan. If you click the link at the top, " View Downloaded File Analysis ", you get the analysis of the HTML file.

VirusTotal - index.html - 13/43
http://www.virustotal.com/file-scan/report.html?id=804d9d86519aa0466c8bd74055f3e4a3619a78cf63263c0d8e9c0589a1ab6459-1283689794

NoVirusThanks - 9/16 - INFECTED
http://scanner2.novirusthanks.org/analysis/1e181fbbe4e3a6af3a0192c73a96d21e/aW5kZXg=/

VirScan - 12/36
http://virscan.org/report/df6e61f94ddfa5fcc7441401c3d0638c.html

Jotti's malware scan - 10/19
http://virusscan.jotti.org/en/scanresult/dfcc90d91989de0f53ac1a2f66d7b216d19eba27
« Last Edit: September 05, 2010, 03:15:31 PM by Pondus »