Author Topic: Maybe false positive (Read 5814 times)

12-es_csaj · « **on:** September 02, 2010, 05:21:42 PM »

I had written into avast! blog before I registered here.
I am a member of a Hungarian forum where we discuss about antivirus products (unfortunately, they don't like avast). Few days ago, somebody put in the forum a link that Avira blocked. We saw the site, and only my avast! blocked it, Norton, Kaspersky, NOD32, Malwarebytes' Anti-Malware, F-Secure didn't. A guy sent the link to Avira, Avira analysed it, and answered: the site is clean.
But in avast! blog, somebody said me that the main site contains two malicious codes.
The site: http://www.cinober.hu/
Analysis from Virustotal's link-analyser:
Firefox   Clean site
Google Safebrowsing   Clean site
Opera   Clean site
ParetoLogic   Clean site
Phishtank   Clean site
Smartscreen   Clean site
TRUSTe   Clean site

Ps: Sorry, my English is not so good. $:-\$

Pondus · « **Reply #1 on:** September 02, 2010, 05:46:23 PM »

well it is not only avast that does not like it

VirusTotal - index.html - 14/43
http://www.virustotal.com/file-scan/report.html?id=e21609cfede5a09eadb3c5fb6faa50a92da92565d45f07bc841e4681f1aa3250-1283442233

Pondus · « **Reply #2 on:** September 02, 2010, 05:47:54 PM »

Report   2010-09-02 17:52:04 (GMT 1)
Website   cinober.hu
Domain Hash   60510bf1f60fd3fd6285a0e42c01b775
IP Address   212.40.96.85 [SCAN]
IP Hostname   Kraeta.externet.hu
IP Country    HU (Hungary)
AS Number   12594
AS Name   EXTERNET-AS EXTERNET Autonomus System
Detections   1 / 17 (6 %)
Status   SUSPICIOUS

Scanning site with:   AMaDa     CLEAN
Scanning site with:   BrowserDefender     UNRATED
Scanning site with:   DNS-BH     CLEAN
Scanning site with:   Google Diagnostic     CLEAN
Scanning site with:   hpHosts     UNRATED
Scanning site with:   Malware Domain List     CLEAN
Scanning site with:   Malware Patrol     CLEAN
Scanning site with:   MyWOT     SUSPICIOUS
Scanning site with:   Norton SafeWeb     CLEAN
Scanning site with:   ParetoLogic URL Clearing House     CLEAN
Scanning site with:   PhishTank     CLEAN
Scanning site with:   SURBL     CLEAN
Scanning site with:   Threat Log     CLEAN
Scanning site with:   TrendMicro Web Reputation     CLEAN
Scanning site with:   URIBL     CLEAN
Scanning site with:   Web Security Guard     UNRATED
Scanning site with:   ZeuS Tracker     CLEAN

12-es_csaj · « **Reply #3 on:** September 02, 2010, 05:58:55 PM »

Thank you!
But is seems not a very dangerous malware because not too many antiviruses know it.

Altarir. · « **Reply #4 on:** September 02, 2010, 06:02:34 PM »

Quote from: 12-es_csaj on September 02, 2010, 05:58:55 PM

But is seems not a very dangerous malware because not too many antiviruses know it.

what? it only means that malware is new or well-disguised.

also, 14/43 is quite A LOT of antiviruses

12-es_csaj · « **Reply #5 on:** September 02, 2010, 06:43:48 PM »

It can't be new. The comment was written in 30th of August in the Hungarian forum which I mentioned.
There are lots of malicious codes that usually known by LOTS OF antiviruses (30 or higher), and avast often doesn't know them...

DavidR · « **Reply #6 on:** September 02, 2010, 06:57:53 PM »

There is something very fishy about this page, first there is a huge chunk of obfuscated code at the start of the page, see image example, this goes on fro some way to the right and below.

Secondly there doesn't appear to be any conventional HTML coding for the page, all of the content appears to be imported using another obfuscated script tag. See image2 all of this is on a single line, which I have broken down to make it easier to view in the image.

See image3 which is the obfuscated script tag (in image2) and it generates no less than 3 iframe tags with a 1X1 pixel width and height, trying to hide. So all in all highly suspect. the 79.135.152.181 IP address to which these iframes point is in Latvia.

Quote from: 12-es_csaj on September 02, 2010, 05:58:55 PM

Thank you!
But is seems not a very dangerous malware because not too many antiviruses know it.

You will never know if it is dangerous or not as what is at the end of the targeted IP 79.135.152.181 could change on a daily or more frequent basis. What is being detected here is the exploitation and not the malware at the other end of the attack.

Pondus · « **Reply #7 on:** September 02, 2010, 06:58:12 PM »

VirusTotal - First seen: 2010-09-02 15:43:53

12-es_csaj · « **Reply #8 on:** September 05, 2010, 02:17:59 PM »

The Virustotal's link analyser finds the site clean; but avast! blocks it... So no changes...

Pondus · « **Reply #9 on:** September 05, 2010, 02:35:17 PM »

That is only the reputation scan, if you click the link on top " View Downloaded File Analysis " you get the analysis of the HTML file

VirusTotal - index.html - 13/43
http://www.virustotal.com/file-scan/report.html?id=804d9d86519aa0466c8bd74055f3e4a3619a78cf63263c0d8e9c0589a1ab6459-1283689794

NoVirusThanks - 9/16 - INFECTED
http://scanner2.novirusthanks.org/analysis/1e181fbbe4e3a6af3a0192c73a96d21e/aW5kZXg=/

VirScan - 12/36
http://virscan.org/report/df6e61f94ddfa5fcc7441401c3d0638c.html

Jotti's malware scan - 10/19
http://virusscan.jotti.org/en/scanresult/dfcc90d91989de0f53ac1a2f66d7b216d19eba27

Author Topic: Maybe false positive (Read 5814 times)

12-es_csaj

Maybe false positive

Pondus

Re: Maybe false positive

Pondus

Re: Maybe false positive

12-es_csaj

Re: Maybe false positive

Altarir.

Re: Maybe false positive

12-es_csaj

Re: Maybe false positive

DavidR

Re: Maybe false positive

Pondus

Re: Maybe false positive

12-es_csaj

Re: Maybe false positive

Pondus

Re: Maybe false positive