Author Topic: trojan blocked on anonymizer search  (Read 4806 times)

Hermite15

  • Guest
trojan blocked on anonymizer search
« on: September 25, 2010, 02:02:56 PM »
good job, that's what I got after launching a Google search (just the search, not even trying to access the site) on anonymouse---org
hxxp://anonymouse.org/ >>> see screenshot

 While google shows clearly that the site is not clean http://www.google.com/safebrowsing/diagnostic?site=http://anonymouse.org/

VirusTotal, through a URL analysis, doesn't show anything, even from Google ???
http://www.virustotal.com/url-scan/report.html?id=71c0698842c8d082c1d97074a42e7f10-1285406960

 >>> but the VT file analysis (index.html) of the URL shows clearly some avast detection (click on "view downloaded file analysis")


avast web shield report:
Code:
9/25/2010 1:22:49 PM hxxp://www.google.com/url?sa=t&source=web&cd=1&ved=0CBUQFjAA&url=http%3A%2F%2Fanonymouse.org%2F&rct=j&q=anonymouse&ei=g9udTMycDY7P4gb42KCxDg&usg=AFQjCNHGeNAbEwe0WtZNVSGNyHofacr0vA|>{gzip} [L] JS:ScriptIP-inf [Trj] (0)
« Last Edit: September 25, 2010, 02:07:41 PM by Logos »
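
An added example, not part of the original post: the Web Shield report line above split into fields, with the `url=` and `q=` parameters of the logged Google URL decoded. The field layout and the dictionary key names are assumptions inferred from this single line, not a documented avast format.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

# Report line copied from the post above (URL left defanged as posted).
LINE = ("9/25/2010 1:22:49 PM hxxp://www.google.com/url?sa=t&source=web&cd=1"
        "&ved=0CBUQFjAA&url=http%3A%2F%2Fanonymouse.org%2F&rct=j&q=anonymouse"
        "&ei=g9udTMycDY7P4gb42KCxDg&usg=AFQjCNHGeNAbEwe0WtZNVSGNyHofacr0vA"
        "|>{gzip} [L] JS:ScriptIP-inf [Trj] (0)")

# Assumed layout: timestamp, scanned URL, optional "|>" unpacking layers,
# a one-letter flag (meaning not stated in the post), detection name,
# detection type, numeric code.
PATTERN = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<url>\S+?)"
    r"(?P<layers>(?:\|>\S+)*) "
    r"\[(?P<flag>\w)\] "
    r"(?P<name>\S+) "
    r"\[(?P<kind>\w+)\] "
    r"\((?P<code>-?\d+)\)$"
)

def parse_report_line(line):
    """Return the fields of one report line; raise ValueError if it does not fit."""
    m = PATTERN.match(line.strip())
    if m is None:
        raise ValueError("unrecognised report line")
    url = re.sub(r"^hxxp", "http", m["url"])      # undo the forum defanging
    parts = urlsplit(url)
    query = parse_qs(parts.query)                 # percent-decodes the values
    return {
        "time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
        "scanned_host": parts.hostname,           # host the shield was scanning
        "scanned_path": parts.path,
        "redirect_target": query.get("url", [None])[0],
        "search_terms": query.get("q", [None])[0],
        "layers": [p for p in m["layers"].split("|>") if p],
        "detection": m["name"],
        "kind": m["kind"],
    }

if __name__ == "__main__":
    for key, value in parse_report_line(LINE).items():
        print(f"{key:16} {value}")
```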

Hermite15

  • Guest
Re: trojan blocked on anonymizer search
« Reply #1 on: September 25, 2010, 02:15:56 PM »
just to post the google safe browsing details:

Quote
Safe Browsing
Diagnostic page for anonymouse.org

What is the current listing status for anonymouse.org?
This site is not currently listed as suspicious.

What happened when Google visited this site?
Of the 99 pages we tested on the site over the past 90 days, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-24, and the last time suspicious content was found on this site was on 2010-09-09.
Malicious software includes 5 exploit(s), 2 trojan(s).

Malicious software is hosted on 2 domain(s), including buyviagratoday.com/, bestgamer.servegame.org/.

This site was hosted on 1 network(s) including AS29066 (VELIANET).

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: trojan blocked on anonymizer search
« Reply #2 on: September 25, 2010, 02:38:34 PM »
I think there is something else going on in this search than just a search, as there is a compressed javascript file involved (see image), so I don't know why all this gubbins would be behind your search string.

If the google search tries in any way to access the site then it would bump into the Network Shield as currently the site is blocked by it. But this seems to have bypassed the network shield check in the google search.

Re, the google safe browsing, because of the nature of this site there are going to be people using it to hide what they are doing and it may get flagged by association.

However, in your reply in another topic (http://forum.avast.com/index.php?topic=64315.msg543760#msg543760), the avast virus labs have acknowledged an FP, based on the actual site alone and are to correct it.

I did a google search on anonymouse.org (only this and no http :// or www .) whilst investigating in the other topic and I got no alert on the google search in firefox 3.6.10.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.4.6112 (build 24.4.9067.762) UI 1.0.803/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Hermite15

  • Guest
Re: trojan blocked on anonymizer search
« Reply #3 on: September 25, 2010, 02:41:19 PM »
nature of the site or not, how does Google come up with 5 exploits and 2 trojans ???

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: trojan blocked on anonymizer search
« Reply #4 on: September 25, 2010, 02:58:47 PM »
I don't know how google goes about its work. URLVoid has one of its references as something detected, but not the rest, http://www.urlvoid.com/scan/anonymouse.org.

The strange thing is that the VT link you gave doesn't show anything from google (and the file analysis with avast and gdata, was the FP talked about in the other topic). So my only reasoning would be that this is a current value, whilst the google safe browsing is also reporting historical information, see quote, relevant parts highlighted by me.

Quote
Of the 99 pages we tested on the site <b>over the past 90 days</b>, 4 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-09-24, and the last time suspicious content was found on this site was on 2010-09-09.

The avast VPS update for today 100925-0 corrects this detection.

Hermite15

  • Guest
Re: trojan blocked on anonymizer search
« Reply #5 on: September 25, 2010, 03:23:02 PM »
Quote
The strange thing is that the VT link you gave doesn't show anything from google

yeah I know, that's why I mentioned it...

Hermite15

  • Guest
Re: trojan blocked on anonymizer search
« Reply #6 on: September 25, 2010, 03:25:06 PM »
okay Avast removed it from the vps, but I still have doubts...

Hermite15

  • Guest
Re: trojan blocked on anonymizer search
« Reply #7 on: September 25, 2010, 03:30:08 PM »
yeah I was thinking about what Google uses as AV, Trend Micro, and just noticed in the comment of VT that someone mentions there that Trend Micro blocked anonymouse.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89210
  • No support PMs thanks
Re: trojan blocked on anonymizer search
« Reply #8 on: September 25, 2010, 05:21:29 PM »
Well it is only trend micro that flags it in the URLVoid results I posted, so there is a link there.