Topic: False positive?

Klauwkikker

  • Guest
False positive?
« on: July 27, 2011, 07:15:20 PM »
Is this a false positive?
It is a well-known Dutch opinion site.

Infection Details
URL:   http://xxx.joop.nl/fileadmin/template/inc/js/redirMobile-min.js|%3E{gzip}
Process:   file://C:\Program Files\Mozilla Firefox\firefox.exe
Infection:   html:Iframe-inf

xxx stands for www

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: False positive?
« Reply #1 on: July 27, 2011, 07:18:12 PM »
Sucuri says infected...

see attached screenshot


malware type
http://sucuri.net/malware/malware-entry-mwiframehd421
« Last Edit: July 27, 2011, 07:21:27 PM by Pondus »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: False positive?
« Reply #2 on: July 27, 2011, 07:27:40 PM »
Filename:    redirMobile-min.js
 Status:    Scan finished. 2 out of 20 scanners reported malware.
http://virusscan.jotti.org/en/scanresult/c9e8b1cc2b524e7f963dfac40bdc6321b57ba3ec

VirusTotal - redirMobile-min.js - 4/43
http://www.virustotal.com/file-scan/report.html?id=bac3240d18bfa6194aa65701e799946bdad1a975fa069013652f584eb5d44965-1311787300

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: False positive?
« Reply #3 on: July 27, 2011, 09:12:40 PM »
Hi Klauwkikker & Pondus,

Scanned the IPframe redirect here: http://wepawet.iseclab.org/view.php?hash=52ee1c0c20d38b7edb071123b878a5aa&t=1311793379&type=js (malicious)
Exploit being abused is HPC URL   Help Center URL Validation Vulnerability - CVE-2010-1885;
see: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1885
Also see attached source code for the URL you provided,

polonus


« Last Edit: July 27, 2011, 09:14:13 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: False positive?
« Reply #4 on: July 28, 2011, 07:47:24 AM »
Quote
Is this a false positive?
It is a well-known Dutch opinion site.

Norman analysis confirms the detection is correct
Quote
redirMobile-min.js : Processed - HTML/Iframe.KY