Author Topic: url part clean part trojan  (Read 7754 times)


Offline ady4um

url part clean part trojan
« on: September 08, 2011, 02:52:53 PM »
I'd like to ask the more experienced users / forum members about a "not definitive" suspect URL.

Virustotal shows the URL itself with 1 error, 1 infected, and several cleans, but when Virustotal scans the site's pages (index.html) it returns 17/44 infected with a trojan.

If this is a FP, then the number should eventually go down. If it is indeed infected, the number should go up. Instead, it keeps resulting in a "middle" number. Any clues? Is the specific trojan found of any importance under this situation?


BACKGROUND INFO:

Some time ago I used a URL to download a certain tool. On that occasion, Avast didn't show any concerns about the specific URL.

For some time now, when I try to return to that same URL, Avast says there is a trojan and stops the connection to the site.

I have no relation to the site, so I don't have any way to confirm or deny the warning.

After several months, the site keeps being "banned" by Avast, with the same trojan.

If I download the tool using a direct link to the zip file, without opening the site on my web browser, then the file (the tool) can be downloaded and Avast scan on the file returns no problems/infections. Only the web site is triggering the warnings.

ADD/REMOVE PROGS -> avast -> CHANGE/REMOVE -> REPAIR & REBOOT
Avast! 7 FAQ | FAQ & KB | Docs | Removal Utils | Configure Mail Shield | report FP | License Registration | UNSECURED?

Offline Asyn

Re: url part clean part trojan
« Reply #1 on: September 08, 2011, 02:57:22 PM »
Share the links with us..! ;) (deactivated with hxxp)
Also post the VT results.
Win 8.1 [x64] - Avast PremSec 20.9.2435.Beta#3 [UI.575] - CC 5.73 - EEK - FF ESR 78.4 [NS/AOS/uBO/PB] - TB 78.4 - SB/CP/SL/DU.B
Deutschsprachiger Bereich -> Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Offline ady4um

Re: url part clean part trojan
« Reply #2 on: September 08, 2011, 03:44:29 PM »
I want to make it clear that I don't have any relation to the original site.

My questions are more general than just for this particular case, but anyway, here are the details.

URL:
Code:
hXXp://erwan.l.free.fr/clonedisk/
hXXp://erwan.l.free.fr

hXXp://erwan.boot-land.net/clonedisk/
hXXp://erwan.boot-land.net

Virustotal analysis for the URL:
Code:
hXXp://www.virustotal.com/url-scan/report.html?id=f75a6e853bed5300695f16e75a0511e4-1315480441

Current Result of VT for the URL:
Quote
Websense ThreatSeeker: Malware site

Then click on "View downloaded file analysis" link, and you get to

Virustotal analysis for index.html:
Code:
hXXp://www.virustotal.com/file-scan/report.html?id=bc5d5fb8bfefc8a1cfaf8036c8aa574707d080746738a91ffc1d1b4f7637526a-1315487643

Current Result of VT for index.html:
Quote
(currently with 20/44, so it is a little higher now).

MD5: f9618fbbffca61e0eee2bc49822f4c07

The same happens to the parent folder, and also to the mirror website (the 4 locations I posted above in this same post).

I am not doubting Avast's warning. My doubt is why this is not completely identified by almost *all* scanners after months. It keeps being reported by, say, around half of the listed engines, for a long time.

And, as mentioned, the zip file can be downloaded directly and Avast is OK with it (I haven't posted here the direct link to it though).

Thanks for sharing your knowledge :).

Offline Pondus

Re: url part clean part trojan
« Reply #3 on: September 08, 2011, 04:13:48 PM »
The URL scan is just a reputation scan; it is checking the URL against some list to see if it is listed as bad.
This can be totally clean, but the website may still be infected.

Offline ady4um

Re: url part clean part trojan
« Reply #4 on: September 08, 2011, 04:44:18 PM »
Quote
The URL scan is just a reputation scan; it is checking the URL against some list to see if it is listed as bad.
This can be totally clean, but the website may still be infected.

Interesting, thanks. Now, that's for the URL scan, but see that the file scan is the one that I'm more interested in, not just for this particular case.

I want to understand why the file scanners are not reporting a clear tendency.

For a new malware, low percentages might be expected, as with a FP. But for a malware that is not so new, either the webmaster can solve the problem (and the percentage decreases again), or the tendency would be for *all* engines to find it.

For a FP, the tendency in the long run would also be towards low percentages, since I assume not "each and every" scan engine will detect the index.html files as a FP at the same time, and the FP would be corrected eventually.

In case the webmaster fails to solve the problem (he doesn't even know the site was hacked), then *all* the engines would tend to report malware in the long run.

The same trojan is found in the 4 index.html files (of the above 4 addresses) and this is the situation for months, but not for *all* engines.

So, having values between, say, 10/44 to 30/44 during long periods of time (months) is what sounds strange to me.

Offline Pondus

Re: url part clean part trojan
« Reply #5 on: September 08, 2011, 05:04:20 PM »
Also, I think to be listed as bad it must have been infected over some time... or been used in distributing malware.


The VT scan you posted is only one week old
http://www.virustotal.com/file-scan/report.html?id=bc5d5fb8bfefc8a1cfaf8036c8aa574707d080746738a91ffc1d1b4f7637526a-1315493909

First seen: 2011-09-02 08:29:52
Last seen : 2011-09-08 13:34:33
« Last Edit: September 08, 2011, 05:18:53 PM by Pondus »

Offline polonus

Re: url part clean part trojan
« Reply #6 on: September 08, 2011, 05:04:40 PM »
Hi ady4um & Pondus,

Here I scanned and found infected: http://vscan.urlvoid.com/analysis/f9618fbbffca61e0eee2bc49822f4c07/Y2xvbmVkaXNr/
In contradiction to: http://siteinspector.comodo.com/public/reports/318028
But there is one suspicious inline script found here:
http://www.unmaskparasites.com/web-page-options/?url=http%3A//erwan.l.free.fr/clonedisk/&susp=1
The XSS attack crawler found a long suspicious inline JavaScript, usually found to be malware; see the discussion here: http://www.google.com/support/forum/p/Webmasters/thread?tid=4cf32ea2a7d0a5ed&hl=en (link to the answer from Cristina, contributor to the Webmasters support forum)

polonus
« Last Edit: September 08, 2011, 05:27:45 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

Re: url part clean part trojan
« Reply #7 on: September 08, 2011, 05:14:55 PM »
You can't compare the two as they are unique, the URL scan isn't a live scan, but a check against a database and the file scan is effectively a live scan of the file. When comparing against a database, then that lives or dies on how up to date that database and some are woefully out of date.

The URL scan should also go on and do a scan of the index.htm file (home page), etc. which should give a better indication, but that too is only a single file.

@ Pol
Is there a reason for the 23 blank lines at the end of your post?
Windows 10 Home 2004 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 20.8.2432 (build 20.8.5684.602) UI-1.0.566/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

Re: url part clean part trojan
« Reply #8 on: September 08, 2011, 05:33:34 PM »
Hi DavidR,

The posting is now more like it was meant. The scans I did were the real URL scan at urlvoid, giving the results. The Unmask Parasites result is also very recent. What is hindering me in scanning is the mix-up of non-actual third-party blocking data with real-time actual malscript scan results.

polonus

Offline DavidR

Re: url part clean part trojan
« Reply #9 on: September 08, 2011, 05:50:04 PM »
That's better, I thought it was missing an image at first ;D

Yes, my comments were about the VT URL scan and reference to some so called site inspector databases, etc.
« Last Edit: September 08, 2011, 05:51:39 PM by DavidR »

Offline ady4um

Re: url part clean part trojan
« Reply #10 on: September 08, 2011, 05:58:46 PM »
Quote
The VT scan you posted is only one week old

To be clear:

First, I don't think that the owner of the site is knowingly spreading malware. Either it is a FP (I don't think so), or it was hacked a few months ago (and still is).

Second, I tried this site many months ago, and Avast was fine with it. But for months now Avast reports it as infected. The VT check is from this week, yes, but I have been seeing Avast's warnings about the site for months now.

Quote
You can't compare the two as they are unique

@DavidR, I didn't understand you. Which comparison? Were you referring to my post?

@polonus, my apologies but I don't understand the exact details about the specific trojan, or whatever malware is there, or if this is all a FP (and I'm fine with this "not-understanding the details").

As I said, I am just trying to understand why the percentage of engines in VT has no clear tendency, either to fall or to cover almost all of them, this being a known trojan (not a "new" situation). This is beyond the specific case I presented.

Offline DavidR

Re: url part clean part trojan
« Reply #11 on: September 08, 2011, 06:26:40 PM »
You were referring to the VT URL scan from Pondus that you quoted, weren't you? That being my assumption, it was what I posted about.

Offline Pondus

Re: url part clean part trojan
« Reply #12 on: September 08, 2011, 06:36:03 PM »
maybe you could ask VT ?  info@virustotal.com

Offline ady4um

Re: url part clean part trojan
« Reply #13 on: September 08, 2011, 06:51:03 PM »
Quote
You were referring to the VT URL scan from Pondus that you quoted, weren't you? That being my assumption, it was what I posted about.

Well, *I* was the one that posted the link to the URL scan, and *Pondus* stated that the URL is not a real "scan" but only a comparison against user reports (or something like that).

The part that I am interested in is the 4 index.html files giving a middle percentage value. In fact, I am interested in the middle percentage value, much more than my interest in the 4 files.

Quote
maybe you could ask VT ?  info@virustotal.com

I don't think this is related to VT. This is more related to the engines, how (in terms of time distribution) the trojans are detected across different engines, and somehow related to maths and statistics.

I could understand other percentage tendencies (as I presented in a previous post), but I don't understand the "middle" values staying there for a long time.

I was (am) hoping that forum members with more experience than I might have seen this type of situation in the past, so the current "middle" situation could be explained somehow.

Offline Pondus

Re: url part clean part trojan
« Reply #14 on: September 08, 2011, 07:42:01 PM »
Quote
I don't think this is related to VT. This is more related to the engines, how (in terms of time distribution) the trojans are detected across different engines, and somehow related to maths and statistics.
yea...but those working at VT work with malware....so they may be able to give you the answer