Author Topic: Again the great avast webshield protecting the user....  (Read 1942 times)

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Again the great avast webshield protecting the user....
« on: January 15, 2012, 10:34:57 PM »
See: http://urlquery.net/report.php?id=16218
Avast webshield blocks the user from going there because of a trojan called JS:Redirector-KP[Trj]
See malware being logged here: http://sakrare.ikyon.se/log.php?id=22748

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37614
  • Not a avast user
« Last Edit: January 15, 2012, 10:50:40 PM by Pondus »

Dch48

  • Guest
Re: Again the great avast webshield protecting the user....
« Reply #2 on: January 15, 2012, 10:46:35 PM »
The Web Shield is actually the only one that catches things for me. Nothing ever gets as far as where it would be detected by the file shield. The autosandbox has triggered a few times but only for unknown things that were actually safe. I would have to say that yes, the Avast Web Shield is, in fact, great.

Offline polonus

Re: Again the great avast webshield protecting the user....
« Reply #3 on: January 15, 2012, 11:00:37 PM »
Hi Pondus,

Why? Good question, my friend. Heuristic find, and in the logs you read that it does not have any reliable address for "Moved Permanently",
see the code-link I give here for the offensive URL logged and look it up:
see: -http://jsunpack.jeek.org/?report=f4dffa024dd81d6cc9a133a59fe86394753e682a
Link given only for the security savvy, with ample script protection active and in a VM,
also consider this info: http://google.com/safebrowsing/diagnostic?site=mahasiddhatrading.com/

Again, Pondus, with your intriguing questions you have led polonus again to interesting additional background info for this malware, well done,

In the wepawet analysis the red link to: -http://android.womenthemanual.com/count
(the link that was not moved permanently, but actually "hidden" in clear sight
if we had looked a little closer. Good find, Pondus!!!)
avast webshield flags that url as infected with JS:Redirector-KP[Trj] as well...
Link is suspicious and found by DrWeb's url checker when scanned
DrWeb purples it as being suspicious:
Checking: =http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340
Engine version: 7.0.0.11250
Total virus-finding records: 2538276
File size: 67.55 KB
File MD5: bd2bf93c9859bc264df45b3154829811

=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340 probably infected with SCRIPT.Virus
=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340 - archive JS-HTML
>=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340/JSTAG_1[10cc4][db] - Ok
>=-http://wepawet.iseclab.org/view.php?type=js&hash=47735c2c8ffe3d1ce195510427139efc&t=1325777340/JSTAG_2[10dc9][52] - Ok
So the wepawet analysis should also be used with appropriate protection measures in place.

pol
« Last Edit: January 15, 2012, 11:20:37 PM by polonus »