Confused about a website warning message

[Muad'Dib]

While browsing, I tried to go to the following site (all URLs posted below have been edited to make them non-clickable): hXXp://www.gogglesandglasses.com/PRODUCT_REVIEWS.html

At which point access to the site was blocked and I received the following avast! pop-up:

MALICIOUS URL BLOCKED
avast! Network Shield has blocked a harmful site.

Object: hXXp:/.../PRODUCT_REVIEWS.htmlei=25Ugfq3H5c
Infection: URL:Mal
Process: G:\Filseclab\xfilter\xfilter.dll

The "More details" link told me this:

Infection Details
URL:   hXXp://4918.southwestdiscus.com/url?sa
Process:   file://G:%5CFilseclab%5Cxfilter%5Cxfilter.dll
Infection:   url:Mal

Filseclab is a firewall I've used for years, and have never had avast! mention it in all the times I've run both on the same system.

Here's what's confusing about this message:

• I'm pretty sure I've been to this site before without any warnings.
• WOT rates the site totally safe (though with not many people rating it).
• I have NoScript 2.3.4 running and except for googleapis.com, the site was "completely" blocked (only gogglesandglasses.com and statcounter.com showed up in the NoScript button, and both were blocked). Also Adblock Plus 2.0.3 (with it's Pop-up Addon) are running as well.
• A few minutes later, I went to the site again (maybe dumb, but if avast! blocked me once, it should do it again), but the error did not pop-up this time (I had not changed any permissions).
• Viewing the source code to the site, I don't see either the string "25Ugfq3H5c" (from the warning), nor "southwestdiscus" (from the More Details page).

I realize none of the above is any guarantee of this being a safe site, but combined, I'm just wondering if there was some glitch that caused the pop-up, or am I missing something obvious here?

Is this actually some conflict between avast! and Filseclab and not related to the website at all? If so, what might cause this conflict now? Filseclab hasn't been updated in years (the developer doesn't exist anymore), and other than a definitions update (120325-0), I'm still running avast 6.0.1367.

I still have the website source code as a text file if there's anything else I can look for.

I'd like to be able to visit the site and not worry that I'm risking obvious exposure, but I want to understand this avast! warning a bit more first.

BTW, I'm running Windows XP Pro.

[Hellion]

Hi Muad'Dib,

I checked out the site and it's definitely clean. (verified by urlvoid and Virustotal)

By what your saying it sounds like that firewall you are using is obsolete, you might want to change to something else, but that is a bit drastic if your current setup is working for you.

A better solution would be to add your firewall process to the exclusion list in the webshield and fileshield.

[kls490]

Good morning,

     Just an additional note here about the gogglesandglasses.com website.  When I attempted to access that site, Avast! also generated a block alert.

Be aware also that the hosts-file.net website has the following warning regarding the site:

WARNING: The IP PTR associated with this record, does not resolve back to it's original IP address. This is very bad practice.

Original: 208.84.117.158
PTR: galaxy.hosting4less.com.
PTR IP: 208.84.112.17

I do not use the same firewall referenced in the OP.  I believe the issue with whether the site is safe or not deserves more in-depth review.  (I have attempted to visit the site 4 times now and each time Avast! is blocking access).

Regards,

[c_APT_ure]

hi all

if you read my blog posts about the ponmocup malware you'll learn that the web server is indeed infected (.htaccess file) and that services like virustotal and urlvoid are totally ineffective to detect this type of infection on web servers.
however, urlquery.net is able to verify the redirection to malware domains, but doesn't recognize it as malicious or suspicious (yet) i think.

http://c-apt-ure.blogspot.ch/2012/03/ponmocup-lots-changed-but-not-all.html
http://c-apt-ure.blogspot.ch/2012/02/not-apt-but-nasty-malware-ponmocup.html
http://c-apt-ure.blogspot.ch/2012/04/hunting-ponmocup-botnet.html

just because some service or security product says it's clean or safe doesn't always mean that's true. i've discovered new malware with zero detection on virustotal when i first checked.
http://contagiodump.blogspot.ch/2010/08/cve-2009-3867-cve-2008-5353-java-low.html

stay safe!

cheers,
@c_APT_ure

[Pondus]

that services like virustotal and urlvoid are totally ineffective to detect this type of infection on web servers

virustotal and urlvoid does not scan for website malware..... they check the url reputation



try these
zulu analyzer.  http://zulu.zscaler.com/
sucuri.  http://sucuri.net/
novirusthanks.  http://vscan.novirusthanks.org/.   select "scan web address"



and latest results for the samples at contagio
https://www.virustotal.com/file/3ab2dd42406dc92e157ad10ae51fd4a05fa2db0787179b9e5a50e4571964be78/analysis/

https://www.virustotal.com/file/41d5826e1c8eae1d8d10e9f3cc5e1fe9e96b17039a3976aabaa21d533b9b859a/analysis/

[!Donovan]

Pondus is right. I check websites with various resources I have depending on the type of infection. Sometimes I may search for IP Blacklists, other times code scanning, yet other times reputation, and other times previous attacks\hacks.

If none detect, I scan (with my eyes) the source code to clarify to some extent.


I usually use about 4-9 resources before I make the post in interesting situations.


Remember: Each scanner was made for a specific reason, thus using just one scanner for an unknown malware will not cut it!