A virus found but not infected

Hey guys. I went to some website and got redirected by an ad to a website called hxxp://ffupdate.org/ it said my drivers are out of date by a pop up… (hmm) and then it did a scan like thing and tried to install something… but Thank god avast blocked it! :slight_smile: Just posting this so avast can decide if that site should be blocked or not… what do you think… a malware site?

The alert was PUP… I disabled avast and downloaded the program’s installer to scan it on virustotal… here are the results from virustotal https://www.virustotal.com/file/2606731042185712bcf0ec3c73879fd80a46d4c31442673c5138376709177f24/analysis/ it might be malware?

Also see: http://forum.avast.com/index.php?topic=96736.msg772357#msg772357

Quote from Coolmario88: "Hey guys. I went to some website and got redirected by an ad to a website called hxxp://ffupdate.org/ it said my drivers are out of date by a pop up.. (hmm) and then it did a scan like thing and tried to install something.. but Thank god avast blocked it! :) Just posting this so avast can decide if that site should be blocked or not.. what do you think.. a malware site?"

Well, using ubuntu atm, so went to site and captured the screenshot below. Note that the site is aggressive, and wants to download an unknown file without user prompting. Can’t run this file anyway, but something like this is definitely suspicious.

I hope the screenshot provides more information than we had before. See MediaFire here: http://www.mediafire.com/?3444ftsdz4txb

hmm went to the website again because of the screenshots you showed me… and the website changed… the sidebar had a little fake scanner thing… I think the website should be blocked as malware

+1

You can report it here: http://www.avast.com/contact-form.php?loadStyles

Since avast doesn’t specifically have phishing sites on the VPS only malicious/infected sites, there isn’t a specific way to report them for inclusion in the VPS for Network Shield.

Also see http://forum.avast.com/index.php?topic=82635.0, extract below.
Reporting a phishing/malicious/hacked site not detected by the Network/Web Shield/s:
Essentially it is sending an email to virus (at) avast (dot) com (no attachment as there is no physical file) outlining the issue and giving the URL in the body of the email.

The email Subject is probably more crucial as I would say it still has to be called ‘Undetected Malware’ for it to be filtered within the receipt system for action. I would go further and include ‘Network Shield’ in the subject to further define the problem and possibly attract attention. So the subject would be something like “Undetected Malware - Network Shield - Phishing/Malicious site” (whichever is applicable), without the Quotes.

Well, why do you think so Dave…?? Sure we can also report such stuff. :wink:
BTW, it gets already detected as PUP by avast!..

Well it is 100 out of 100% malware, see this report: http://zulu.zscaler.com/submission/show/2206797ae81eac851ebde215b49a9e39-1333982964
People are being redirected to that site via rogue ads, so a good adblocker could be advisable, like ABP for instance. See: http://stopmalvertising.com/tag/ffupdate.org.html BrightCloud gives it a yellow 50 index, meaning “Moderate Risk: There is some probability that the user will be exposed to malicious links or payloads”.

polonus

Thanks for the above link, polonus.

If one would like a running update of where this malware has been recently, see: http://stopmalvertising.com/malvertisements/ffupdate.org-several-high-profile-websites-hit-by-a-rogue-ad.html Just scroll down to read the body of the report.

You can’t report it correctly as there is no category for it in the drop down list of the topic. Avast blocked the secondary URL and ad redirecting to a malicious site, which avast blocked as far as I can tell from Coolmario88’s posts.

The closest to what it would be is Report of undetected Malware, but you can’t enter a web site as it is after a file from your system.

I’m talking about adding the primary URL (initial site) with the ad and/or the redirection URL in the ad. So what do we report, the primary URL which had the ad on it (ads poisoning) or the ad source URL? But there is no way to report these URLs correctly with the current structure in the contact form.

Hmm… Don’t see any problem, as the form includes: “Website” as well as “Your message”…
So everything important can be included, also a link to this topic, if needed. :wink:

Hi DavidR,

Completely agree with you here. But apart from that the OP can also benefit greatly from getting an adblocker for his browser.
I still have good old “SpywareBlaster” on my comp, and today I had another 27 new items added to that protection database for IE, Fx and restricted sites.
And reporting the issue as a form of feed-back for the avast team won’t hurt as Asyn states.

polonus

The Website Issues category relates to the avast website as far as I’m aware.

True, but I’m not talking about Subject/topic here.
Look below, there’s another “Website” box. :wink:

I don’t know what you are on about, this additional website box only comes up when you select http://www.urlvoid.com/scan/ffupdate.org/ and this is no false alert.

Dave, you’re right. I only got it because I had NS enabled. Sorry.
Anyway, still all the info can be put in the message box, if needed.

Looks like google chrome got to blocking the infected website before avast did

Went to see if the website has changed in IE and it appears to me that the website has disappeared :o