Again the avast Network shield in action...

Someone sent me this link: htxp://contagiodump.blogspot.no/
Then avast Networkshield alerted me to BV:DelFiles-B[Trj] in the browser executable process.
Boy, am I glad to have that avast Networkshield installed.
Have to say before alerting, I had to lift noscript blocking that malware…
Given benign here: http://zulu.zscaler.com/submission/show/4f546320e6ffaf77d3aba45da7c1b87e-1354366764
4 potentially suspicious files
wXw.blogger.com/post-edit.g?blogID=7885177434994542510&postID=5116555681441968371&from=pencil
File size[byte]:
80964
Threat type:
Potentially Suspicious
Details:
Detected hidden reference to external web resource.
Reason:
Detected generation of hidden DOM element [iframe].

C50CF6DB56B8DE527799A68294FF4D04
Scan duration[sec]:
0.175000
twitter dot com/%23%21/search/contagiodump
File size[byte]:
66150
Threat type:
Potentially Suspicious
Details:
Detected procedure that is commonly used in suspicious activity.
Reason:
Too low entropy detected in string ‘/[1]*[a-z_----------------------’ of length 213 which may points to obfuscation or shellcode.
MD5:
1B0274E1A26B9C447A8C0FB61D93838B
Scan duration[sec]:
0.135000
community.rapid7 dot com/community/metasploit/blog/2012/09/16/lets-start-the-week-with-a-new-internet-explorer-0-day-in-metasploit
File size[byte]:
116215
Threat type:
Potentially Suspicious
Details:
Detected potentially suspicious content.
Reason:
Detected potentially suspicious initialization of function pointer to JavaScript method document.write __tmpvar971250210 = document.write;
MD5:
241758146B4C42C6A01AAF8E0926D787
Scan duration[sec]:
3.383000
wXw.blogger.com/post-edit.g?blogID=7885177434994542510&postID=6269574680922556213&from=pencil
File size[byte]:
80943
Threat type:
Potentially Suspicious
Details:
Detected hidden reference to external web resource.
Reason:
Detected generation of hidden DOM element [iframe].
MD5:
2FFA9DD1099A8871D6D348A1455EDC57
Scan according to Quttera scan results …

polonus


  1. a-z0-9_------------------------------------------------------------- ↩︎

Also performed a particular malicious iFrame scan on that site with following results:
(Level: 0) Url checked:
htxp://contagiodump.blogspot.no/
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://contagiodump.blogspot.no///www.blogger.com/static/v1/jsbin/2627287098-ieretrofit.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
hxtp://contagiodump.blogspot.no/https://apis.google.com/js/plusone.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.mediafire.com/dropbox/dropbox.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://www.mediafire.com/dropbox/+ez+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://www.mediafire.com/dropbox/dropbox.js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://www.mediafire.com/dropbox/+ez+
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://contagiodump.blogspot.no/https://apis.google.com/js/plusone.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://contagiodump.blogspot.no///www.blogger.com/static/v1/widgets/2167839501-widgets.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://contagiodump.blogspot.no///www.google.com/jsapi
Blank page / could not connect
No ad codes identified

polonus

well this is the contagio malware dump blog…where malware discussion and samples is dumped every day

so no surprise if a nervous avast webshield give a alarm here :wink:

dont you use this site Polonus ???

Hi Pondus,

Yes I am aware of the site and know about the contents thereof, and if there is part of a malware script exposed, then the avast shield bells are to be set off. I use these resource sites, but never put a link out here bormally, because we do not want to make the malcreants any the wiser…

polonus