Avast blocks web sites with web cams

Avast Free 7.0.1456 Win 7 64 bit
defs 120811-1

This has to be a false positive

I cannot view any Seaside Oregon web cam sites
Avast blocks: HTML:Applet-inf[Trj]

http://www.seasideaquarium.com/
http://www.seasidechamber.com/camhtml/index.html
http://seasideoregonvacationrentals.com/live-webcam-seaside-oregon/

This has to be a false positive
Why?


Every 3.6 seconds a website is infected

http://www.scmagazine.com/every-36-seconds-a-website-is-infected/article/140414/

Virustotal
https://www.virustotal.com/file/a96ad0833f16a19571bb32219d0814878babd2e62c0cf42ef192d7b68cc380e2/analysis/1344736177/

urlQuery - Suricata alert
http://urlquery.net/report.php?id=125421

sucuri
http://sitecheck.sucuri.net/results/www.seasidechamber.com/camhtml/index.html

virustotal
https://www.virustotal.com/file/b992ee8f1e7902954493534f8d7192e0de1d771f7119b0330d1ccc674235de44/analysis/1344736450/

urlquery - Suricata alert
http://urlquery.net/report.php?id=125424

sucuri
http://sitecheck.sucuri.net/results/seasideoregonvacationrentals.com/live-webcam-seaside-oregon/

virustotal
https://www.virustotal.com/file/db70b1eff841beb04d03965c3e8870c8ccb06fc9958fbad5ae358f70a3c6e659/analysis/1344736667/

urlquery - Suricata alert
http://urlquery.net/queued.php?id=125425

Do you have an analysis on why Avast is blocking?

Thanks

nope…but avast is very often correct…and often the first AV to detect

Have sent a PM to Donovan… he usually finds this if there is anything :wink:

Well the alert avast is giving on the home page, image1 (and presumably the others too) is HTML:Applet-inf and this -inf at the end usually signifies that some code has been injected (in this case presumably an applet) that is or may also be pointing to a malicious site.

The VT results link previously posted by Pondus has now been updated and now has more hits (5/42) whilst not huge it is going up, https://www.virustotal.com/file/51db5a19ab0bc6b2ff5f761ab6343a219ec1e9b94c909927a5bb8eef1cf913eb/analysis/1344772735/.

A check of the source code on the page shows an applet that points to an IP address rather than a user friendly domain name (image2). Checking that IP and trying to connect to it causes the network shield to alert (image3) URL:MAL, indicating that this IP address is on avast’s malicious sites lists. So this falls in line with my explanation of what the -inf at the end of the malware name usually signifies.

So it isn’t so much the seasideaquarium.com site, but the applet which goes to an external site which is considered malicious.

Now I don’t know if A) that applet is legit and B) the IP address being considered malicious is correct (see ~~~ below), but that appears to be why the alerts are happening.

It is possible that many domains are hosted on this IP address, if so one or more could be infected leading to an IP block. This certainly needs further investigation.

Adding onto DavidR’s analysis,

All the applet elements, combined into one file and scanned on VirusTotal here:
https://www.virustotal.com/file/d52fd86579f1e0aef66f5001515cc7c04a417cd4e1dc1b0296431b53cad62304/analysis/1344793474/

3 different IPs are involved:

  • 68.185.19.92
  • 207.224.31.229
  • 207.202.157.37

However, I do not see any apparent records for these IPs…?

Hi !Donovan,

Avast alert with URL:Mal for e.g.: hxtp://207.224.31.229/-wvdoc-01-/Glimpse Java Viewer Applet
A PHP Array-push is being performed from /68.185.19.92 for example, http://68.185.0.0/19%20%20 urlopen error timed
see: htsp://jsunpack.jeek.org/?report=e71e575e9b002155bad807bbcfcd86f34e0a91ce *

  • This link is given only for our security researchers,
    use full script blocking and open up in a sandboxed environment for protection.
    Warning! Do not venture out there if you are not enough security savvy!
    Besides 68.185.0.0/19 AS20115 (not registered) Shared info is fetched in the background

See: http://urlquery.net/report.php?id=125425
Suricata /w Emerging Threats IDS alerts
2012-08-12 03:59:24 207.224.31.229 urlQuery Client 3 FILEMAGIC Zip archive data
2012-08-12 03:59:21 207.224.31.229 urlQuery Client 3 FILEMAGIC Zip archive data
2012-08-12 03:59:18 207.224.31.229 urlQuery Client 3 FILEMAGIC Zip archive data
2012-08-12 03:59:17 207.202.157.37 urlQuery Client 3 FILEMAGIC Zip archive data
2012-08-12 03:59:17 68.185.19.92 urlQuery Client 3 FILEMAGIC Zip archive data

The IP PTR does not resolve. This is very bad practice…see:
http://hosts-file.net/default.asp?s=207.224.31.229
http://hosts-file.net/default.asp?s=207.202.157.37
http://hosts-file.net/default.asp?s=68.185.19.92

Site has to be protected against bad bots, like this: http://perishablepress.com/wp/wp-content/online/demos/blackhole/
http://perishablepress.com/blackhole-bad-bots/ (link author and bottrap developer Jeff Starr)

AS info from sitevet: AS Name: THEPLANET-AS - ThePlanet.com Internet Services, Inc.
IPs allocated: 1539328
Blacklisted URLs: 17932

Hosts…
…malicious URLs? Yes
…badware? Yes
…botnet C&C servers? No
…exploit servers? Yes
…Zeus botnet servers? Yes
…Current Events? Yes

That is more than no records on these IPs,

polonus
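The two checks the thread turns on (DavidR's point that the applet loads from a bare IP address instead of a hostname, and polonus's point that those IPs have no PTR record) can be automated as a triage step before anything is submitted to VirusTotal or urlQuery. The script below is an added example and is not code from the thread or from any poster; the sample HTML, the 203.0.113.5 address (TEST-NET-3) and the cam.example.com hostname are constructed, and the `resolver` parameter is an assumption added so the PTR lookup can be swapped out for offline use.

```python
"""Triage helper: list the hosts a page's <applet> tags reach out to and flag
raw IP addresses that have no PTR record.  Added example, not code from the
thread.  The sample HTML and the 203.0.113.5 address are constructed."""
import ipaddress
import socket
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: one applet loads from a bare IP, one from a hostname.
SAMPLE_HTML = """<html><body>
<applet code="GlimpseViewer.class" codebase="http://203.0.113.5/-cam-/"
        archive="viewer.jar,util.jar" width="320" height="240">
  <param name="image" value="http://203.0.113.5/-cam-/image1.jpg">
  <param name="refresh" value="5">
</applet>
<applet code="Viewer.class" codebase="http://cam.example.com/applet/">
  <param name="stream" value="http://cam.example.com/live.mjpg">
</applet>
</body></html>"""


class AppletCollector(HTMLParser):
    """Collect every <applet> with its attributes and nested <param> values."""

    def __init__(self):
        super().__init__()
        self.applets = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "applet":
            self._current = {"attrs": a, "params": {}}
            self.applets.append(self._current)
        elif tag == "param" and self._current is not None and a.get("name"):
            self._current["params"][a["name"]] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "applet":
            self._current = None


def applet_urls(html, page_url="http://localhost/"):
    """Every absolute URL an applet on the page would fetch: the codebase, each
    jar listed in archive (relative to the codebase) and any param value that
    is itself a URL."""
    parser = AppletCollector()
    parser.feed(html)
    urls = set()
    for ap in parser.applets:
        base = urljoin(page_url, ap["attrs"].get("codebase", ""))
        urls.add(base)
        for jar in ap["attrs"].get("archive", "").split(","):
            if jar.strip():
                urls.add(urljoin(base, jar.strip()))
        for value in ap["params"].values():
            if value.lower().startswith(("http://", "https://")):
                urls.add(value)
    return urls


def is_raw_ip(host):
    """True when the host part of a URL is a literal IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def reverse_lookup(ip):
    """PTR name for an IP, or None when nothing resolves (makes a DNS query)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


def assess(html, page_url="http://localhost/", resolver=reverse_lookup):
    """One row per distinct host; a bare IP with no PTR record is flagged."""
    hosts = {urlparse(u).hostname for u in applet_urls(html, page_url)}
    report = []
    for host in sorted(h for h in hosts if h):
        raw = is_raw_ip(host)
        ptr = resolver(host) if raw else None
        report.append({"host": host, "raw_ip": raw, "ptr": ptr,
                       "review": raw and ptr is None})
    return report


if __name__ == "__main__":
    for row in assess(SAMPLE_HTML):
        print(row)
```

Run it against a saved copy of the page (read the file into `assess` in place of `SAMPLE_HTML`); every host flagged `review` is a candidate for the hosts-file.net and AS reputation checks polonus lists, while a hostname with a PTR record is still worth checking but is not the pattern the thread describes.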