This is related to the following two blocks:
1. 4399小游戏
   (hxtp://www.4399.com/ JS:ScriptIP-inf [trj]
   hxtp://www.4399.com/ HTML:script-inf
   hxtp://a.4399.cn/ URL:Mal)
2. hxtp://www.9669.com/ URL:Mal
4399 is a flash game website and mobile game download site, while 9669 is a mobile game download site (for some reason, Dr. Web says it is adult content, as when I last scanned it in VirusTotal, which I don't find any of).
Upon scanning both sites, they look clean except that they both use cnzz.com, some kind of website population statistics service, which is blocked by the malware domain blacklist for the Troj/Clicker-GL trojan virus (I think it is from another virus sample instead; I found the reference in Sophos: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Clicker-GL/detailed-analysis.aspx, so the website is actually clean). But there are some other game websites that use cnzz.com, like 7k7k (http://www.7k7k.com/), which avast does not block.
So what is actually being blocked by avast? 4399.com has been blocked like this not only once…
I do know that the malware domain blacklist has included “cnzz.mmstat” and “pookie.cnzz.com” as trojan virus, and I mentioned it in my previous post.
However, I investigated the issue and found that it is indeed a false positive. This can be shown by the fact that avast does not give an alert when I enter the website hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=661566537. I did report it earlier in July, and avast gave it a blacklist for less than 24 hours but unblocked it after that. The website does have a low reputation in MyWOT, but please look carefully at the bad comments there: none of them are made by the Chinese, while this is a service for Chinese websites. All the things that prove it is a false positive are said by the Chinese in MyWOT. And I need to say again that cnzz is a website population statistics service, which does not host any malware.
The block is not a domain block; avast is complaining about a trojan virus, JS:ScriptIP-inf [trj], in the page.
VirusTotal HTML scan:
https://www.virustotal.com/en/file/24331d5778c5cce6bd5060f6bc1060d781dcacb1fa0f8fbadc377961a6c2ced8/analysis/
That's something weird I've got too. Avast is not detecting the HTML file as JS:ScriptIP-inf [trj]. There should be nothing weird in the website.
However, in the other case, I've got a different result:
hxxp://my.4399.com/forums-mtag-tagid-70504.html
see: https://www.virustotal.com/en/file/82a8b25c344ef867866848a88c196262c5f6b8308185154c4db33f2f48a195a5/analysis/1411228298/
Only avast is detecting it. Does the detection HTML:script-inf mean the page is malicious?
Edit: Oh, Qihoo 360 is detecting it, which is unexpected because I think Chinese antivirus will usually whitelist this site.
Using a RAR of multiple HTML files and scanning it in virscan.org: http://r.virscan.org/report/5db4de0b3a4ab3b94577e355f22409e9
In that case, I think the detection is most likely correct.
What about the second one?
hxxp://www.9669.com
Marked as unsafe by the webrep module, blocked as URL:Mal.
Again, only avast detected the HTML file, as HTML:RedirME-inf [Trj]
see: https://www.virustotal.com/en/file/4746e0a8a293a00a81bf011c8d402f7f674074437eae2c6499bff79645067cb1/analysis/1411293338/
I once saw on VirusTotal that it is marked as adult content by Dr. Web, as well as their 1st Android application download link out of the 3 links.
I am not getting any weird redirection or seeing any adult-only part of the site. Doesn't the detection mean a redirection exists on the page?
Shalla Secure Services: Requested entry cnzz.com was
found in /spyware/domains : cnzz dot com
found in /forum/urls : cnzz dot com/v3/
found in /tracker/urls : s6.cnzz dot com/stat.php
v1.cnzz.com takes detection of the main domain.
Nameserver involved in spamming: http://knujon.com/nameservers/NS1.NDNS.CN.html
Hi polonus,
I want to say something about all those cnzz websites, since you mention them here as well as in https://forum.avast.com/index.php?topic=154961.0 as proof that some sites contain malware.
cnzz itself is innocent. They are the most popular service for statistics of website traffic. The blacklist by malwaredomain is false because it started by seeing the site helping another website used by malware in China doing the website traffic statistics service.
Not to mention that it is confirmed clean by avast, as I mentioned before in post #3.
Good we have posters like you here, and good these questions are raised for the Chinese avast! user base also.
Well, I agree with you that we should have right detection for the Chinese malware theater, and FPs on domains/IPs should be excluded from general blocks. The main cause of FP website detections is benign sites hosted in a suspicious or even malign environment. Various factors have to be taken into consideration to establish the true status of the site, like reputable/disreputable URL, malformed SLD, being on a malicious ASN, content on URL, brand name URL, all-normal-token URL, web page count, iFrames/zero-size iFrames, hyperlinks, specific native JavaScript functions, specific DNS features, reputation of website provider, specific DNS info (afraid dot org), FFSN exploits, look-up after TTL, network properties, URL shortening, etc. etc.
See one of my examples here: https://forum.avast.com/index.php?topic=154554.msg1123863#msg1123863 (gave that link also in the Chinese sub-forums). Keep up the good work for our community. The long march just started with one step taken and another one that followed that ;D .
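The post above lists structural indicators (third-party includes, zero-size iframes, hyperlink count, specific native JavaScript functions) that separate a page that merely embeds a statistics service from one that carries something else. As an added example, not part of this thread and not the tooling of any poster, the following Python script extracts those indicators from an HTML page with the standard library and gives a triage verdict in which a known statistics service by itself is not an indicator. All hostnames in it are constructed stand-ins (`stat.tracker-example.test`, `*.unknown-example.test`, `games.example.test`), and the two sample pages are constructed inline, so nothing is fetched.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed stand-in for a traffic statistics service of the kind discussed
# in the thread; this hostname is not real.
KNOWN_STATS_SERVICES = {"stat.tracker-example.test"}

# Native JS functions that commonly show up in obfuscated injected scripts.
SUSPICIOUS_JS = re.compile(r"\b(eval|unescape|document\.write|fromCharCode)\s*\(")


def _is_zero_size(attrs):
    """True for an iframe with a 0/0px width or height, or styled invisible."""
    for key in ("width", "height"):
        val = (attrs.get(key) or "").strip().lower().rstrip("px").strip()
        if val == "0":
            return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class _PageFeatures(HTMLParser):
    """Collects per-page indicators while the HTML is parsed."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.third_party = set()      # hosts of script/iframe sources off-site
        self.iframes = 0
        self.zero_size_iframes = 0
        self.hyperlinks = 0
        self.suspicious_inline = 0    # inline <script> bodies matching SUSPICIOUS_JS
        self._in_script = False

    def _note_host(self, src):
        host = urlparse(src or "").hostname
        if host is None:              # relative URL: first party
            return
        host = host.lower()
        if host != self.page_host and not host.endswith("." + self.page_host):
            self.third_party.add(host)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self._note_host(a["src"])
            else:
                self._in_script = True
        elif tag == "iframe":
            self.iframes += 1
            self._note_host(a.get("src"))
            if _is_zero_size(a):
                self.zero_size_iframes += 1
        elif tag == "a" and a.get("href"):
            self.hyperlinks += 1

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data as CDATA.
        if self._in_script and SUSPICIOUS_JS.search(data):
            self.suspicious_inline += 1


def assess(html, page_host):
    """Return the structural indicators of one HTML page served from page_host."""
    p = _PageFeatures(page_host)
    p.feed(html)
    p.close()
    third = sorted(p.third_party)
    return {
        "third_party_hosts": third,
        "stats_services": [h for h in third if h in KNOWN_STATS_SERVICES],
        "unknown_third_party": [h for h in third if h not in KNOWN_STATS_SERVICES],
        "iframes": p.iframes,
        "zero_size_iframes": p.zero_size_iframes,
        "hyperlinks": p.hyperlinks,
        "suspicious_inline_scripts": p.suspicious_inline,
    }


def triage(features):
    """Verdict string: a known statistics service alone never triggers review."""
    reasons = []
    if features["unknown_third_party"]:
        reasons.append("unknown third-party hosts: " + ", ".join(features["unknown_third_party"]))
    if features["zero_size_iframes"]:
        reasons.append("%d zero-size iframe(s)" % features["zero_size_iframes"])
    if features["suspicious_inline_scripts"]:
        reasons.append("%d inline script(s) using eval/unescape/document.write/fromCharCode"
                       % features["suspicious_inline_scripts"])
    if not reasons:
        return "no structural indicators; third-party includes limited to known statistics services"
    return "review: " + "; ".join(reasons)


# Constructed sample pages. CLEAN_PAGE only embeds the statistics service;
# SUSPECT_PAGE adds an unknown script host, an obfuscated inline script and a hidden iframe.
CLEAN_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="//stat.tracker-example.test/z.js"></script>
</head><body>
<a href="/games/1">Game 1</a> <a href="/games/2">Game 2</a>
</body></html>"""

SUSPECT_PAGE = """<html><head>
<script src="/static/site.js"></script>
<script src="//stat.tracker-example.test/z.js"></script>
<script src="http://cdn.unknown-example.test/x.js"></script>
<script>var s = unescape("%41"); eval(s);</script>
</head><body>
<a href="/games/1">Game 1</a>
<iframe src="http://ad.unknown-example.test/f" width="0" height="0"></iframe>
<iframe src="/player" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("suspect", SUSPECT_PAGE)):
        f = assess(page, "games.example.test")
        print(name, f, "->", triage(f))
```

The clean sample yields the no-indicator verdict even though it includes the off-site statistics script, which is the point of the thread: the include has to be weighed together with the other indicators, and a page whose only off-site content is a known statistics service should be treated as a false positive candidate rather than blocked on that basis alone.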
I would definitely suggest hosting those sites on another server. Considering the number of blocked URLs that share IPs with this one, it may be that the domain was blocked only because of this.