Avast is blocking a game website in a weird pattern

This is related to the following two blocks:
1. 4399小游戏 (4399 mini-games)
( hxtp://www.4399.com/ JS:ScriptIP-inf [trj]
hxtp://www.4399.com/ HTML:script-inf
hxtp://a.4399.cn/ URL:Mal)
2. hxtp://www.9669.com/ URL:Mal

4399 is a Flash game website and mobile game download site, while 9669 is a mobile game download site (for some reason, Dr.Web flagged it as adult content when I last scanned it on VirusTotal, which I don't find any of).
Upon scanning both sites, they look clean except that they both use cnzz.com, some kind of website traffic statistics service, which is blocked by the Malware Domain Blocklist for the Troj/Clicker-GL trojan (I think it actually comes from another virus sample instead; I found the reference at Sophos: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Clicker-GL/detailed-analysis.aspx, so the website is actually clean). But there are some other game websites that use cnzz.com, like 7k7k (http://www.7k7k.com/), which Avast does not block.
So what is actually being blocked by Avast? 4399.com has been blocked like this more than once…

urlQuery http://urlquery.net/report.php?id=1411054101654
scroll down to Blacklists

VirusTotal IP check - 203.130.61.17
https://www.virustotal.com/en/ip-address/203.130.61.17/information/
see "Latest detected files that communicate with this IP address"; click the MORE button at the lower left under that list

I do know that the Malware Domain Blocklist has included “cnzz.mmstat” and “pookie.cnzz.com” as trojan entries, and I mentioned it in my previous post.
However, I investigated the issue and found that it is indeed a false positive. This can be shown by the fact that Avast does not give an alert when I enter the website hxxp://cnzz.mmstat.com/9.gif?abc=1&rnd=661566537. I did report it earlier in July, and Avast blacklisted it for less than 24 hours but unblocked it after that. The website does have a low reputation on MyWOT, but please look carefully at the bad comments there: none of them are made by Chinese users, when this is a service for Chinese websites. All the comments there that prove it is a false positive are from Chinese users on MyWOT. And I need to say again that cnzz is a website traffic statistics service, which does not host any malware.
The block is not a domain block; Avast is complaining about a trojan, JS:ScriptIP-inf [trj], in the page.

JS:ScriptIP-inf [trj]
meaning the Web Shield sees some JavaScript code in the HTML it does not like ...... could be all the Chinese gibbledy-gobbledy it doesn't like ;D

Virustotal html scan
https://www.virustotal.com/en/file/24331d5778c5cce6bd5060f6bc1060d781dcacb1fa0f8fbadc377961a6c2ced8/analysis/

Virustotal html scan https://www.virustotal.com/en/file/24331d5778c5cce6bd5060f6bc1060d781dcacb1fa0f8fbadc377961a6c2ced8/analysis/
That's something weird I've got too. Avast is not detecting the HTML file as JS:ScriptIP-inf [trj]. There should be nothing weird in the website. However, in the other case I've got a different result: hxxp://my.4399.com/forums-mtag-tagid-70504.html, see: https://www.virustotal.com/en/file/82a8b25c344ef867866848a88c196262c5f6b8308185154c4db33f2f48a195a5/analysis/1411228298/ Only Avast is detecting it. Does the detection HTML:script-inf mean the page is malicious?

Edit: Oh, Qihoo 360 is detecting it, which is unexpected because I think Chinese antivirus will usually whitelist this site,
using a RAR of multiple HTML files scanned on virscan.org: http://r.virscan.org/report/5db4de0b3a4ab3b94577e355f22409e9
In that case, I think the detection is most likely correct.

I get a “Website Offline or invalid URL” because of the blocking:
Suspicious code: s1.img4399 dot com/resource/?file=base/js/plugins/ue.pager/ue.pager;base/js/plugins/ue.dialog/ue.dialog;base/js/plugins/ue.tab/ue.tab;base/js/plugins/ue.easydrag/ue.easydrag.js&v=c54c28f benign
[nothing detected] (script) s1.img4399.com/resource/?file=base/js/plugins/ue.pager/ue.pager;base/js/plugins/ue.dialog/ue.dialog;base/js/plugins/ue.tab/ue.tab;base/js/plugins/ue.easydrag/ue.easydrag.js&v=c54c28f
status: (referer=my.4399 dot com/forums-mtag-tagid-70504.html)saved 37176 bytes 33111e84e07902bd0ec2a788d0eed52923a0373d
info: [decodingLevel=0] found JavaScript
suspicious

polonus

What about the second one?
hxxp://www.9669.com
Marked as unsafe by the WebRep module, blocked as URL:Mal
Again only Avast detected the HTML file as HTML:RedirME-inf [Trj]
see: https://www.virustotal.com/en/file/4746e0a8a293a00a81bf011c8d402f7f674074437eae2c6499bff79645067cb1/analysis/1411293338/
I once saw on VirusTotal that it is marked as adult content by Dr.Web, as well as their first Android application download link out of the three links.
I am not getting any weird redirection or seeing any adult-only part of the site. Doesn't the detection mean a redirection exists on the page?

Hi rickyyeung,

Not that domain → http://quttera.com/detailed_report/www.9669.com
but rather the MileWeb IP: https://www.virustotal.com/nl/ip-address/8.37.233.2/information/
Also that site has outdated server software, so it is vulnerable to abuse:
Outdated Web Server Nginx Found Vulnerabilities on nginx nginx/1.0.15
Also traceroute vulnerabilities for Cdn Cache Server V2.0
Certification issues - WARNING: None of your DNS servers have IPv6 addresses
OK here: https://manage.centralnic.com/support/domain_doctor/www.9669.com
Code hiccup: wXw.9669.com/statics/js/jquery.fn.imgplayer.js benign
[nothing detected] (script) wXw.9669.com/statics/js/jquery.fn.imgplayer.js
status: (referer=www.9669.com/)saved 12592 bytes 4c50b923126bcf6d799d0a13c930244b4780fb9d
info: [decodingLevel=0] found JavaScript
error: undefined variable jQuery
suspicious

Blocked for me: external link to htxp://v1.cnzz.com/stat.php?id=5909591&id=5909591
WOT does not like that → but it is not on the Shalla list: http://www.shallalist.de/cgi-bin/search.cgi?suchmich=www.9669.com

Shalla Secure Services: Requested entry cnzz.com was

found in /spyware/domains : cnzz dot com
found in /forum/urls : cnzz dot com/v3/
found in /tracker/urls : s6.cnzz dot com/stat.php
v1.cnzz.com takes the detection of the main domain.
Nameserver involved in Spamming: http://knujon.com/nameservers/NS1.NDNS.CN.html

polonus
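The Shalla-style lookup polonus quotes above (a hit in /spyware/domains for cnzz dot com, plus URL entries under /forum and /tracker) is the kind of check a practitioner wants to run over every third-party resource a page pulls in, which is also how rickyyeung first spotted that both sites load cnzz.com. The script below is an added example written for this thread, not code from the forum, Shalla, Avast or cnzz: it collects script/img/iframe/link URLs from a page, drops first-party ones, and matches each host against constructed category lists in the shape of Shalla's per-category `domains` (domain plus all subdomains) and `urls` (host plus path prefix) files. The sample HTML, the list contents, the page URL www.9669.com and the function names are all assumptions made here to mirror the entries quoted in the thread.

```python
"""Triage which third-party resources on a page hit a domain/URL blocklist.

Added example for the thread above (not code from the forum posts, Shalla,
Avast or cnzz). Assumptions: the blocklist is a constructed, in-memory stand-in
for Shalla's per-category 'domains' and 'urls' files; SAMPLE_HTML is
constructed to resemble the resources mentioned in the thread; nothing is
fetched from the network.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed blocklist in the shape of Shalla's category files.
# 'domains' entries cover the domain and every subdomain; 'urls' entries
# are host + path prefix (the list stores them without a scheme).
BLOCKLIST = {
    "spyware": {"domains": {"cnzz.com"}, "urls": set()},
    "tracker": {"domains": set(), "urls": {"s6.cnzz.com/stat.php"}},
    "forum":   {"domains": set(), "urls": {"cnzz.com/v3/"}},
}

# Constructed page resembling the 9669.com front page described in the thread.
SAMPLE_HTML = """
<html><body>
<script src="http://s1.img4399.com/resource/?file=base/js/plugins/ue.pager/ue.pager.js"></script>
<script src="/statics/js/jquery.fn.imgplayer.js"></script>
<script src="http://v1.cnzz.com/stat.php?id=5909591"></script>
<img src="http://s6.cnzz.com/stat.php?id=1" width="0" height="0">
<img src="http://cnzz.mmstat.com/9.gif?abc=1">
</body></html>
"""


class ResourceCollector(HTMLParser):
    """Collect the URLs a page loads via script/img/iframe/link tags."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                # Resolve relative paths against the page so first-party
                # resources can be recognised by host later.
                self.resources.append(urljoin(self.base_url, value))


def domain_matches(host, listed):
    """True if host equals the listed domain or is a subdomain of it.

    Matching is on DNS labels, not substrings: cnzz.mmstat.com is NOT a
    subdomain of cnzz.com, and neither is evilcnzz.com.
    """
    return host == listed or host.endswith("." + listed)


def url_matches(host, path, listed):
    """True if host/path starts with a listed 'host/prefix' URL entry."""
    listed_host, _, listed_path = listed.partition("/")
    return host == listed_host and path.startswith("/" + listed_path)


def classify(url):
    """Return every (category, list) pair the URL hits in BLOCKLIST."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    hits = []
    for category, lists in BLOCKLIST.items():
        if any(domain_matches(host, d) for d in lists["domains"]):
            hits.append((category, "domains"))
        if any(url_matches(host, parts.path, u) for u in lists["urls"]):
            hits.append((category, "urls"))
    return hits


def third_party_hits(html, page_url):
    """Map each third-party resource URL on the page to its blocklist hits."""
    collector = ResourceCollector(page_url)
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    report = {}
    for url in collector.resources:
        host = urlsplit(url).hostname
        if host is None or host == page_host:
            continue  # first-party resource, not interesting for this triage
        report[url] = classify(url)
    return report


if __name__ == "__main__":
    for url, hits in third_party_hits(SAMPLE_HTML, "http://www.9669.com/").items():
        print(f"{url}\n    {hits or 'no blocklist hit'}")
```

Run against the constructed page, the 4399 CDN script and the page's own jQuery plugin produce no hits, v1.cnzz.com hits the cnzz.com spyware domain entry exactly as polonus describes (the subdomain inherits the main-domain listing), s6.cnzz.com additionally hits the tracker URL entry, and cnzz.mmstat.com hits nothing because it is a different domain, which is consistent with rickyyeung seeing no Avast alert on that host. Substituting the real Shalla category files for the constructed sets is a matter of reading one entry per line into the same two sets.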

Redleg breaks this link on line 12 in his analysis: http://jsunpack.jeek.org/?report=0d379352c753e4664e3485fe5951c6d2467b4874

See: http://wapiknow.baidu.com/question/512452237.html

polonus

Hi polonus,
I want to say something about all those cnzz websites, since you mention them here as well as in https://forum.avast.com/index.php?topic=154961.0 as proof that some sites contain malware.

The reason you can see two cnzz entries blacklisted by malwaredomain.com is that on the Sophos site, http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Troj~Clicker-GL/detailed-analysis.aspx , there are some three malware samples, detected as Troj/Clicker-GL by Sophos themselves, that request the cnzz.mmstat/9.gif file. From cnzz.mmstat/9.gif the request moves on to pcookie.cnzz.com/app.gif. That does not show any malware activity.

cnzz itself is innocent. They are the most popular service for website traffic statistics. The blacklisting by malwaredomain is false, because it started from seeing the site providing its website traffic statistics service to another website used by malware in China.

Not to mention that it is confirmed clean by Avast, as I mentioned before in post #3.

You can see their JS code in the first post of this thread on their forum: http://bbs.cnzz.com/forum.php?mod=viewthread&tid=117237

rickyyeung

Hi rickyyeung,

Good that we have posters like you here, and good that these questions are raised for the Chinese avast! user base also.
Well, I agree with you that we should have correct detection for the Chinese malware theatre, and FPs on domains/IPs should be excluded from general blocks. The main cause of FP website detections is benign sites hosted in a suspicious or even malign environment. Various factors have to be taken into consideration to establish the true status of a site, like reputable/disreputable URL, malformed SLD, being on a malicious ASN, content on the URL, brand-name URL, all-normal-token URL, web page count, iFrames/zero-size iFrames, hyperlinks, specific native JavaScript functions, specific DNS features, reputation of the website provider, specific DNS info (afraid dot org), FFSN exploits, look-up after TTL, network properties, URL shortening, etc. etc.
See one of my examples here: https://forum.avast.com/index.php?topic=154554.msg1123863#msg1123863 (I gave that link in the Chinese sub-forums also). Keep up the good work for our community. The long march has just started with one step taken and another one that followed ;D .

Damian

I would definitely suggest hosting those sites on another server. Considering the number of blocked URLs that share IPs with this one, it may be that the domain was blocked only because of this.