avast netshield blocks

Hi malware fighters,

Avast flagged google-research.com/image/scan_url_malware.gif
What is this?
All 5 instances were blocked.
Is it as reported here? http://news.techworld.com/security/9240/malicious-gif-conceals-php-attack/

polonus

Maybe I should stop using ScrapBook…always had doubts (ScrapBook is an extension for Firefox allowing you to save entire web pages in a click etc…) >>> loads and loads of GIF files…on the other hand, they’ve already been temporarily saved to disk (in cache) at browsing time…but if, as your article says, the beginning of the file is safe and bypasses the web shield and the file system shield…>>> the solution could be to set the web shield to scan files entirely, but this could slow down browsing…and guess what, GIF files are excluded by default for the web shield ;D I don’t want to change that. What remains is relying on the file shield, but this would mean setting it to scan files entirely, which is also unthinkable…

Well, the URL looks like it is trying to pretend to be a Google-related site; the google-research.com domain isn’t registered to Google to start with, see image. Normally it would be research.google.com or something along those lines.

avast’s network shield is blocking the whole domain as malicious and not just that .gif image.

Not to mention the URL is unreachable as OpenDNS reroutes it to its other options page, http://guide.opendns.com/?url=wXw.google-research.com.

What did you type to get this alert, David? When I type hxxp://www.google-research.com I just get “server not found”. On the other hand, I also get an OpenDNS redirection with the corresponding IP.

That’s the legit address >>> http://research.google.com/

Hi DavidR,

@Logos… you could use the info from robtex. We now know it has an ill reputation…

Thanks for confirming. Blacklisted md5:6daba0a69dec5106384817d5cce940f4:google-research.com
md5:9087540aa92a77d4b0b1c505ecee3c2c:google-research
Everything is fetched in the background, enough for me to stay away,
by the way sitetrust cannot find it,
and again thanks avast for the blocking and saving my behind,

polonus

I got block alerts trying to use the same URL as you and wXw without the hXXp bit.

I got the alerts first when using Firefox; only if I stop the network shield do I get the redirect to the OpenDNS page, otherwise avast alerts well before any redirect, aborting the connection (see image).

I also tried to download the .gif file using Orbit Downloader and avast blocks it before Orbit tries to get it.

Hi DavidR,

There is a similar malcoded GIF exploit called counter.gif. Here the GIF has malcoded PHP inside. What did Wepawet analyse? I get an invalid host name there. The domain changed nameservers 26 times over the last 4 years.
It had 19 ownership records, probably all malcreant-related. No data found for google-research.com at WOT…

polonus
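Detection logic for the appended-PHP GIF trick that Logos and polonus discuss above, as an added example that is not from this thread or from avast: it walks the GIF block structure to find where the image really ends, then flags any bytes after the 0x3B trailer and any PHP open tag anywhere in the file (which also catches a tag hidden inside a GIF comment extension). The sample GIF and the appended tag are constructed inline.

```python
import re

# PHP open tags: "<?php" or the short "<?=" form, case-insensitive.
PHP_TAG = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance past a chain of length-prefixed sub-blocks ending in a 0x00 byte."""
    while True:
        size = data[pos]
        pos += 1
        if size == 0:
            return pos
        pos += size

def gif_payload_end(data: bytes) -> int:
    """Parse the GIF block structure; return the offset just past the 0x3B trailer."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    packed = data[10]          # logical screen descriptor flags
    pos = 13
    if packed & 0x80:          # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    while True:
        block = data[pos]
        if block == 0x3B:      # trailer: the image proper ends here
            return pos + 1
        if block == 0x2C:      # image descriptor (10 bytes incl. separator)
            lpacked = data[pos + 9]
            pos += 10
            if lpacked & 0x80: # local colour table
                pos += 3 * (2 << (lpacked & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips LZW min code size
        elif block == 0x21:    # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        else:
            raise ValueError(f"unexpected block 0x{block:02x} at offset {pos}")

def inspect_gif(data: bytes) -> dict:
    """Report structural validity, first PHP tag offset, and bytes trailing the image."""
    try:
        end = gif_payload_end(data)
    except (ValueError, IndexError):
        end = None
    tag = PHP_TAG.search(data)
    return {"well_formed": end is not None,
            "php_tag_offset": tag.start() if tag else None,
            "bytes_after_trailer": len(data) - end if end is not None else None}

# Constructed 1x1 GIF89a (35 bytes) and a constructed polyglot with PHP appended.
CLEAN_GIF = (b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00\x00\x00\xff\xff\xff"
             + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00" + b"\x02\x02\x44\x01\x00" + b"\x3b")
SAMPLE_POLYGLOT = CLEAN_GIF + b"<?php /* constructed sample */ ?>"
```

A file whose bytes_after_trailer is non-zero or whose php_tag_offset is set is worth quarantining even when the header looks like a perfectly ordinary GIF.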

Oh, maybe I found the reason(s) (typing http or not doesn’t change anything, it’s always added automatically in any address bar anyway) >>> either you can’t access that site from France (filtered by ISP or else…), or I can’t get through because I use Google DNS servers atm (yes Polonus, I know ;D) and they’re aware of it.