Avast WebShield does detect the exploit at rtysfalls dot info

Where a lot of others do not alert, I found only 1 detection here: http://www.urlvoid.com/scan/rtysfalls.info
and a suspicious exploit is detected here: http://wepawet.iseclab.org/view.php?hash=2c18b1040d934d5045048581b4edf24c&t=1300395983&type=js
with the corresponding
Anubis report: http://anubis.iseclab.org/?action=result&task_id=1a94e20a47a4505643952343574696049
detected as Trojan-Dropper.Win32.Vedio (Sig-Id:1530272) (Ikarus)
the avast webshield alerts htxp://jsunpack.jeek.org/dec/go?report=a6e79b7af1bcefa50fa8a337964c32d84ecafacf
as JS.ShellCode-GR[Exploit], so the avast user is protected!
TrendMicro Site Safety detects: The latest tests indicate that this site contains malicious software or could defraud visitors.
Disease vector: Sites that directly or indirectly facilitate the distribution of malicious software or source code…
Site is blacklisted, but no malware identified by the free sucuri scanner…
Domain name was registered on 02 February 2011…, see: http://www.robtex.com/dns/rtysl.com.html
Webutation misses it altogether: http://www.webutation.net/go/review/rtysfalls.inf

polonus

Almost ended up reporting this as the “random blurb” spam ;D Could do with some formatting. :stuck_out_tongue:

Otherwise, nice catch. 8)

Hi doktornotor,

Well, the Anubis report says it all: an AV should alert on this, and Avast WebShield does. But when I scan the URL against virustotal.com you can understand my initial concern:
http://www.virustotal.com/url-scan/report.html?id=2c18b1040d934d5045048581b4edf24c-1300396452
Firefox: Clean site
G-Data: Clean site
Google Safebrowsing: Clean site
Opera: Clean site
ParetoLogic: Clean site
Phishtank: Clean site
Downloaded file analysis does not make me that happy either:
http://www.virustotal.com/file-scan/report.html?id=08fdfdc0c63871889e918e8aa797454a400655574d9cce9272f4a51d93049839-1300400272
Two flags:
TrendMicro (9.200.0.1012, 2011.03.17): Possible_Hifrm-5
TrendMicro-HouseCall (9.200.0.1012, 2011.03.17): Possible_Hifrm-5
See: http://about-threats.trendmicro.com/ArchiveMalware.aspx?language=us&name=Possible_Hifrm-5
The exploit is detected by the avast webshield, but what about the trojan-dropper there?

polonus

Norman analysis confirms it is infected

wxw.rtysfalls.info.htm Processed - HTML/IFrame.IP
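As an added example that is not part of this thread and is not the logic of Avast, Norman, TrendMicro or any other scanner named above: the verdicts in the thread (HTML/IFrame.*, Possible_Hifrm, JS.ShellCode) are the kind of thing a static heuristic over the page source can approximate. The Python below flags hidden or near-zero iframes and shellcode-style script encodings; the two sample pages are constructed for the example (the IP 203.0.113.7 is a documentation address) and are not content from the site discussed.

```python
import re

# Regexes for a rough static triage of a fetched HTML page (added example, not scanner code).
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
# Eight or more consecutive %uXXXX escapes is typical of unescape()-decoded shellcode.
UNICODE_ESCAPE_RE = re.compile(r"(?:%u[0-9a-fA-F]{4}){8,}")
# eval() fed directly from a decoder is the classic obfuscated-loader shape.
EVAL_RE = re.compile(r"eval\s*\(\s*(?:unescape|String\.fromCharCode|document\.write)", re.I)
BARE_IP_SRC_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def parse_attrs(attr_text):
    """Turn the attribute text of one tag into a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        name = m.group(1).lower()
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value.strip()
    return attrs


def _tiny(value):
    """True for width/height values of 0 or 1 (px or bare), which hide an iframe."""
    value = value.strip().lower().removesuffix("px").strip()
    if not value:
        return False
    try:
        return float(value) <= 1
    except ValueError:  # e.g. "100%" or "auto"
        return False


def _hidden_style(style):
    """True if the inline style hides the element or pushes it far off-screen."""
    s = style.replace(" ", "").lower()
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(?:left|top):-\d{3,}", s) is not None)


def suspicious_iframes(page):
    """List every iframe that looks injected, with the reasons it was flagged."""
    findings = []
    for m in IFRAME_RE.finditer(page):
        attrs = parse_attrs(m.group(1))
        reasons = []
        if _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")):
            reasons.append("near-zero size")
        if _hidden_style(attrs.get("style", "")):
            reasons.append("hidden by CSS")
        src = attrs.get("src", "")
        if BARE_IP_SRC_RE.match(src):
            reasons.append("src is a bare IP address")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


def suspicious_scripts(page):
    """Flags for obfuscated-loader and shellcode-style encodings in script text."""
    reasons = []
    if EVAL_RE.search(page):
        reasons.append("eval() over unescape/fromCharCode output")
    if UNICODE_ESCAPE_RE.search(page):
        reasons.append("long %uXXXX run (shellcode-style encoding)")
    return reasons


def triage(page):
    """Combine both checks into one verdict for a page."""
    iframes = suspicious_iframes(page)
    scripts = suspicious_scripts(page)
    verdict = "suspicious" if iframes or scripts else "clean"
    return {"iframes": iframes, "script_flags": scripts, "verdict": verdict}


# Constructed sample pages for the example; not fetched from any real site.
CLEAN_PAGE = """<html><body>
<h1>Trail map</h1>
<iframe src="https://maps.example.com/embed?id=12" width="600" height="400"></iframe>
<script>document.getElementById('x');</script>
</body></html>"""

INJECTED_PAGE = """<html><body>
<h1>Trail map</h1>
<iframe src="http://203.0.113.7/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>eval(unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090"))</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, triage(page))
```

This is a triage aid, not a replacement for a sandbox like Wepawet or Anubis: a 1x1 iframe is also used by legitimate trackers, so treat a hit as a reason to pull the iframe target into a sandbox rather than as a verdict on its own.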