Does this site still have malicious content?

See: http://zulu.zscaler.com/submission/show/91ae75b5f65747e738a97ae98e1a2d87-1340707431
IDS flags here: http://urlquery.net/report.php?id=75874
Malvertising site and ET CURRENT_EVENTS Blackhole Landing Try Prototype Catch Jun 18 2012
Diagnostics: -http://www.mbi-connexion.com/securite/diagnostic/h--hm-asia.com

[embed] hm-asia dot com/pic.swf
info: [decodingLevel=0] found JavaScript
suspicious:

polonus

https://www.virustotal.com/url/a21c1c02cf58cef13192669eb33d4053e34c3097b089fd00b9595934063199d3/analysis/1340709188/ doesn’t show anything.

http://sitecheck.sucuri.net/results/hm-asia.com

Malware found on javascript file:
hxxp://hm-asia.com/flash.js

http://sucuri.net/malware/malware-entry-mwjs160

hm-asia.com/flash.js (malicious obfuscated content | part of blackhole exploit)
info: [embed] hm-asia.com/pic.swf
info: DecodedGenericCLSID detected D27CDB6E-AE6D-11cf-96B8-444553540000
info: [var s] URL=hm-asia.com/function
https://www.virustotal.com/file/3e51239e75656d1e6eb3f333b4523bc786b260b7b762ce82380985903123ca69/analysis/1340728184/

(var s) hm-asia.com/function (404)
status: (referer=hm-asia.com/flash.js) ← Gets called from flash.js
Return Status: 404

[SWF] (embed) hm-asia.com/pic.swf (clean)
status: (referer=hm-asia.com/flash.js) ← Gets called from flash.js
https://www.virustotal.com/file/c803c78fa12201a01745a08279cc0cd32ec69772d40105816f58f96baeab5a7d/analysis/1340728084/

Yes.

As avast does not detect, this should be reported to virus AT avast dot com.
I have done so accordingly,

polonus

Same algorithm mentioned here (link found by Polonus):
http://www.symantec.com/connect/blogs/blackhole-exploit-kit-gets-upgrade-pseudo-random-domains

“By changing the date passed to the function we can determine domains that will be used in future.”

14/41 Now Detect.

Avast! detects as JS:Blacole-V [Trj], so we are being protected. :slight_smile:

Great. Thanks for the info. :slight_smile:

I tried copying the link so I can paste it in Bounceapp to get a screenshot of the site… but mistakenly clicked open link in Firefox… :confused: I closed the tab very quickly and cleared all cookies… avast did block Flash.js on that site… I scanned with malwarebytes’ and didn’t find anything and I am scanning with SAS… Hopefully my computer didn’t get infected… I pray not… :-[

If avast! blocked flash.js then you should have nothing to worry about. :wink:

Thank Goodness :smiley:

You shouldn’t “play” with such stuff, very bad things can happen…!!! :wink:

ok ;D ;D

Well Coolmario88,

Well, actually that “do not play with” should be “do not click”. You may feed a link to online scanners, could analyze that link online, but you should not visit that link by clicking it and going there to that malware-laden site (or in lab settings on a VM and with script blocking active). But better not, because malcode can escape sandboxes and I for one would not like to experiment clicking a live file infector link. So always remember “curiosity killed the proverbial animal”,

polonus