False positive or real infection on popular site?

My gf was going to “people of walmart” and it came up with an infection alert (on the main page). Is this correct or a false positive because this is a very popular site? I have attached pics below.

The pics have to be small for the small size limit, but here is the info on the infection information page.

URL:http://ibc.thuisserver.com/ba.js (<do not go to that site people)
Process: C:\Program Files\Mozilla Firefox\firefox…
Infection: URL:Mal

Thanks for the help.

Avast! is not alerting on the site, but on another site that the site is trying to connect to.
See: http://urlquery.net/report.php?id=81824

GET /ba.js HTTP/1.1
Host: ibc.thuisserver.com
Referer: hXtp://www.peopleofwalmart.com/

HTTP/1.1 200 OK
Content-Length: 685

Direct malware payload was on that link 2012-06-06.

Also See: http://urlquery.net/report.php?id=81829

Also Returns:
HTTP/1.1 200 OK
Content-Length: 685

So it appears that the site at hand gets a cookie from the suspect site at hand.

Another Domain With The Same Behavior On The Same IP: http://urlquery.net/report.php?id=29224

So you are saying this site is fine, but has links to a malware site, or is it only a bad cookie?

And I typed the URL directly into the URL bar (did not use a link to get to the people of walmart site).

Excuse my stupidity…lol

The site has a link to a site that has hosted malware in the past. However, avast! blocks this IP. With it returning a cookie, which I assume would be used for another site called by the site so as to check the referrer of the URL. In similar theory:
Main Site → Cookie Payload → Main Site → Cookie Get → Do Something When Returned True

In simple terms, while avast! is blocking the “thuisserver” site, you should be able to browse safely, considering the factor mentioned above.

Thank you for explaining it to me Donovan. I appreciate the help :slight_smile: . Have a good 4th of July (if you celebrate it).

You're welcome. Glad I could help. :slight_smile:

Hi !Donovan,

The malware of that Russian domain: htxp://ibc.thuisserver.com/ba.js is now dead. Closed since: 2012-06-06 20:11:38

Suricata/ w Emerging Threats - alert severity 3
2012-07-04 03:24:21 92.241.177.162 urlQuery Client 3 ET RBN Known Russian Business Network IP (430)

polonus
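
The distinction discussed in this thread (an alert on a resource the page loads versus an alert on the page itself) can be read straight from the Host and Referer headers of the blocked request. The following is an added example, not part of the original thread or of any avast! or urlQuery code; the function names, the `BLOCKED` set and the two-label domain comparison are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Defanged schemes: hXtp and htxp appear in the thread; hxxp is the common form.
_DEFANGED = {"hxtp": "http", "htxp": "http", "hxxp": "http", "hxxps": "https"}

def refang(url):
    """Make a defanged URL parseable again; normal URLs pass through."""
    scheme, sep, rest = url.strip().partition("://")
    if not sep:
        return url.strip()
    return _DEFANGED.get(scheme.lower(), scheme.lower()) + "://" + rest.replace("[.]", ".")

def site_of(host):
    """Naive registrable domain (last two labels). Assumption: a real tool
    would use the Public Suffix List to handle suffixes such as co.uk."""
    return ".".join(host.lower().split(":")[0].rstrip(".").split(".")[-2:])

def parse_request(raw):
    """Parse a raw HTTP request head into (method, path, headers)."""
    lines = [ln.strip() for ln in raw.strip().splitlines()]
    method, path, _version = lines[0].split(None, 2)
    headers = {}
    for ln in lines[1:]:
        if not ln:
            break
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers

def classify(raw, blocked_hosts):
    """Was the blocked request the visited page, or a resource it pulled in?"""
    _method, path, headers = parse_request(raw)
    host = headers.get("host", "").lower()
    out = {"url": "hxxp://" + host + path, "blocked": host in blocked_hosts}
    referer = headers.get("referer")
    if not referer:
        out["verdict"] = "top-level navigation or referrer stripped"
        return out
    out["page"] = urlsplit(refang(referer)).hostname or ""
    same = site_of(out["page"]) == site_of(host)
    out["verdict"] = "same-site request" if same else "third-party resource loaded by page"
    return out

# Request head as quoted from the urlQuery report in the thread.
SAMPLE = "GET /ba.js HTTP/1.1\nHost: ibc.thuisserver.com\nReferer: hXtp://www.peopleofwalmart.com/\n"
BLOCKED = {"ibc.thuisserver.com"}  # constructed blocklist for the example (assumption)

if __name__ == "__main__":
    print(classify(SAMPLE, BLOCKED))
```
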