False Positive Web Shield block at this site?

While trying to click this link the avast Webshield detected: JS:ScriptDC-inf [Trj]
I scanned the URL link at VT, see: http://www.virustotal.com/url-scan/report.html?id=0ea088adcc77c0ebfa6aeb791bf1985c-1305374763
and the file-analysis gave http://www.virustotal.com/file-scan/report.html?id=f06775c73f91c1600952417efb78811d8b189fdf768673237b2bbab719481547-1305382403 (3 detections for JS:ScriptDC-inf, all from avast and GData (provided by avast) - wepawet scan result benign: http://wepawet.iseclab.org/view.php?hash=0ea088adcc77c0ebfa6aeb791bf1985c&t=1305382480&type=js
URLVoid scan: http://www.urlvoid.com/scan/rexbd.net clean…
see linkscan: hxtp://jsunpack.jeek.org/dec/go?report=552b3a32647bd96946b5733aedbdb5f3f07719ac
Go to above link only if security aware, with ample script protection and sandboxed…
WOT reputation very poor: http://www.mywot.com/en/scorecard/rexbd.net
http://www.webutation.net/go/review/rexbd.net score 40/100
Sucuri scan results:
web site:
htxp://rexbd.net/validator/index.php
status:
Site verified to be secure and free of malware.
web trust:
Site not blacklisted.
Add. info on domain had url-shortener and DCOM exploit cases → malware 174.132.170.157

polonus

Well as you say WOT doesn’t like hXXp://rexbd.net either.

However it may be that in its validation of a site (url=nofax-payday.ning.com/lender-
15) it is pulling in some data/script tag that is setting off the web shield in the same way as some of the security sites we use when investigating alerts on sites.

On analyzing the same url at monkeywrench.de got the same avast flag for JS:ScriptDC-inf [Trj] in AppDat\Local\Microsoft etc.

This scan came up clean: http://vscan.urlvoid.com/analysis/e02b83e8e9e4c406d17ff85ad6378d2a/aW5kZXgtcGhw/ (permalink)

It is also found dangerous by Trend Micro Site Safe:

How would you categorize this site?
The latest tests indicate that this site contains malicious software or could defraud visitors

Disease Vector
Sites that directly or indirectly facilitate the distribution of malicious software or source code

My verdict would be that the Webshield has saved us again,

polonus

The web shield has always been very hot in these script injection exploits/hacked sites.

The problem is, that I think you may be looking at the wrong file/data source, I don’t think it is the index.php that is the problem as that is only doing the validation, when it is what it imports into its validation process (from nofax-payday.ning.com), which I believe is being pinged.

Hi DavidR,

Yes you are right there, because it is a silent download that starts immediately from there. Curious as to what that is, good avast webshield blocks this,

polonus