False Positive?

Viruses and worms
1 
http://idimsports.eu/watch/137670/1/watch-espn.html#.VhPqI_lViko

Avast appears to be blocking the stream at the above site. The site itself comes up clean with VirusTotal.

Thanks.

2

and what does the avast block message say?

Killmalware http://killmalware.com/idimsports.eu/watch/137670/1/watch-espn.html#.VhPqI_lViko

Unmaskparasites http://www.UnmaskParasites.com/security-report/?page=idimsports.eu/watch/137670/1/watch-espn.html

3

JS:ScriptIP-inf [Trj] is the infection it gives. I find this a little strange because this site is the same as an old one but under another name and I didn’t have any problems then.

Thanks

4
The site itself comes up clean with VirusTotal.
VirusTotal does not scan for infections, it is a blacklist check

html scan is clean … seems Webshield does not like the hidden iframe as seen in the links above
https://www.virustotal.com/en/file/a12c48c9b70a85baeb2fce11726c98cc499207bdfe4f67b559fc30bf6ba22a1e/analysis/

the URL in the iFrame give this https://sitecheck.sucuri.net/results/s.cdnco.us/
Malware entry: MW:EXPLOITKIT:BLACKHOLE1 http://labs.sucuri.net/db/malware/malware-entry-mwexploitkitblackhole1.php

5

There’s a blacklist data base?

So is this a false positive by Avast! you think?

6
There's a blacklist data base?
Many ... you see them listed in VT after a URL scan ;)
So is this a false positive by Avast! you think?
report it here and ask https://support.avast.com -> avast virus lab
7

But those sites blacklist URLs based on whether they’ve found infections so a VirusTotal scan is indirectly scanning for infections, no?

I’ll do that. Thanks.

8
But those sites blacklist URLs based on whether they've found infections in them so a VirusTotal scan is indirectly scanning for infections, no?
yes / no ... if CNN.com got hacked and infected today it will take some time before it end up on a blacklist. It is usually those with bad IT staff that dont bother to fix issues. And also consider what the issue is, there are many reasons for blacklisting, spam / phishing / infections ....

See hpHosts classifications as example http://hosts-file.net/?s=classifications

9

As starters DrWeb url checker gives your link as clean,
but I see the following alerts when specifically scanned.

Suspicious on iFrame check are:
Suspicious

-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90
-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;c=7;d=9;w=300;h=250
-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90
-http://s.cdnco.us/vvdim.htm?/watch/137670/1/watch-espn.html

On a javascript check this is being flagged:
Suspicious

%" colspan=“2”>

<iframe src="-http://c4.zedo.com/jsc/c4/ff2.html?n=1838;s=1;d=14;w=728;h=90" frameborder=0 marginheight=0 marginwidth=0 sc

The following included scripts should be checked:
uspect - please check list for unknown includes

Suspicious Script:
-http://show.yeabble.com/yeabblepopfr.js
document.write(unescape(‘%3cscript type=“text/javascript” * clean src=“-http://creative.ad120m.com/matomy/scripts/popunder/popunder.js”%3e%3c/scr’+‘i
Suspicious Script:
-http://show.yeabble.com/yeabblefooterfrfeed.js * Clean
document.write(“</script>”);
Suspicious Script:
-http://show.yeabble.com/matofrpopsec.js * clean
document.write(unescape(’%3cscript type=“text/javascript” src=“-http://creative.admtpmp127.com/admtpmp127/scripts/popup/popup.js”%3e%3c/scr’+
with a very poor web rep: https://www.mywot.com/en/scorecard/creative.admtpmp127.com?utm_source=addon&utm_content=warn-viewsc

For starters I would block the following third party links, going to -magnetic.t.domdex.com, -pulsepoint-cm.p.veruta.com, pxgp2.adpredictive.com, -p.adpdx.com, -rdcdn.com, zl1.zeroredirect1.com and -ck.adohana.com
with a script or a request blocker.

See for alerts on website: https://urlquery.net/report.php?id=1444148063174
See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fidimsports.eu%2Fwatch%2F137670%2F1%2Fwatch-espn.html%23.VhPqI_lViko
second link currently safe: http://adguard.com/en/adguard-report/show.yeabble.com/report.html
and this has been blocked in my browser: uMatrix has prevented the following page from loading:
htxp://s7.addthis.com/

This Dutch hosted website therefore is not without problems. I would be rather careful or shun it.

polonus (volunteer website security analyst and website error-hunter)

10

Okay. Thanks for the replies and data. Just find it odd to a degree that this site is now a potential problem when it was fine under another name, but their address did change so maybe other things did as well.

Thanks again!

11

Hi NVF,

It just depends how secure the browser is tweaked to avoid the adware and tracking dangers there and the occasional dropper With a good and decent script blocker and a decent adblocker your experience may not have differed that much from previous time.
Well you have been alerted to the fact that that sites like these use the visitors as a product in their pay model and that real content is only additional for them, always is and especially to-day “free comes at a price”. As things stand now I would not go to that site, they have to clean up their act first.

greetings from the Netherlands,

polonus

12

I do not think this is a False Positive - Avast complains about this piece of code:

if(document.location.hostname == "firstrowsports.uk.to"){window.location = "http://firstrowas.eu/sport/football.html";}

While this particular code seems clean, it cannot be said that redirections by JS are a neat way to do things. Why not use a 301 header, if you want to redirect?

Also, this alone would qualify for blocking the whole domain:

if(country2 == "US"){
document.write('<iframe src="http://www.vid4fun.net/v4f.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.trailernow.net/tn.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.everclips.net/evr.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.123trailers.net/1tr.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.govids.net/gov.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.hiclips.net/hic.php" height="1" width="1" border="0" scrolling="no"></iframe>');
document.write('<iframe src="http://www.ivids.net/ivd.php" height="1" width="1" border="0" scrolling="no"></iframe>');
}

Honza