Good, this site is being blocked... detected Live BlackHole exploit kit.

See: http://siteinspector.comodo.com/public/reports/5604391
Why high risk: http://www.urlquery.net/report.php?id=149684 (notice all the intrusion detection alerts)
see: https://www.virustotal.com/url/dcd7d3f7de71a3cee84476fe6b4406825cc350070520118bc8ef984a4e07a34f/analysis/
Google stops us from going to a suspicious PHISHING site (mentioned on Phish Tank), infected with cleanmx_generic (whatever that may stand for),
probably a dangerous script → htxp://www.frl-josephine.de/WSbjFVEM/js.js resolving to htxp://www.johicksmakeup.com/i27y5nwH/js.j
see: htxp://www.mywot.com/en/scorecard/johicksmakeup.com?utm_source=addon&utm_content=popup-donuts (also flagged by Bitdefender’s TrafficLight as unsafe); read: http://www.mywot.com/en/forum/21464-qai-jar-malware-cve-2010-1885?page=12
redirecting to:
htxp://50.116.34.38/pxyk80ujzb03h.php?y=quhp77j6fgbj3ih with suspicious content after the html tag: padding to disable the MSIE and Chrome friendly error page → http://urlquery.net/report.php?id=149690. Better that this IP should be blocked, and it is blocked by WOT: http://www.mywot.com/en/scorecard/50.116.34.38?utm_source=addon&utm_content=warn-viewsc

polonus

The following is a case where the avast Web Shield neatly blocks the malcode…
This site has threat Mal/HTMLGen-A, see: http://urlquery.net/report.php?id=148341
See: http://zulu.zscaler.com/submission/show/e6436c4cc5837210f59f29ec3567a530-1346186661
Maybe down now, we think, as we get a: 11004 [11004] Valid name, no data record (check DNS setup).
This is because our good avast Web Shield blocks it as Infection: HTML:RedirME-inf[Trj].
See for the past: http://urlquery.net/search.php?q=219.90.118.78&type=string&from=&to=&max=50

We, the avast users, are being protected,

polonus

The html
http://virusscan.jotti.org/en/scanresult/c17958a6042e3776e2ee1aca05eb68d06a67085e
https://www.virustotal.com/file/7e37110bb205a26a675ddc96d6a8cbbb3284f9039a5034cf71d6e82387d09f57/analysis/

and the fake flash
http://virusscan.jotti.org/en/scanresult/21f0ec4a488b4ccdb10b8d9087c92829676e4d41
https://www.virustotal.com/file/d7d03152af843f3f7f45cf4db35fa4d96974ab92c7c9e89879859713fd3ee546/analysis/

Hi Pondus,

That second one is taken care of by the webshield. We have much more than just the static file detection, ye know,

pol

The site also pushes these into your C:\documents and settings(my name)\programdata(folder with same name as exe)\ (exe)

http://virusscan.jotti.org/en/scanresult/28f5dab98917cd03520b395c95d2b6ff5a233c14
https://www.virustotal.com/file/fcb302c53abd5358a8a4486523e3a17f5e27f19e4cc63f53707d5f09ba0e52f1/analysis/1346190883/

http://virusscan.jotti.org/en/scanresult/9cf5a2b49b0a4d05c4509bfe9429d744e20517ba
https://www.virustotal.com/file/f0e8eadede286be91d36eb7f3e051b40fa771257f42d6be91c57dea864359275/analysis/1346190931/

Hi Pondus,

Thanks for digging this info up for us,

polonus

So it looks as if you don't take the bait and download that fake Flash update, it will still push the same Zbot in behind your back.

Hi Pondus,

Reason the more access should be blocked, don’t you think so?

polonus