Help needed understanding reports about potentially malicious site

Hello

I hope this is the right forum for the subject matter, otherwise, feel free to move it.

Yesterday when I wanted to go to google.dk, I accidentally mistyped the address and wrote gogole.dk. I was then taken to a mostly blank page with the site address creditcards.dk and the message: “Please click the following link if you are not automatically redirected in 5 seconds”. Nothing happened, but I panicked a bit and closed the tab.

I then typed gogole.dk again, thinking that any potential damage had already been done and perhaps I could glean some useful details to ensure my safety. This time the page, again named creditcards.dk, consisted of a series of obscure links with names the likes of “gay sex” and such. Maybe it was different this time because the first visit had left cookies on the computer (four of them I think; after a reboot for other reasons I deleted them and the Firefox cache).

Some years ago I would probably not have thought much about the occasional misspelled addresses but I have grown increasingly nervous about web security lately. So I ran some webscanners, and I’m hoping some of the more learned people here can see from the results whether I have cause to worry or not. For the record I have run full scans with MBAM and Avast and found nothing. I use Vista 7 and Firefox 18.0 with NoScript and Adblock+, mostly with default settings (so NoScript isn’t set to block iframes although I believe they are sandboxed in the most recent version of Firefox).

Webscan results for gogole.dk:

http://wepawet.iseclab.org/view.php?hash=bc04cb1a2fe098720354c95568d68831&t=1358235407&type=js
http://quttera.com/detailed_report/gogole.dk

For creditcards.dk:

http://sitecheck.sucuri.net/results/creditcards.dk
http://quttera.com/detailed_report/creditcards.dk
https://www.virustotal.com/url/824313637aebc60e0c4a6f223b8fd8ef1864f83f2be9a6f156b8fb6d2b23f926/analysis/
http://wepawet.iseclab.org/view.php?hash=5ef128cad58ae4296a29d224c280ddbc&t=1358234597&type=js
http://www.siteadvisor.com/sites/creditcards.dk

For wxw.creditcards.dk:

http://sitecheck.sucuri.net/results/www.creditcards.dk
http://quttera.com/detailed_report/www.creditcards.dk
http://wepawet.iseclab.org/view.php?hash=a917bca32d37a67d205dad7b787f6767&t=1358238306&type=js

So, anything particularly dangerous considering I run with NoScript and Adblock+ and didn’t click any links?

I am willing to go through the process described in this forum’s sticky thread, but I’m hoping some of you guys could perhaps provide some sort of “malware probability rating” just based on the above. There is some interesting code in some of the reports that I think could provide some information, but unfortunately I don’t understand it myself.

As you use NoScript, you should be clean.

First, thanks for answering.

With Noscript with default settings and whitelist, I should be ok? This very long report just scared me a bit: http://wepawet.iseclab.org/view.php?hash=a917bca32d37a67d205dad7b787f6767&t=1358238306&type=js

Also, the first of the Quttera reports mentions suspicious behaviour, and the Virustotal report mentions the site as hosting CYSC.RED.CLICKFRAUD-1.

I’m also wondering whether there is a difference between the site as scanned by these webscanners, and the site as accessed with cookies. Like I mentioned, the second time I visited it (to check what scripts were running using Noscript, and inspect elements using Adblock, although not much of it made sense to me), it looked different, I’m guessing because the first visit had placed cookies on my computer that identify me as a repeat user of sorts. I suppose these webscanners just make a single visit. I don’t know if this makes a difference at all.

Note: this is primarily about wxw.creditcards.dk, which gogole.dk redirects to immediately (gogole.dk doesn’t even show in the history log).

  1. You’re welcome.
  2. Yes.
  3. Cookies are no threat, just clear them in your browser.

Ok. Just asking because google.com is in the default whitelist IIRC and there were some google.com scripts in the reports, but perhaps they were harmless search scripts. The scripts I do remember from hovering over the Noscript icon when visiting the site were dsulta.com, dsparking.com and (I think) domainparking.com, all of which were blocked. However other scripts, such as from google.com and also something called local.com, are mentioned in the last report I linked to, and in the Quttera report, googlesyndication.com and doubleclick.net. I don’t know why they would be in the report but not detected by Noscript. Anyway, I suppose they were blocked. Can you tell from the reports if there were any iframes to be worried about, regardless of the mention in the latest Firefox patch notes that they are sandboxed now?

Right, I was just thinking that maybe because of the cookies left from the first visit, at the second visit the site could detect my previous visit since it looked different, and maybe was a more malicious version. Now, not that it looked all that dangerous after all, just a collection of “don’t-click-me” links, but you never know if something is loading in the background right?

Thank you for your patience!

As said, with NoScript there’s nothing to worry about.

The reports you get from wepawet, etc. are the unvarnished details of ‘its’ analysis; it isn’t browser dependent and won’t benefit from the likes of NoScript or any other browser add-ons.

The iframes, etc. would possibly have remote content and that would have to be imported and I believe NoScript would still give a degree of protection as it also monitors cross site scripting.

A more functional cross site scripting add-on is RequestPolicy, in which nothing comes in from a 3rd party site unless you specifically allow it. RequestPolicy, however, can be more hassle than NoScript, as you have seen many sites have lots of 3rd party sites accessed.

First of all, I really appreciate your responses.

I checked the Firefox history log, and it seems I visited the site creditcards.dk four times in a row trying to see if there was anything dangerous there, but from what you are saying, the number of times I visited or the length of the visits doesn’t matter much with NoScript, right?

Now, it seems I was wrong about Iframes being sandboxed in Firefox, I misread the patch notes. They just enabled the sandbox attribute for web developers as far as I can tell. Iframe blocking is disabled by default in NoScript and so, my fear is that something malicious could have been loaded this way. From what I’ve read, if Javascript/Java/Flash etc. are blocked, the chance of drive-by infections is extremely small, but still. Is there a way to “detect” if there are Iframes on the site, either from the reports I posted or using a specific tool?

The only thing that happened during the visits that I interacted with was, during the first visit, a pop-up line just beneath the address field purporting to be from Adblock+ and asking if I wanted common misspellings to be automatically corrected, to which I clicked yes, and during the second, if I really meant gogole.dk or wanted it to be categorized as a misspelling and automatically replaced with google.dk, to which I clicked no.

Like I said, I appreciate your help, but is there anything further to do not requiring me to scan my computer with lots of different programs, but just scanning/analyzing the site (creditcards.dk, which gogole.dk redirects to)? And I know it’s asking a lot, but is there anything you can do to check it for me? To see if there is anything dangerous, if it would have been blocked by default NoScript, and if not, what the worst-case scenario would be (Virustotal mentions Clickfraud on the site, which I assume is less bad at least than Trojans and keyloggers)?

Thanks again.

Let’s put it this way: if you have a suspect site, don’t push your luck in repeatedly going back to see if there is anything dangerous there (no matter if you have NoScript). You are playing Russian roulette and sooner or later there may be a bullet with your name on it.

If you are going to investigate possible malware/danger you need a lot more proactive protection.

All right. I only visited it four times in quick succession that one evening, and only so long as to check by hovering over the NoScript icon which scripts were running.

So I’m guessing it’d be wrong to ask one of you to investigate it? By the way, I hope you won’t mistake my lack of technical knowledge for laziness.

For now, I’ve run a full MBAM scan and Avast boot-time scan, with highest sensitivity, and found nothing. The MBAM is a trial version which someone here mentioned to me could possibly detect if there was any “phone-home” activity from my computer.

I’m guessing if you can’t investigate the matter or give me a 95% estimate or so of no danger, the only way to be sure is to go through the malware removal guide?

The main thing you have to trust in is your existing protection or you will give yourself an ulcer.

If the avast web shield didn’t alert: there is unlikely to be any active malware present on that page; the page/site is unlikely to have been hacked as the web shield is very hot on hacked sites.

If the network shield didn’t block the site then it isn’t on its current known malicious sites list.

If firefox didn’t alert on its safe browsing function or phishing sites function, these are all signs that at that time there was a very low possibility of it having been infected.

If avast and mbam scans have found nothing, it is a reasonable assumption that your system is clear. You also have to take into consideration how your system is running, e.g. is it doing anything out of the ordinary, like trying to connect to or being redirected to sites you weren’t visiting, etc. etc.

So in all honesty I can’t see the purpose in further investigation to prove a negative.

On gogole dot dk there is a conditional redirect there → the location line in the header above has redirected the request to: htxp://www.creditcards.dk

( If this redirect is not what you expected SEE: Conditional redirects. for some tips on clearing redirects.) as Quttera reported script going to: htxp://dsparking.com - see attached image…malcode probably wrought via a Joomla hack via .htaccess - redirect virus to a pay per click scam site, see web rep report: http://www.mywot.com/en/scorecard/dsparking.com?utm_source=addon&utm_content=popup-donuts
According to a report on VirusWatch the malware on the conditional redirect has been closed since 2012-08-12 01:20:42 after being active for 8 hrs.
Initially from cdn.dsultra dot com/favicon/etc. as seen by Phish viewer’s saved evidence real database (link not given)

polonus

The main thing you have to trust in is your existing protection or you will give yourself an ulcer.

I know I’m being a bit paranoid, thank you for your patience. Like I said, a couple of years ago I wouldn’t have given this sort of thing much notice.

The only thing I have experienced since that I thought was odd was a larger number of web shield scans than usual in the startup phase Tuesday evening. Normally, msftncsi.com/ncsi.txt will be the first to be scanned by the web shield, whereas this evening, I noticed it was number eight. As in, eight scannings at the time I looked at the web shield and msftncsi was the subject of the last performed scan. Since then, I made it so the web shield log will also show the scanned sites it has deemed malware-free, and upon checking the log for the last couple of days, which of course has already grown to a monstrous length, I haven’t noticed anything that seemed like a “false negative”.

Now, I don’t think the site has been hacked, just that it has been there for a malicious purpose all along, since it is obviously designed to take advantage of a misspelling of “google”. I’m just hoping it’s “only” a run-of-the-mill ad site with malicious links, and that if the site itself had a malicious payload, it would have been blocked.

http://vscan.novirusthanks.org/analysis/5cd43eaa2f411f0a42e468120ff39078/Y3JlZGl0Y2FyZHMtZGs=/

Some webscanners detect “HTML.Agent”, which according to some Google searches has to do with Iframes. But if I’m reading everything correctly, even if there was an unblocked Iframe, it would still have to get material from another site containing Script/Java/Flash exploits (I don’t even have Java or Flash in fact), which would then have been blocked by NoScript, am I right?

gogole.dk is what I typed, but it redirected immediately to creditcards.dk and doesn’t even show in the browser log of visited sites. So I’ve been focused on finding out what I can about creditcards.dk. I’m an intermediate user at best, but if I understand you right, I should stop being scared senseless of not being able to login everytime I go to my mail account? :-\

This is what creditcards.dk should look like now: http://urlquery.net/screenshot.php?id=740650
For me, it was just a plain-text collection of links in succession.

Well, dsparking dot com is a URL blocked by spIDer Gate - reason: Known Infection Source…
URL is blocked by SpIDer Gate
hxtp://www.creditcards.dk/
Reason: Threat detected (JS.Redirector.175 - a DrWeb detection) for this threat see: http://forum.avast.com/index.php?topic=44728.0
We have to thank our forum member, Dim@rik, for the additional info above, which I received from him.

polonus

@Dim@rik. Thank you for confirming this for us…really appreciate this…

Damian

P.S.

With NoScript in the browser you see: Please click the following link if you are not automatically redirected in 5 seconds:

htxp://otn.dsparking dot com/?epl=wMDQHsDqrAMenCsqQOa7osA-mL8SJBROkdzFf87jYWRgjeqR5GdG4aqvD1uIgCpTAg4nfFOSsQRuPrFXLGF4mx6nLNzZSQsfilWPp9Y9RBpiJBuUDIE3qa5e-Hsb3dvEk0CJs9HIVM2E9ubvO1WeOgHInIMaNkKSZgSi534WiFjluATNiSeQ5Bwx1w6Jj2kLTdPh7YO5N5pMTIwaGKJBTI_0VMO0qQhqesqGmPRk0qap3lDTo5ph6qmnqYiUACAg_v-_sHDQkvLvCQEAQIDfCwAA-2D-SllTJllBMTZoWkK4AAAA8A

We apologize for the inconvenience.

NoScript saved your day there…

D
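The earlier question in this thread about how to detect iframes on a site, and the “click the following link if you are not automatically redirected” text shown above when NoScript blocks the page’s script, can both be answered by inspecting the saved HTML without letting it run anything. The following is an added example, not code from this thread or from any of the scanners mentioned; it works on a constructed sample page modelled on a parked typo domain (placeholder hosts under parking.example, nothing fetched from the network) and lists the meta-refresh target, iframe and script sources, the noscript fallback link, and the third-party hosts they point at.

```python
# Static triage of saved HTML: meta-refresh targets, iframe/script sources and
# noscript fallback links, plus the third-party hosts they point to. No script runs.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageTriage(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.page_host = page_url, urlparse(page_url).hostname
        self.redirects, self.iframes, self.scripts, self.fallback_links = [], [], [], []
        self._in_noscript = False
    def _abs(self, url):  # resolve relative URLs so hosts compare correctly
        return urljoin(self.page_url, url.strip())
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""  # form: "5; url=http://..."
            pos = content.lower().find("url=")
            if pos != -1:
                self.redirects.append(self._abs(content[pos + 4:].strip("'\" ")))
        elif tag == "iframe" and a.get("src"):
            self.iframes.append(self._abs(a["src"]))
        elif tag == "script" and a.get("src"):
            self.scripts.append(self._abs(a["src"]))
        elif tag == "noscript":
            self._in_noscript = True
        elif tag == "a" and self._in_noscript and a.get("href"):
            # the "click here if not redirected" link a browser shows when JS is blocked
            self.fallback_links.append(self._abs(a["href"]))
    def handle_endtag(self, tag):
        if tag == "noscript":
            self._in_noscript = False
    def third_party_hosts(self):
        urls = self.redirects + self.iframes + self.scripts + self.fallback_links
        return sorted({urlparse(u).hostname for u in urls} - {self.page_host, None})

def triage(page_url, html):
    t = PageTriage(page_url)
    t.feed(html)
    return t

# Constructed sample modelled on the parked typo domain in the thread; hosts are placeholders.
PAGE_URL = "http://typo-domain.example/"
SAMPLE = """<html><head>
<meta http-equiv="refresh" content="5; url=http://otn.parking.example/?epl=PLACEHOLDER">
<script src="http://cdn.parking.example/redirect.js"></script></head><body>
<iframe src="http://ads.parking.example/frame" width="1" height="1"></iframe>
<noscript>Please click the following link if you are not automatically redirected in 5 seconds:
<a href="http://otn.parking.example/?epl=PLACEHOLDER">continue</a></noscript><a href="/local">same-site link</a></body></html>"""
```

Running `triage(PAGE_URL, SAMPLE)` on the sample lists the three parking.example hosts as third parties while the same-site link is ignored; feed it HTML saved from a scanner report or the browser’s page source in the same way.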

Exactly, that’s what I saw the first time. But - owing to my curiosity and need for reassurance - I typed gogole.dk again, and from my log I can see 4 visits to creditcards.dk within a very short period of time. The three following times, it was a plain-text list of obviously suspect links. Hovering over the NoScript icon these three visits, I remember seeing dsparking.com and dsultra.com as sites I could choose to allow (which I didn’t of course). I suspect the site looked different because the first visit had placed cookies on my computer which could identify me as a previous visitor and generate different content based on this, but I don’t know.

Now, with that in mind, do you think these subsequent visits have put me in danger, everything else considered? I know I’m asking a lot… sorry!

EDIT: Doublepost, meant to click modify and instead quoted, how does one delete a post btw?

The duplicate (earlier post has been removed).

You were no more at risk on the subsequent visits than you were on the first and none resulted in an alert by avast. Nor did your subsequent scans find anything.

Sorry if I’m getting on your nerves. :-[

I appreciate that you all have taken the time to respond, I really do.

That last post to polonus was just because the other visits didn’t look like what he described, only the first one. Second till fourth visit the site was a collection of links, so I was worried I had “gotten through” to the malicious content. But I’m guessing if he doesn’t respond, he doesn’t think that’s relevant.

Hi Paradoxian,

There is nothing for you to worry about in the realm of actual malware threatening your computer. Also NoScript is protecting you from undesirable javascript redirects. On the other hand the parked site is a pay per click fraud and also a phish. That is why I would stay away from domain parking sites as they are often being abused for such purposes…

polonus

So I shouldn’t be worried that the site looked different the second time? The site was still called “creditcards.dk” in the address field, but was a collection of links to other sites instead of a single link. Was that a “parked site” I visited? I didn’t interact with anything of course except for the seemingly legit Adblock+ pop-ups…