Heuristic.BehavesLike.JS.Suspicious.G detected?

See: http://killmalware.com/681-beauty.com-cst.net/
PHISH and malware: https://www.virustotal.com/nl/url/8dee350dca6d4a98c118f5d9a21fc70998ebe1aaff8ff7831d4a72fa7d18b347/analysis/1432898003/
Detected at Sucuri's → Known JavaScript malware. Details: http://labs.sucuri.net/db/malware/mwjs-iframe-injected530?v22
Blacklisted domain by ESET. PHP files - Stolen FTP password.
Code obfuscator: http://www.colddata.com/developers/online_tools/obfuscator.shtml → web creator code…
Quttera fails to detect website. → http://www.domxssscanner.com/scan?url=http%3A%2F%2F681-beauty.com-cst.net%2Fintiwbd%2Fdeiwbd%2F - So when you create content via XSS on that page, you can access the functions in the .js file.  

polonus

Sucuri https://sitecheck.sucuri.net/results/681-beauty.com-cst.net/intiwbd/deiwbd/

deiwbd.htm
https://www.virustotal.com/nb/file/91cf90dccae8004db4a08ec6afa359ab0c9384b6d16bdfc2c13f00a789da7713/analysis/1432909406/

short URL - hxxp://681-beauty.com-cst.net, McAfee detects
https://www.virustotal.com/nb/file/f1afc89d3ae1728f0f7ebd597ff716f2185e167619a17fe307083d5ef2674cc2/analysis/1432909742/

Here is the alleged live and up malware, Pondus.
See: http://support.clean-mx.de/clean-mx/viruses.php?ip=91.221.67.94&sort=
on and alive for 593.9 hrs now. OVERDUE!
Seems not in namespace, which is suspicious: 999-healthandbeauty.com-eem.net, Not in namespace, Malformed Domain or IP.

OIO data -> Server IP(s):
213.163.64.84
158.255.3.35
213.163.64.85
158.255.3.34

=========================
HTTP headers: 

HTTP/1.1 200 OK
Server: nginx
Date: Fri, 29 May 2015 14:46:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 3283
Connection: close
X-Powered-By: PHP/5.3.28
Set-Cookie: AFFID=266107; expires=Sun, 28-Jun-2015 14:46:24 GMT; path=/; domain=.com-cst.net
Set-Cookie: SID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.com-cst.net 

Confirmed malicious URL: https://threatcenter.crdf.fr/?MoreDomains&ID=11870562

pol
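The response headers quoted in the post above carry several indicators on their own: the X-Powered-By line discloses the PHP branch, and both Set-Cookie lines are scoped to the parent domain `.com-cst.net` with no HttpOnly or Secure flag, so any script injected on one of the throwaway subdomains can read the affiliate ID cookie. The following script is an added example, not code from the thread or any of its participants: it parses a raw header block (the sample embedded here is constructed from the headers quoted above) and lists those findings. The end-of-life threshold for PHP (anything below 5.4, since 5.3 support ended in 2014) and the check that treats a 1970 expiry as a cookie deletion are this example's own assumptions.

```python
import re

# Constructed sample input: the response headers quoted in the post above,
# embedded inline so the script runs offline.
RAW_HEADERS = """HTTP/1.1 200 OK
Server: nginx
Date: Fri, 29 May 2015 14:46:24 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 3283
Connection: close
X-Powered-By: PHP/5.3.28
Set-Cookie: AFFID=266107; expires=Sun, 28-Jun-2015 14:46:24 GMT; path=/; domain=.com-cst.net
Set-Cookie: SID=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/; domain=.com-cst.net
"""


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) keeping repeated headers in order."""
    lines = [line for line in raw.splitlines() if line.strip()]
    status = lines[0]
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_findings(value):
    """Inspect one Set-Cookie value and return a list of human-readable findings."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, _ = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()

    # Assumption: an expiry year before 2000 means the server is clearing the
    # cookie, so the flag checks below would be meaningless for it.
    match = re.search(r"\b(19\d\d|20\d\d)\b", attrs.get("expires", ""))
    if match and int(match.group(1)) < 2000:
        return [f"cookie {name} is being cleared (expires {attrs['expires']})"]

    findings = []
    domain = attrs.get("domain", "")
    if domain.startswith("."):
        findings.append(f"cookie {name} is scoped to {domain}, so every subdomain can read and set it")
    if "httponly" not in attrs:
        findings.append(f"cookie {name} lacks HttpOnly, so injected script can read it")
    if "secure" not in attrs:
        findings.append(f"cookie {name} lacks Secure, so it is sent over plain HTTP")
    return findings


def triage(raw):
    """Walk the headers and collect version-disclosure and cookie findings."""
    _, headers = parse_headers(raw)
    findings = []
    for name, value in headers:
        if name in ("server", "x-powered-by"):
            match = re.search(r"([A-Za-z]+)/(\d+)\.(\d+)", value)
            if match:
                product = match.group(1)
                major, minor = int(match.group(2)), int(match.group(3))
                findings.append(f"{name} discloses {product} {major}.{minor}")
                # Assumption: treat PHP branches below 5.4 as end-of-life
                # (5.3 support ended in 2014, before these headers were captured).
                if product.lower() == "php" and (major, minor) < (5, 4):
                    findings.append(f"PHP {major}.{minor} is an end-of-life branch")
        elif name == "set-cookie":
            findings.extend(cookie_findings(value))
    return findings


if __name__ == "__main__":
    for finding in triage(RAW_HEADERS):
        print("-", finding)
```

Run it as-is to triage the quoted headers, or feed it the output of `curl -sI` against any other host you are examining; `Server: nginx` without a version produces no disclosure finding, which is the behaviour you want when the operator has trimmed the banner.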

McAfee is correct

F-Secure says:

The file you sent was found to be malicious. We will be detecting the sample you submitted as Trojan.JS.Agent.JOP in the next database update.

Hi Pondus,

Good we have detection confirmed and so there is protection. Will Avast also detect?

polonus

Yup, we block com-cst.net since 21.4.