Hidden iFrame destination down?

See: http://killmalware.com/fsy.me/#
Verified clean: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Ffsy.me
Given as benign: http://zulu.zscaler.com/submission/show/5425c2a7a89441f93bbfab291b704ccb-1393970554
See IP info: https://www.virustotal.com/nl/ip-address/54.248.125.234/information/
This is an interesting scan: http://urlquery.net/report.php?id=9770457 IDS alert for Detected Neutrino exploit kit URL pattern
going to wXw.lofter.com
http://jsunpack.jeek.org/?report=b3da5cfa026db91b5a298b37737461f64fdccb11
Fraud and scam: http://www.malwareurl.com/ns_listing.php?ns=f1g1ns1.dnspod.net

pol

Unmaskparasites http://www.UnmaskParasites.com/security-report/?page=fsy.me

no html detection
https://www.virustotal.com/en/file/cd754bf9b75a4f192495999389c77503a25c73449b58111224511d3c20a45556/analysis/1393971779/

urlQuery now http://urlquery.net/report.php?id=9770596
earlier today 2014-03-04 23:12:16 Detected Neutrino exploit kit URL pattern http://urlquery.net/report.php?id=9770457

  • Recent reports on same IP/ASN/Domain

Hi Pondus,

Thanks for checking this for us all. We look a bit deeper then at what Unmask Parasites is flagging.
Here we go.
Actually there are two suspicious scripts there:
http://jsunpack.jeek.org/?report=8669262b9aafa303961da9cdb7000deec9fec732
and
http://jsunpack.jeek.org/?report=5375e6dd0b64121ebafe2890c8ed866641032e98

Above given scripts seem to curve the bends a little.
Are they actually bad as we see it also here,
and I think we are entering the adware realm.

: hXtp://websniffer.mynetworkisrich.com/en/tools/websniffer-report/gudugroup.com/
Do not follow the advice to disable ABP on site! That is why I broke the link with hxtp!
See the anchor 私信 wXw.lofter.com/message/gudugroup with a no-follow.
The urlquery dot com scan flags the lofter dot com script also with a yellow.
And I see that avast! has not blocked htxp://tianbing.hk/ with a detected Neutrino exploit kit URL pattern
Site is infested: wXw.tianbing.hk,54.248.125.234,Criminals, according to http://www.kleissner.org/virustracker.html
that means that malware there is active and up.

polonus

You were correct, polonus

Checked by Norman lab and detection was added
fsy.me.htm: Redirector.NC

Hi Pondus,

Reported to base,

pol