HTML:RedirME-inf [trj]

When I visit the site - hxxp://naijalatest.net/birds.php (“tt” changed to “xx” to prevent clicks) - I get a trojan warning popup from avast:

http://novelhost.net/trojan.jpg

However, after visiting some of the blacklist sites (like URLvoid.com), I see no listing of this site being blacklisted. If this is a false-positive, what has to be done to remove the page from the avast blockages? Or, if it’s a genuine blacklisted site, upon whose authority was it blacklisted (URL, please)?

Regards,
Alec

Hi AlecWest,

First, please change http:// to hXtp:// in your previous post to avoid accidental clicks.

A site not being blacklisted does not make it non-malicious.

The detection is indeed correct; there is a server redirect. See: http://urlquery.net/report.php?id=2211430

~!Donovan

By the same token, a server redirect does not necessarily make a site (or the redirected site) toxic.

So, avast will flag a site, merely because it redirects to another site? Perhaps I’m missing something. My inquiry here is based on the fact that (at least) two people I know have visited the site and it was not blocked by their antivirus software … nor have their computers been compromised in any way that their antivirus software can detect.

Regards,
Alec

Telling you of the server redirect relates to the warning given by avast.

If you scan the redirected url with URLVoid, you’ll see that it’s blacklisted.
http://www.urlvoid.com/scan/com-businesstimesblog.net/

The redirect pattern is as follows: indexer.php?a=[6 digits]&c=jobcpc&s=hr

~!Donovan

Hmm. 1 database (spamhaus.org) shows it blacklisted, the other 30 databases do not. So, avast blocks a site based on the say-so of 1 out of 31 databases? I’m not saying this blockage was unwise. But spamhaus.org has been known to be “heavy-handed” in the past in adding sites they don’t like to their database. I suspect that, in part, that’s why the hacking group “Anonymous” subjected them to DDoS attacks last month.

Thanks for your replies, though.

Regards,
Alec

AFAIK, avast! software does not rely on any specific blacklist.

~!Donovan

But according to the link you provided me in your last post, and out of the 31 databases listed, only spamhaus.org’s database had them blacklisted. Was there another factor used by avast in determining that the site should be blocked? BTW, if you don’t recall, spamhaus.org listed “Amazon.com” on one of their 2010 blacklists (sigh). It was later discovered to be a false-positive.

Regards,
Alec

This would be funny if it wasn’t so sad. This morning, I received an email from avast! support. It had this subject line (“xx” substituted for “tt” to block link):

And, their message to me read as follows:

avast!: Message body was removed because it contained a virus.

Yup, hehe, either support sent me a message that included a virus … or the nature of their message referred to a false-positive that avast! “still” considers toxic. So, whatever avast! support wanted to say to me was lost due to (ahem) avast! sending it into quarantine.

Oh, well. They tried. 8)

Regards,
Alec

Report to virus analysts.

Detection seems to be correct; there is a redirection to “com-businesstimesblog.net”, which is blocked.

Thanks Milos.

I just did. But this is apparently not a “Trojan Horse” problem. It’s the way “avast!” alerts customers that the referred site is considered a fraudulent site. And this issue has been talked about as an “avast!” problem since 2011. For example:

http://forums.majorgeeks.com/showthread.php?t=235875
…and…
http://www.bleepingcomputer.com/forums/t/390551/htmlredirmeinf-trj/

In any case, I just asked support to close their support ticket. I got a repeat of their May 2nd email - which I couldn’t read either because “avast!” (on my computer) blocked ITS OWN EMAIL - sending it to the virus vault.

Regards,
Alec

I get the same “virus” detection on the domain: http://www.hopper.pw which is a well known reputable website. Here is a scan on virustotal

Why is this still a false negative after years of false reports?!?

I see an IDS alert: 2014-12-12 21:34:17 2 urlQuery Client 185.21.103.153 ET INFO HTTP Request to a *.pw domain
There has been a rise in malicious .pw URLs being used in spam.
Read: http://www.domainregistration.com.au/news/2013/1305-pw-domain-spam.php
It is not the .pw domain as such that is malicious; it is where you land that is.
These domains are also abused for the Nuclear Pack exploit kit.
Site has been compromised and is most probably harmful → http://sitecheck.sucuri.net/results/www.hopper.pw#sitecheck-details
Hosting report: http://w3bin.com/domain/hopper.pw
FAIL: Found differences between information provided by your authoritative name servers and glue provided by the parent name servers
& WARNING: Found stealth name servers: ns.as-webservices.de.
http://www.dnsinspect.com/hopper.pw/1418417178 – hosted on a dedicated server: http://whois.domaintools.com/hopper.pw
avast also warns on: htxps://ipv4.www.hopper.pw/detectip/5h9if41c92gw6sasoqeidgyf1xy2d7el/

ISSUES → https://www.ssllabs.com/ssltest/analyze.html?d=hopper.pw
Vulnerable to the POODLE attack via magnific-popup/ code. Insecure and weak intermediate certificate.

Suspicious code hiccup:
netdna dot bootstrapcdn dot com/bootstrap/3.0.0/js/bootstrap.min.js benign
[nothing detected] (script) netdna.bootstrapcdn dot com/bootstrap/3.0.0/js/bootstrap.min.js
status: (referer=ipv4.wXw.hopper.pw/)saved 27726 bytes 75a42212affc118fef849aba4b9326a7da2acda1
info: [decodingLevel=0] found JavaScript
suspicious:
error: undefined variable head
info: [element] URL=api.github dot com/repos/asmaps/hopper dot pw?callback=callback
info: [1] no JavaScript

polonus
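As an added example (not code from the thread or from avast), here is how the URL indicators the posters describe could be checked in a small Python classifier: Donovan’s redirect pattern `indexer.php?a=[6 digits]&c=jobcpc&s=hr`, the blocked redirect target `com-businesstimesblog.net`, and the `*.pw` TLD that the quoted IDS signature reports at INFO severity. The sample URLs are constructed for illustration; `example.invalid` hostnames are placeholders and nothing here was observed in real traffic.

```python
"""Added example: classify URLs against the indicators named in the thread.
Not part of the original posts; sample URLs below are constructed."""
import re
from urllib.parse import urlparse, parse_qs

# Redirect target named in the thread as blocked.
BLOCKED_DOMAINS = {"com-businesstimesblog.net"}
# TLDs the quoted IDS rule reports at INFO severity (not malicious by themselves).
INFO_TLDS = {"pw"}
A_PARAM_RE = re.compile(r"^\d{6}$")


def match_redirect_pattern(url: str) -> bool:
    """True if the URL matches indexer.php?a=[6 digits]&c=jobcpc&s=hr.
    Parameter order is ignored and extra parameters are tolerated, so
    a minor reordering by the redirector does not evade the match."""
    parts = urlparse(url)
    if not parts.path.endswith("/indexer.php"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)
    a = qs.get("a", [])
    return (len(a) == 1 and bool(A_PARAM_RE.match(a[0]))
            and qs.get("c") == ["jobcpc"] and qs.get("s") == ["hr"])


def classify(url: str) -> tuple:
    """Return (severity, reason); severity is 'block', 'info' or 'clean'."""
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    # The blocked domain and any subdomain of it.
    for d in BLOCKED_DOMAINS:
        if host == d or host.endswith("." + d):
            return "block", f"redirect target {d} is blocked"
    if match_redirect_pattern(url):
        return "block", "matches indexer.php?a=[6 digits]&c=jobcpc&s=hr"
    tld = host.rsplit(".", 1)[-1] if "." in host else ""
    if tld in INFO_TLDS:
        return "info", f"HTTP request to a *.{tld} domain"
    return "clean", ""


# Constructed sample URLs (assumption: not observed traffic). Only
# com-businesstimesblog.net and hopper.pw are domains named in the thread.
SAMPLE_URLS = [
    "http://example.invalid/indexer.php?a=123456&c=jobcpc&s=hr",
    "http://example.invalid/indexer.php?a=12345&c=jobcpc&s=hr",   # a has 5 digits
    "http://tracker.com-businesstimesblog.net/landing",
    "http://www.hopper.pw/",
    "http://example.invalid/index.php?a=123456&c=jobcpc&s=hr",    # wrong script name
]


def scan(urls):
    """Classify each URL; returns a list of (url, severity, reason)."""
    return [(u, *classify(u)) for u in urls]


if __name__ == "__main__":
    for url, sev, why in scan(SAMPLE_URLS):
        print(f"{sev:5} {url} {why}")
```

Parsing the query string with `parse_qs` rather than matching the raw URL with one regex is deliberate: it keeps the check from being evaded by parameter reordering or an extra parameter, while still requiring exactly six digits in `a`.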

http://i.imgur.com/DOzkE8R.png

Hello

Tested; the link is being blocked by Kaspersky,
as shown in

https://www.virustotal.com/en-gb/url/1a6d2553ec47deb068bad9052ceba1e1e54a759e4e75a74751e8a805ff02c01a/analysis/1453578921/

Detection is by KSN cloud

http://quttera.com/detailed_report/www.isumm.ro

hxxp://localtimes.info/wp_clock.php?country=Romania&province=&city=Baia+Mare&cp3_Hex=963939&cp2_Hex=&cp1_Hex=000000&hbg=1&ham=0&fwdt=150&widget_number=100

TLD Risk info 100

http://zulu.zscaler.com/submission/show/34605fb1d15eb063d0fff1e13318ee26-1453579844

The domain is hosted on hijacked DNS:

ns2.afraid.org
ns1.afraid.org
ns3.afraid.org
ns4.afraid.org

https://freedns.afraid.org/domain/dnstrace.php?domain=http%3A%2F%2Fwww.isumm.ro%2F&submit=Trace

I do not see any malicious activity on hopper.pw, so I am unblocking it now. :wink: