system
1
When I visit the site - hxxp://naijalatest.net/birds.php (“tt” changed to “xx” to prevent clicks) - I get a trojan warning popup from avast:
http://novelhost.net/trojan.jpg
However, after visiting some of the blacklist sites (like URLvoid.com), I see no listing of this site being blacklisted. If this is a false-positive, what has to be done to remove the page from the avast blockages? Or, if it’s a genuine blacklisted site, upon whose authority was it blacklisted (URL, please)?
Regards,
Alec
Hi AlecWest,
First, please change http:// to hXtp:// in your previous post to avoid accidental clicks.
A site that isn’t blacklisted does not make it not malicious.
The detection is indeed correct; there is a server redirect. See: http://urlquery.net/report.php?id=2211430
~!Donovan
system
3
By the same token, a server redirect does not necessarily make a site (or the redirected site) toxic.
So, avast will flag a site, merely because it redirects to another site? Perhaps I’m missing something. My inquiry here is based on the fact that (at least) two people I know have visited the site and it was not blocked by their antivirus software … nor have their computers been compromised in any way that their antivirus software can detect.
Regards,
Alec
Telling you of the server redirect relates to the warning given by avast.
If you scan the redirected url with URLVoid, you’ll see that it’s blacklisted.
http://www.urlvoid.com/scan/com-businesstimesblog.net/
The redirect pattern is as follows: indexer.php?a=[6 digits]&c=jobcpc&s=hr
~!Donovan
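The redirect pattern Donovan quotes is a usable detection signature. The following is an added example (not code from the thread or from avast): it parses URLs against that pattern and runs it over a few constructed proxy-log lines, so a defender can flag clients that were bounced through the redirect. The log format and the domain `redirect-target.example` are assumptions made for the example.

```python
import re
from urllib.parse import urlparse, parse_qs

# Signature from the thread: indexer.php?a=[6 digits]&c=jobcpc&s=hr
SIX_DIGITS = re.compile(r"\d{6}")


def matches_redirect_pattern(url: str) -> bool:
    """Return True when url matches the indexer.php redirect signature."""
    parsed = urlparse(url)
    if not parsed.path.endswith("/indexer.php"):
        return False
    query = parse_qs(parsed.query)
    a_value = query.get("a", [""])[0]
    return (SIX_DIGITS.fullmatch(a_value) is not None
            and query.get("c") == ["jobcpc"]
            and query.get("s") == ["hr"])


# Constructed sample proxy log (not real traffic): "<time> <client> <status> <url>"
SAMPLE_LOG = """\
2013-04-10T10:01:02 10.0.0.5 200 http://shop.example/index.php?item=42
2013-04-10T10:01:03 10.0.0.7 302 http://redirect-target.example/indexer.php?a=123456&c=jobcpc&s=hr
2013-04-10T10:01:04 10.0.0.7 200 http://redirect-target.example/indexer.php?a=12&c=jobcpc&s=hr
"""


def find_redirect_hits(log_text: str) -> list:
    """Return (client, url) pairs whose URL matches the redirect signature."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; skip rather than crash
        client, url = fields[1], fields[3]
        if matches_redirect_pattern(url):
            hits.append((client, url))
    return hits


if __name__ == "__main__":
    for client, url in find_redirect_hits(SAMPLE_LOG):
        print(f"redirect signature hit: client={client} url={url}")
```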
system
5
Hmm. 1 database (spamhaus.org) shows it blacklisted, the other 30 databases do not. So, avast blocks a site based on the say-so of 1 out of 31 databases? I’m not saying this blockage was unwise. But spamhaus.org has been known to be “heavy-handed” in the past in adding sites they don’t like to their database. I suspect that, in part, that’s why the hacking group “Anonymous” subjected them to DDOS attacks last month.
Thanks for your replies, though.
Regards,
Alec
AFAIK, avast! software does not rely on any specific blacklist.
~!Donovan
system
7
But according to the link you provided me in your last post, and out of the 31 databases listed, only spamhaus.org’s database had them blacklisted. Was there another factor used by avast in determining that the site should be blocked? BTW, if you don’t recall, spamhaus.org listed “Amazon.com” on one of their 2010 blacklists (sigh). It was later discovered to be a false-positive.
Regards,
Alec
This would be funny if it wasn’t so sad. This morning, I received an email from avast! support. It had this subject line (“xx” substituted for “tt” to block link):
And, their message to me read as follows:
avast!: Message body was removed because it contained a virus.
Yup, hehe, either support sent me a message that included a virus … or the nature of their message referred to a false-positive that avast! “still” considers toxic. So, whatever avast! support wanted to say to me was lost due to (ahem) avast! sending it into quarantine.
Oh, well. They tried. 8)
Regards,
Alec
Report to virus analysts.
Detection seems to be correct – there is a redirection to “com-businesstimesblog.net”, which is blocked.
Thanks Milos.
I just did. But this is apparently not a “Trojan Horse” problem. It’s the way “avast!” alerts customers that the referred site is considered a fraudulent site. And this issue has been talked about as an “avast!” problem since 2011. For example:
http://forums.majorgeeks.com/showthread.php?t=235875
…and…
http://www.bleepingcomputer.com/forums/t/390551/htmlredirmeinf-trj/
In any case, I just asked support to close their support ticket. I got a repeat of their May 2nd email - which I couldn’t read either because “avast!” (on my computer) blocked ITS OWN EMAIL - sending it to the virus vault.
Regards,
Alec
system
11
I get the same “virus” detection on the domain: http://www.hopper.pw which is a well known reputable website. Here is a scan on virustotal
Why is this still a false negative after years of false reports?!?
polonus
12
I see an IDS alert for 2014-12-12 21:34:17 2 urlQuery Client 185.21.103.153 ET INFO HTTP Request to a *.pw domain
There has been a rise in malicious .pw URLs being used in spam.
Read: http://www.domainregistration.com.au/news/2013/1305-pw-domain-spam.php
It is not the .pw domain as such that is malicious; it is where you land that is.
These domains are also abused for the Nuclear Pack exploit kit.
Site has been compromised and is most probably harmful → http://sitecheck.sucuri.net/results/www.hopper.pw#sitecheck-details
Hosting report: http://w3bin.com/domain/hopper.pw
FAIL: Found differences between information provided by your authoritative name servers and glue provided by the parent name servers
& WARNING: Found stealth name servers:
ns.as-webservices.de.:
→ http://www.dnsinspect.com/hopper.pw/1418417178 hosted on a dedicated server: http://whois.domaintools.com/hopper.pw
avast also warns on: htxps://ipv4.www.hopper.pw/detectip/5h9if41c92gw6sasoqeidgyf1xy2d7el/
ISSUES → https://www.ssllabs.com/ssltest/analyze.html?d=hopper.pw
Vulnerable to the POODLE attack via magnific-popup/ code. Insecure and weak intermediate certificate.
Suspicious in code (hiccup):
netdna dot bootstrapcdn dot com/bootstrap/3.0.0/js/bootstrap.min.js benign
[nothing detected] (script) netdna.bootstrapcdn dot com/bootstrap/3.0.0/js/bootstrap.min.js
status: (referer=ipv4.wXw.hopper.pw/)saved 27726 bytes 75a42212affc118fef849aba4b9326a7da2acda1
info: [decodingLevel=0] found JavaScript
suspicious:
error: undefined variable head
info: [element] URL=api.github dot com/repos/asmaps/hopper dot pw?callback=callback
info: [1] no JavaScript
polonus
HonzaZ
14
I do not see any malicious activity on hopper.pw, so I am unblocking it now.