Infected site not alerted...or just heuristic flag?

Hi malware fighters,

Malware here: hxtp://www.fabulart.es/fiestas_infantiles.htm
c:\documents and settings\user\local settings\temporary internet files\content.ie5\k3rvotvy\pompas1[1].gif

another drive-by-download: hxtp://www.fabulart.es/gif%20y%20flash/pompas1.gif
Trojan gifname heuristic find - is this real?

polonus

VirusTotal - fiestas_infantiles.htm - 0/41
http://www.virustotal.com/analisis/15bece03028cf5ac9d647b204863ade4e8b00bade14c11ee191355666bad6b8e-1274907974

VirusTotal - pompas1.gif - 2/41
http://www.virustotal.com/analisis/aae22a23df3c3d24bee261faaea2078cf40bf3c32a24694b70c881b74bc28a1b-1274907956

Hi Pondus,

Consider these analyses: http://www.threatexpert.com/report.aspx?md5=4bc97963aa56265260f613d9f211780a
and then this one as well:
http://www.threatexpert.com/report.aspx?md5=9a68f2d69db600e59fa046f04d6da847

pol

okay, I guess we got another case of Avast not doing its job :) …doesn’t sound too good…

if it is a gif with an iframe at the end, then it is benign afaik (it seems to be, regarding the VT analysis)…

depends where the iframe is going…

Hi Logos,

Tried to find that out via the bad iFrame checker:
No zeroiframes detected!
Check took 3.51 seconds

(Level: 0) Url checked:
htxp://www.fabulart.es/gif%20y%20flash/pompas1.gif
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (iframe source)
htxp://adforce.imgis.com/?adiframe|2.0|34|136702|1|1|adforce;
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://ads2.drivelinemedia.com/html.ng/params.richmedia=yes&group=park&cid=201384&position=footbanner1&sid=imgis.com&search=information+systems&adsize=728x90&supercat=other&cat=other&subcat=other&country=fi&domain=imgis.com&transactionid=3525775534176841057&city=null&st=null&bizcat=null&refine=null
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (script source)
htxp://adforce.imgis.com//inc/homepage.js
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
htxp://adforce.imgis.com/?addyn|2.0|34|136702|1|1|adforce;loc=700;
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 2) Url checked: (iframe source)
htxp://ads2.drivelinemedia.com/html.ng/params.richmedia=yes&group=park&cid=201384&position=footbanner1&sid=imgis.com&search=information+systems&adsize=728x90&supercat=other&cat=other&subcat=other&country=fi&domain=imgis.com&transactionid=3525775548856840066&city=null&st=null&bizcat=null&refine=null
Blank page / could not connect
No ad codes identified

(Level: 2) Url checked: (script source)
htxp://adforce.imgis.com//inc/homepage.js
Blank page / could not connect
No ad codes identified

Then the attached code is at least suspicious to me, see: htxp://jsunpack.jeek.org/dec/go?report=227105a447255b7fa44fadb57890abae9dca0a55

polonus
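The question running through this thread is whether a GIF with HTML glued on after the image trailer is a real threat or a heuristic false positive, and the answer hinges on what comes after the trailer and where any iframe in it points. The following is an added example, not code posted by anyone in the thread and not output of any of the tools mentioned: it walks the GIF block structure to find the logical end of the image (the 0x3B trailer), returns whatever bytes follow it, and lists any iframe tags in that tail together with their src and whether the tag is sized or styled to be invisible. The sample GIF and the appended HTML (including the example.invalid hostname) are constructed here for the demonstration. A GIF decoder stops at the trailer, so appended HTML leaves the image intact; the tail only does anything if the file is served or sniffed as HTML, which is why the destination of the iframe, not the presence of trailing bytes, is the thing to check.

```python
import re
import struct

GIF_HEADERS = (b"GIF87a", b"GIF89a")
GIF_TRAILER = 0x3B

# Tag-level patterns for the appended HTML (simple, deliberately permissive)
IFRAME_TAG_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)
SRC_RE = re.compile(rb"\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)
HIDDEN_RE = re.compile(
    rb"\b(?:width|height)\s*=\s*['\"]?0\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)


def gif_logical_end(data: bytes) -> int:
    """Return the offset just past the GIF trailer byte (0x3B).

    Walks header, logical screen descriptor, colour tables, extensions and
    image blocks. Raises ValueError for non-GIF or truncated input.
    """
    if data[:6] not in GIF_HEADERS:
        raise ValueError("not a GIF header")
    # Logical Screen Descriptor: width(2) height(2) packed(1) bg(1) aspect(1)
    _width, _height, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:  # Global Color Table present: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))

    def skip_subblocks(p: int) -> int:
        # Sub-block chain: size byte followed by that many bytes, 0x00 ends it
        while True:
            if p >= len(data):
                raise ValueError("truncated sub-block chain")
            size = data[p]
            p += 1
            if size == 0:
                return p
            p += size

    while True:
        if pos >= len(data):
            raise ValueError("no trailer found")
        block = data[pos]
        if block == GIF_TRAILER:
            return pos + 1
        if block == 0x2C:  # Image Descriptor (10 bytes), packed field is last
            packed = data[pos + 9]
            pos += 10
            if packed & 0x80:  # Local Color Table
                pos += 3 * (2 << (packed & 0x07))
            pos += 1  # LZW minimum code size
            pos = skip_subblocks(pos)
        elif block == 0x21:  # Extension: label byte, then sub-blocks
            pos = skip_subblocks(pos + 2)
        else:
            raise ValueError(f"unexpected block byte 0x{block:02x} at offset {pos}")


def iframes_in(payload: bytes) -> list:
    """List iframe tags in the trailing bytes with their src and a hidden flag."""
    found = []
    for tag in IFRAME_TAG_RE.findall(payload):
        m = SRC_RE.search(tag)
        found.append({
            "src": m.group(1).decode("latin-1") if m else None,
            "hidden": HIDDEN_RE.search(tag) is not None,
        })
    return found


def analyse_gif(data: bytes) -> dict:
    """Split a file into the real GIF and whatever was appended after the trailer."""
    end = gif_logical_end(data)
    tail = data[end:]
    return {
        "image_bytes": end,
        "trailing_bytes": len(tail),
        "iframes": iframes_in(tail),
    }


# Constructed sample: a valid 1x1 GIF89a (43 bytes) ...
CLEAN_GIF = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00"      # header + screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                     # 2-entry global colour table
    + b"\x21\xf9\x04\x01\x00\x00\x00\x00"             # graphic control extension
    + b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00"     # image descriptor
    + b"\x02\x02\x44\x01\x00"                         # LZW data
    + b"\x3b"                                         # trailer
)
# ... and a constructed HTML tail with a zero-sized iframe to a placeholder host.
APPENDED_HTML = (
    b'<html><body><iframe src="http://example.invalid/ad" width="0" height="0">'
    b"</iframe></body></html>"
)

if __name__ == "__main__":
    print(analyse_gif(CLEAN_GIF))
    print(analyse_gif(CLEAN_GIF + APPENDED_HTML))
```

Run it against a downloaded file by reading it in binary mode and passing the bytes to analyse_gif; a clean image reports trailing_bytes of 0, and anything else is worth reading by hand before deciding whether the heuristic hit was real.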