polonus
December 14, 2011, 10:50pm
1
This site, -http://kaspersky.ee, is on Dr.Web's malicious sites list!
See: http://urlquery.net/report.php?id=11916
See suspicious code there: -www.google-analytics.com/ga.js suspicious
[suspicious:2] (ipaddr:72.14.204.101) (script) -www.google-analytics.com/ga.js
status: (referer=kaspersky dot ee/)saved 32614 bytes 3f31577e302ac3a4836068cc4777677bf2677855
info: [decodingLevel=0] found JavaScript
suspicious: maxruntime exceeded 10 seconds (incomplete) 0 bytes
bad iFrame scanner results:
No zeroiframes detected!
Check took 1.50 seconds
(Level: 0) Url checked:
-http://kaspersky.ee
Zeroiframes detected on this site: 0
(Level: 1) Url checked: (script source)
-http://kaspersky.ee/templates/kaspersky_ee/js/dynapi.js
Zeroiframes detected on this site: 0
(Level: 2) Url checked: (script source)
-http://kaspersky.ee/templates/kaspersky_ee/js/path_to_script/dhtmlapi.js
Blank page / could not connect
(Level: 1) Url checked: (script source)
-http://kaspersky.ee/templates/kaspersky_ee/js/func.js
Zeroiframes detected on this site: 0
(Level: 1) Url checked: (script source)
-http://kaspersky.ee/templates/kaspersky_ee/js/stm31.js
Zeroiframes detected on this site: 0
(Level: 1) Url checked: (script source)
-http://kaspersky.ee///mc.yandex.ru/metrika/watch_visor.js
Blank page / could not connect
polonus
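The scanner output above does two things worth being able to reproduce offline: it follows each `<script src>` on the page one level deep, and it runs a "zeroiframe" check for hidden injected frames. The Python below is an added example of both checks, not urlquery's code or the poster's tool. The sample HTML is constructed for illustration (the iframe targets use the reserved `example.invalid` host), and the hidden-iframe heuristic (zero/one-pixel size or an inline `display:none`/`visibility:hidden`) is an assumption about what such scanners look for. It also resolves the protocol-relative `//mc.yandex.ru/...` source with `urljoin`, which avoids the `http://kaspersky.ee///mc.yandex.ru/...` mis-resolution that produced the "could not connect" line above.

```python
"""Added example: static script-source and hidden-iframe check.

Not the urlquery scanner or the forum poster's tool; SAMPLE_HTML below is
constructed for illustration and the iframe heuristic is an assumption.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Constructed sample page: three script sources (relative, protocol-relative,
# absolute third-party) and three iframes, two of which are hidden.
SAMPLE_HTML = """<html><head>
<script src="templates/kaspersky_ee/js/dynapi.js"></script>
<script src="//mc.yandex.ru/metrika/watch_visor.js"></script>
<script src="http://www.google-analytics.com/ga.js"></script>
</head><body>
<iframe src="http://example.invalid/x" width="0" height="0"></iframe>
<iframe src="http://example.invalid/y" style="display: none"></iframe>
<iframe src="http://example.invalid/z" width="300" height="200"></iframe>
</body></html>"""


class TagCollector(HTMLParser):
    """Collect raw <script src> values and <iframe> attribute dicts."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.append(a["src"])
        elif tag == "iframe":
            self.iframes.append(a)


def dimension(value):
    """Parse a width/height attribute ('0', '0px', '1%') to an int, or None."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


def is_zero_iframe(attrs):
    """Assumed hidden-iframe heuristic: <=1px in either dimension, or hidden by style."""
    w, h = dimension(attrs.get("width")), dimension(attrs.get("height"))
    if (w is not None and w <= 1) or (h is not None and h <= 1):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def scan(page_url, html):
    """Return (resolved script URLs, third-party script hosts, hidden iframes)."""
    c = TagCollector()
    c.feed(html)
    base_host = urlparse(page_url).hostname
    # urljoin resolves '//host/path' against the scheme only, so a
    # protocol-relative src does not get glued onto the page's own host.
    script_urls = [urljoin(page_url, s) for s in c.scripts]
    hosts = {urlparse(u).hostname for u in script_urls}
    third_party = sorted(h for h in hosts if h and h != base_host)
    hidden = [a for a in c.iframes if is_zero_iframe(a)]
    return script_urls, third_party, hidden


if __name__ == "__main__":
    urls, tp, hidden = scan("http://kaspersky.ee/", SAMPLE_HTML)
    for u in urls:
        print("(Level: 1) script source:", u)
    print("Third-party script hosts:", tp)
    print("Zeroiframes detected on this site:", len(hidden))
```

Feeding the fetched page body of a real site to `scan()` gives the list of script hosts to check against a blocklist, and a non-zero hidden-iframe count is the signal the "bad iFrame scanner" above was looking for.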
Donovan
December 14, 2011, 11:55pm
2
Hosts a link to hxxp://3dnews.ee.
VT Results: http://www.virustotal.com/file-scan/report.html?id=a6e0b36e80056c870b9b75dc0111e0ec1acfd48ccca7f7519bb80543581d214c-1323904048
I explored this (3dnews.ee) site’s coding and it hosts links to other sites that host links to other sites. They also have a loaded javascript file on the homepage.
Isn’t google-analytics.com/ga.js the Google tracking javascript?
polonus
December 15, 2011, 12:36am
3
Hi Donovansrb10,
Thanks for delving further into that and for the heads-up on the issue. Also a good thing avast (& Gdata) is the only one to flag it as JS:Downloader-AXK [Trj].
polonus
system
December 15, 2011, 12:40am
4
I'm also using DNS/Norton on the router and it allowed the traffic.
polonus
December 15, 2011, 12:47am
6
Hi razoreqx,
That is why it should be blacklisted; well, DrWeb has already put it on the malicious sites list, as they apparently know that part of the malware theater. Malware links from IP 92.62.98.10 are probably all dead now. The site served up PHP/BackDoor.AR, PHP.Agent-4, and unknown_html_RFI.
@donovansrb10 -http://3dnews.ee redirects to -http://www.3dnews.ee/est/
polonus
system
December 15, 2011, 1:08am
7
Hi razoreqx,
That is why it should be blacklisted; well, DrWeb has already put it on the malicious sites list, as they apparently know that part of the malware theater. Malware links from IP 92.62.98.10 are probably all dead now. The site served up PHP/BackDoor.AR, PHP.Agent-4, and unknown_html_RFI.
polonus
Found the same in my VM as well… I reported that up to DNS/Norton as well.
Nice find, btw.