Is this site secure?

See: 653077 2012-10-27 bit dot ly 69.58.188.39 69.58.188.40 30060 30060 htxp://bit.ly/OtoduX on Live Badmaleweb
The location line in the header above has redirected the request to: htxp://www.socialsportnews.com/videoofday.php
Blacklisted here: http://www.siteadvisor.com/sites/socialsportnews.com
http://urlquery.net/report.php?id=260144 See IDS alert
OpenX ad server installed: htxp://banners.adcontrol.com/openx/www/delivery/
see: http://www.mywot.com/en/scorecard/banners.adcontrol.com

polonus

Hi Polonus,

I’d assume infected, given the domain map here: http://urlquery.net/domainmap.php?id=260144

The OpenX calls loadus.exelator, note the exe, which I find suspicious.

Also see this: http://answers.microsoft.com/en-us/protect/forum/mse-protect_scanning/what-is-loadusexelerator/2ee9a0c3-985f-e011-8dfc-68b599b31bf5

And this: http://support.clean-mx.de/clean-mx/view_evidence?e=old&id=1106549&table=viruses
A malware sample found on the site last year.
Notice the hidden image and the hidden iframe to hXtp://loadus.exelator.com/load/net.php?n=PGltZ…
The VirusTotal results returned nothing: https://www.virustotal.com/file/587b9b7abea55021e2d704bb23af4840b6bb00d9f3caa43c50dba22471bdfa38/analysis/
Note, however, that these results are from last year.

There is also a hidden iframe on the site that leads to hXtp://view.atdmt.com/iaction/adoapn_AppNexusDemoActionTag_1
Then another that leads to "hXtp://cdn.turn.com/server/ddc.htm?uid=3551504531481064966&mktid=67&mpid=&fpid=-1&rnd=7010269045301605894&nu=y&sp=n&ctid=1"
There is also a mention of a hidden div with the id of cw_td_8120488.
Potential malware was found at hXtp://s0.2mdn.net/1384245, which is also the host of the SWF file and most likely what is triggering the “FILEMAGIC Macromedia Flash data (compressed)” found on urlQuery.
Resource: http://wepawet.iseclab.org/view.php?hash=7b59c153a4aa915ef74cf1190a3c8d39&t=1351438980&type=js

So in summary, this site is blacklisted for a reason.

~!Donovan
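The findings above (a hidden image, hidden iframes, a hidden div) are the classic static markers of a drive-by loader. As an added example, not code from either poster or from any of the tools they link, here is a small defensive scanner that parses a saved HTML page and reports elements that are invisible to the user, either by their own style/size or because they sit inside a hidden ancestor. The sample page and all hosts in it are constructed placeholders, not the site discussed in the thread; the scanner looks only at static markup and will not see elements that JavaScript injects at runtime.

```python
"""Flag hidden iframes, images, divs and plugin objects in static HTML.

Added example for this thread (not the posters' code or any cited tool).
Hostnames in SAMPLE_HTML are constructed placeholders.
"""
from html.parser import HTMLParser
import re

# CSS fragments that make an element invisible on the rendered page.
HIDING_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden"
    r"|(?:width|height)\s*:\s*0(?:px)?\b"
    r"|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE,
)
WATCHED_TAGS = {"iframe", "img", "div", "object", "embed"}
VOID_TAGS = {"img", "br", "hr", "input", "meta", "link", "area", "base",
             "col", "embed", "source", "wbr", "param"}


def _is_tiny(value):
    """True for a width/height attribute of 0 or 1 pixel (tracking-pixel size)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenElementScanner(HTMLParser):
    """Collects watched elements that are hidden, or nested inside a hidden one."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._open = []  # stack of (tag, is_hidden) for currently open elements

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        reasons = []
        if HIDING_STYLE.search(a.get("style") or ""):
            reasons.append("hidden by style")
        if "hidden" in a:
            reasons.append("hidden attribute")
        if _is_tiny(a.get("width")) or _is_tiny(a.get("height")):
            reasons.append("zero/one-pixel size")
        if any(hidden for _, hidden in self._open):
            reasons.append("inside hidden ancestor")
        if tag in WATCHED_TAGS and reasons:
            self.findings.append({
                "tag": tag,
                "src": a.get("src"),
                "id": a.get("id"),
                "reasons": reasons,
            })
        if tag not in VOID_TAGS:
            self._open.append((tag, bool(reasons)))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray closers are ignored.
        for i in range(len(self._open) - 1, -1, -1):
            if self._open[i][0] == tag:
                del self._open[i:]
                break


def scan_html(html):
    """Return a list of findings ({tag, src, id, reasons}) for the given HTML."""
    scanner = HiddenElementScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page: one tracking pixel, one CSS-hidden iframe,
# one hidden div wrapping a second iframe, and one legitimate visible player.
SAMPLE_HTML = """
<html><body>
<h1>Sports videos</h1>
<img src="http://tracker.example.invalid/pixel.gif" width="1" height="1">
<iframe src="http://loader.example.invalid/load/net.php?n=BASE64PLACEHOLDER"
        style="display:none"></iframe>
<div id="cw_td_constructed" style="visibility:hidden">
  <iframe src="http://cdn.example.invalid/ddc.htm"></iframe>
</div>
<iframe src="http://video.example.invalid/player" width="640" height="360"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML):
        print(f"{f['tag']:<6} {f['src'] or f['id']}  <- {', '.join(f['reasons'])}")
```

Run it against a page saved with `curl -o page.html` from an isolated analysis box and review every line it prints; a visible 640x360 player is reported nowhere, while the four invisible elements each come out with the reason they were flagged. Treat the output as triage, not verdict: the iframe itself carries no code, as the TechRepublic article cited below notes, so the next step is to look at what the flagged src URLs serve.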

Hi !Donovan,

Thank you for your analysis and report of this drive-by malware.
This is an interesting write up on loadus.exelator: http://www.techrepublic.com/blog/security/uncloaking-invisible-iframes/8282 by author Michael Kassner.
Summa summarum: There is no malware within the iframe itself, just a link to another
site that will attempt the exploit. And additionally know that the NoScript extension in Firefox protects us against such drive-by malware for Java malcode.
Creating errors from the Java Runtime Environment such as:

EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x7768de2d, pid=6960, tid=5736

So another reason to keep Java fully updated, or run it on demand, or de-activate it in the browser, or even uninstall it (the last advice is not supported by avast officially, but some feel like this).

polonus