Known malvertiser not flagged?

See: http://zulu.zscaler.com/submission/show/a352d544bd81e7fb43abe2e3bf05fee0-1346356118
See where we found the IDS alerts: http://urlquery.net/report.php?id=151978
Known BBot saved evidence of malcode GIF89a€ÿÿÿ!ù, Q now no longer responding…
Issues

1. Flows belonging to different hosts:

Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2012-04-30 11:58:43.566 0.064 TCP 88.68.128.202:52333 -> 195.177.255.135:80 6 932 1
2012-04-30 11:58:43.694 0.704 TCP 208.115.111.73:41379 -> 195.177.254.134:80 13 909 1
2012-04-30 11:58:43.566 0.320 TCP 193.169.4.3:45853 -> 85.199.168.207:80 22 2058 1
2012-04-30 11:58:43.694 0.000 TCP 62.216.176.91:80 -> 217.7.17.165:54204 5 1328 1
2012-04-30 11:58:30.126 16.576 TCP 92.226.74.114:49961 -> 62.216.176.7:80 5 236 1
2012-04-30 11:58:43.566 3.264 TCP 62.216.176.8:80 -> 89.166.146.69:50138 31 39882 1

Quote: data from a lecture by Sebastian Abt on "Selected Research in Network-based Malware and Botnet Detection".

2. I get a WebKnight Application Firewall alert for a lookup on http://hosts-file.net/?s=62.216.176.7 (the IP does not resolve there...)

3. See: http://www.scanurls.com/report/12588 (nothing out of the ordinary given there)

4. Site puts Salfeld's Child Control into the registry as [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ksupmgr], benign as far as I am aware; heuristic finds for this, see: http://r.virscan.org/1a2786a5a4c3c4119c683eb220afdbde

That’s all for what it’s worth,

greets,

polonus
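The flow listing in point 1 is the kind of record an analyst pivots on when a site looks clean in every scanner but still trips IDS alerts: group the flows by the server endpoint and total what touches the network under suspicion. The following is an added example, not part of the original post and not code from the cited lecture. It parses that nfdump-style column layout (the sample lines are reconstructed from the post, header included to show it is skipped), groups flows by whichever side sits on a web port, and sums the traffic touching a watchlisted range; the 62.216.176.0/24 range is an assumed value chosen for illustration, not a finding from the thread.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the flow records quoted in the post, in the
# nfdump-style column layout (start, duration, proto, src, dst, packets,
# bytes, flows). The header line is included on purpose to show it is skipped.
SAMPLE_FLOWS = """\
Date flow start Duration Proto Src IP Addr:Port Dst IP Addr:Port Packets Bytes Flows
2012-04-30 11:58:43.566 0.064 TCP 88.68.128.202:52333 -> 195.177.255.135:80 6 932 1
2012-04-30 11:58:43.694 0.704 TCP 208.115.111.73:41379 -> 195.177.254.134:80 13 909 1
2012-04-30 11:58:43.566 0.320 TCP 193.169.4.3:45853 -> 85.199.168.207:80 22 2058 1
2012-04-30 11:58:43.694 0.000 TCP 62.216.176.91:80 -> 217.7.17.165:54204 5 1328 1
2012-04-30 11:58:30.126 16.576 TCP 92.226.74.114:49961 -> 62.216.176.7:80 5 236 1
2012-04-30 11:58:43.566 3.264 TCP 62.216.176.8:80 -> 89.166.146.69:50138 31 39882 1
"""

# One flow record per line; \s+ tolerates the column padding real nfdump output has.
FLOW_RE = re.compile(
    r"^(?P<start>\d{4}-\d{2}-\d{2}\s+\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<duration>\d+\.\d+)\s+(?P<proto>[A-Za-z]+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<packets>\d+)\s+(?P<nbytes>\d+)\s+(?P<flows>\d+)$"
)


@dataclass(frozen=True)
class Flow:
    start: str
    duration: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text):
    """Parse nfdump-style flow lines; the header and unparseable lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m is None:
            continue
        flows.append(Flow(
            start=m["start"], duration=float(m["duration"]), proto=m["proto"],
            src=m["src"], sport=int(m["sport"]), dst=m["dst"], dport=int(m["dport"]),
            packets=int(m["packets"]), nbytes=int(m["nbytes"]),
        ))
    return flows


def server_of(flow, server_ports=(80, 443)):
    """Pick the server endpoint: whichever side sits on a well-known web port.
    Flows are unidirectional, so the server may appear as src or as dst."""
    if flow.dport in server_ports:
        return flow.dst
    if flow.sport in server_ports:
        return flow.src
    return flow.dst  # no web port on either side: treat the destination as the server


def flows_by_server(flows):
    """Group flows by server IP so all traffic to one host can be read together."""
    grouped = defaultdict(list)
    for f in flows:
        grouped[server_of(f)].append(f)
    return dict(grouped)


def summarize_network(flows, cidr):
    """Totals for the flows touching a watchlisted network. The CIDR is the
    analyst's input; 62.216.176.0/24 in __main__ is an assumed example value."""
    net = ipaddress.ip_network(cidr)
    hits = [f for f in flows
            if ipaddress.ip_address(f.src) in net or ipaddress.ip_address(f.dst) in net]
    return {
        "flows": len(hits),
        "packets": sum(f.packets for f in hits),
        "bytes": sum(f.nbytes for f in hits),
        "servers": sorted({server_of(f) for f in hits}, key=ipaddress.ip_address),
        "clients": sorted({f.src if server_of(f) == f.dst else f.dst for f in hits},
                          key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for server, fl in flows_by_server(flows).items():
        print(f"{server}: {len(fl)} flow(s), {sum(f.nbytes for f in fl)} bytes")
    print(summarize_network(flows, "62.216.176.0/24"))
```

On the sample above, three of the six flows touch the assumed range, with three distinct servers in it and about 41 KB carried, almost all of it in the single 62.216.176.8 -> 89.166.146.69 flow; that kind of per-host split is what makes a quiet ad server stand out from the other traffic in the same capture.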

4. Site puts Salfeld's Child Control into the registry as [-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\ksupmgr], benign as far as I am aware; heuristic finds for this, see: http://r.virscan.org/1a2786a5a4c3c4119c683eb220afdbde

The virscan report is from 2010.

Hi Pondus,

The virscan may be ancient, but the malvertising is not (the IDS alerts from URLquery are very recent).
What I mean to say is that the malvertising through that site seems to go on, while the site seems to have a clean bill of health everywhere.
Well, aside from the IDS alerts, I cannot find anything up…
This is just what the modern malvertiser likes most: keep a low profile and cash in on malvertising, or, when found out, comply and open shop elsewhere to continue business as usual. This is the new business scheme; the “loud” malware was put aside a long time ago…

polonus