I had written to the avast! blog before I registered here.
I am a member of a Hungarian forum where we discuss antivirus products (unfortunately, they don’t like avast). A few days ago, somebody posted a link in the forum that Avira blocked. We looked at the site, and only my avast! blocked it; Norton, Kaspersky, NOD32, Malwarebytes’ Anti-Malware and F-Secure didn’t. A guy sent the link to Avira, Avira analysed it, and answered: the site is clean.
But in the avast! blog, somebody told me that the main site contains two malicious codes.
The site: http://www.cinober.hu/
Analysis from Virustotal’s link-analyser:
Firefox Clean site
Google Safebrowsing Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
Smartscreen Clean site
TRUSTe Clean site
Report 2010-09-02 17:52:04 (GMT 1)
Website cinober.hu
Domain Hash 60510bf1f60fd3fd6285a0e42c01b775
IP Address 212.40.96.85 [SCAN]
IP Hostname Kraeta.externet.hu
IP Country HU (Hungary)
AS Number 12594
AS Name EXTERNET-AS EXTERNET Autonomus System
Detections 1 / 17 (6 %)
Status SUSPICIOUS
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender UNRATED
Scanning site with: DNS-BH CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts UNRATED
Scanning site with: Malware Domain List CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MyWOT SUSPICIOUS
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN
It can’t be new. The comment was written on the 30th of August in the Hungarian forum which I mentioned.
There are lots of malicious codes that are usually known to LOTS OF antiviruses (30 or more), and avast often doesn’t know them…
There is something very fishy about this page. First, there is a huge chunk of obfuscated code at the start of the page (see image example); this goes on for some way to the right and below.
Secondly, there doesn’t appear to be any conventional HTML coding for the page; all of the content appears to be imported using another obfuscated script tag. See image2: all of this is on a single line, which I have broken down to make it easier to view in the image.
See image3, which is the obfuscated script tag (in image2): it generates no less than 3 iframe tags with a 1x1 pixel width and height, trying to hide. So, all in all, highly suspect. The 79.135.152.181 IP address to which these iframes point is in Latvia.
You will never know if it is dangerous or not as what is at the end of the targeted IP 79.135.152.181 could change on a daily or more frequent basis. What is being detected here is the exploitation and not the malware at the other end of the attack.
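The indicators described in the posts above (a large obfuscated script at the top of the page, content written in by a script, and 1x1 iframes pointing at a bare IP address) can be checked mechanically from a saved copy of a page. The Python script below is an added example, not code from this forum thread or from any of the antivirus products mentioned. It flags iframes that are tiny, hidden by style, or whose source is a dotted-quad IP, and script blocks that use `unescape`/`eval`/`String.fromCharCode`, are heavy in `%xx`-style escapes, or consist of one very long line. The thresholds are assumptions chosen for triage, and the sample pages and the 192.0.2.10 address are constructed for the example (192.0.2.0/24 is the TEST-NET-1 documentation range), not taken from the site under discussion.

```python
"""Static triage of a saved HTML page for hidden iframes and obfuscated scripts.
Added example for this thread; the heuristics and samples are constructed."""
import re
from html.parser import HTMLParser

# A bare dotted-quad host in a URL; legitimate sites almost always use hostnames.
IPV4_URL = re.compile(r"https?://(\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?(?:/|$)", re.I)
# Decoder/eval wrappers that commonly surround an encoded payload.
OBF_MARKERS = ("eval(", "unescape(", "String.fromCharCode")
ESCAPE_SEQ = re.compile(r"%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}")


def _is_tiny(value):
    """True for width/height attributes of 0 or 1 (optionally with a px suffix)."""
    if value is None:
        return False
    return value.strip().lower().rstrip("px").strip() in ("0", "1")


class PageScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # list of (kind, detail) tuples
        self._script = None  # buffer while inside a <script> element

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            reasons = []
            if _is_tiny(a.get("width")) and _is_tiny(a.get("height")):
                reasons.append("tiny")
            style = a.get("style", "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden_style")
            if IPV4_URL.match(a.get("src", "")):
                reasons.append("raw_ip_src")
            if reasons:
                self.findings.append(("hidden_iframe", f"{a.get('src', '')} reasons={reasons}"))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body = "".join(self._script)
            self._script = None
            self._check_script(body)

    def _check_script(self, body):
        markers = [m for m in OBF_MARKERS if m in body]
        escapes = len(ESCAPE_SEQ.findall(body))
        longest = max((len(line) for line in body.splitlines()), default=0)
        # Assumed thresholds: a decoder wrapper, an escape-heavy blob, or a single huge line.
        if markers or escapes >= 20 or longest >= 1500:
            self.findings.append(("obfuscated_script",
                                  f"markers={markers} escapes={escapes} longest_line={longest}"))
        # A script that writes a literal IP-based URL is reported separately.
        for m in IPV4_URL.finditer(body):
            self.findings.append(("raw_ip_url", m.group(0)))


def scan_html(html):
    """Return the (kind, detail) findings for one page; an empty list means nothing flagged."""
    scanner = PageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed samples. The "payload" mimics a script that writes a hidden iframe after decoding.
_PAYLOAD = '<iframe src="http://192.0.2.10/" width="1" height="1">'
_ENCODED = "".join("%%%02X" % ord(c) for c in _PAYLOAD)
SUSPICIOUS_PAGE = f"""<html><head>
<script>document.write(unescape('{_ENCODED}'))</script>
</head><body>
<iframe src="http://192.0.2.10/x.php" width="1" height="1"></iframe>
<iframe src="http://192.0.2.10/y.php" style="display: none"></iframe>
</body></html>"""

BENIGN_PAGE = """<html><head><title>Example</title>
<script>var counter = 1; console.log(counter);</script>
</head><body><p>Hello</p>
<iframe src="https://example.com/embed" width="400" height="300"></iframe>
</body></html>"""

if __name__ == "__main__":
    for page_name, page in (("suspicious", SUSPICIOUS_PAGE), ("benign", BENIGN_PAGE)):
        print(page_name, scan_html(page) or "no findings")
```

Because a script-generated iframe only exists after the browser runs the script, the static source shows nothing but the obfuscated block; that is why the scanner reports the script itself and not only iframes that are literally present. A hit from this script is a reason to look closer (for example in an isolated analysis VM), not proof of malice, and, as the last post notes, whatever sits behind the referenced IP can change from day to day.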