Nothing being detected by zuluZscaler: http://zulu.zscaler.com/submission/show/79c30f624418092b2e0f2e3d1497206d-1347371272
Alerted by urlnetquery dot net IDS alert: http://urlquery.net/report.php?id=173023
polonus
Hi Pondus,
Thanks a lot for confirming this status. I gave feedback to zuluZscaler for missing it…
Hope avast gets it, because I already reported the js.js Blackhole landing pattern on August 25th last,
so they had ample time to add it to detection…
zuluZscaler did not check for the landing at document.location='hxtp://173.255.221.74/tfvsfios6kebvras.php?r=baeqmk1my6mjqvwa';
and when I fed that manually there I got an all green, but it is 100/100 malware: http://urlquery.net/report.php?id=173038
So I reported "Live Blackhole Exploit kit is being detected", as the DrWeb URL checker flags it as suspicious and now you have got a McAfee detection verification.
polonus
Hi Polonus,
I also remember you posting about the double extension '.js.js' threat in the past, late 2011 or early 2012.
~!Donovan
Hi !Donovan,
Yes, my good friend, and if you query Google for urlquery dot net scans and that particular pattern, you get quite a number of hits for Cutwail spambot infections.
Also look here: http://spamalysis.wordpress.com/ spam analysis provided by author nightrover, who explains the inner workings of the known Cutwail spambot infection pattern…
Well, and here is also some valuable background info on this so-called "Incognito variant": http://lists.emergingthreats.net/pipermail/emerging-sigs/2012-April/018758.html (poster Chris Wakelin), 8).
So if detections like these are being missed, at least polonus and !Donovan cannot be blamed for this ;D ,
polonus
link in first post - Norman lab - js.js - Redirector.FZ
link in reply #2 - Norman lab. tfvsfios6kebvras.php - Blacole.MZ