Hello Forum friends. Today I was trying to play like a joke on somebody with a Rick Roll but the sites I usually use are blocked by avast! I always check these sites most of the time before I try to prank somebody with them.
Well, I suspect that the rickroll page might have an example of the code. However, on further checking, the home page redirects to the rickroll.html page (see image, content of rickroll.html page).
Avast isn’t alone in finding that page suspect, VirusTotal results page.
What were you doing poking your nose into wXw.20b.org?
Again, what were you visiting hXXp://1227.com for?
Curiosity killed the cat, you know; that’s the thing, you never know what the payload is going to be when you visit sites such as these.
There is a packed zipped file loaded when you visit that site, see image extract of the obfuscated/zipped content.
Whilst only avast, gdata and avg find anything wrong with this (that isn’t unusual), see VirusTotal results page.
Guys, I manage the site 1227.com and I honestly don’t believe the assessment is accurate. Can you explain to me how this assessment has been made? I’ve tried a variety of tools to try to replicate your charge that a hidden zip file is being transferred but I don’t see it at all. If you could simply tell me what steps you have taken to come to this conclusion (e.g. a curl or wget command that would display the rogue request you speak of) I would be happy to admit there is an issue and take the steps to resolve it. Without this, I can’t agree that there is any malware being distributed by the site, which seems to be the opinion of the vast majority of anti-malware detection tools out there (see the links below). I appreciate you taking the time to clarify your previous assertions.