avast doesn't block the vector URL [gulfoilspillsupport.com], but it blocks the css file from the site that is responsible for the fake AV redirection…
so that's a very, very early detection and prevention of the malware… yes, avast does make an IP block for the fakescan IP, and the .exe fakeAV download on the site is also detected…
Site with WordPress backdooring… Blackhole IP & PHP malware IP. Malware,
JS:Trojan.JS.Dropper.D, at this particular site was closed: 2012-07-02 13:42:37
I see: /css/Analytical-Testing-Services.css HTTP/1.1
Host: gulfoilspillsupport dot com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/css,*/*;q=0.1
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Connection: keep-alive
Referer: htxp://gulfoilspillsupport.com/caspharma/
HTTP/1.1 301 Moved Permanently
X-Pingback: htxp://www.gulfoilspillsupport.com/xmlrpc.php (in xmlrpc.php there is the WP vulnerability)
XML-RPC server accepts POST requests only. (vulnerable to create hacked WordPress backdoors).
Well, urlquery also produces IDS alerts for that site, denoting JavaScript anomalies.
WordPress could allow a remote authenticated attacker to bypass security restrictions, caused by improper validation by the xmlrpc.php script. A remote attacker with contributor permissions could exploit this vulnerability to publish posts to the Web site.
Quote taken from Digging into WP, by article author Jeff Starr.
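As an added example (not code from anyone in the thread), the following triage script checks a captured HTTP request/response pair for the two indicators the capture above shows: a stylesheet request answered with a redirect, and an X-Pingback header advertising xmlrpc.php. The sample is reassembled from the fragments quoted above; the GET verb on the request line and the Location target (a placeholder host) are assumptions, since the thread does not show them.

```python
"""Triage a raw HTTP request/response pair for the fake-AV redirection hook
(a .css request that is redirected instead of served) and an exposed
WordPress XML-RPC endpoint (X-Pingback pointing at xmlrpc.php)."""
from urllib.parse import urlsplit

# Constructed sample, reassembled from the thread's capture. The GET verb and
# the Location header (placeholder host) are assumed, not taken from the page.
SAMPLE_REQUEST = """GET /css/Analytical-Testing-Services.css HTTP/1.1
Host: gulfoilspillsupport.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/css,*/*;q=0.1
Referer: http://gulfoilspillsupport.com/caspharma/
"""
SAMPLE_RESPONSE = """HTTP/1.1 301 Moved Permanently
X-Pingback: http://www.gulfoilspillsupport.com/xmlrpc.php
Location: http://fakescan.example.invalid/scan/
"""


def parse_http(message):
    """Split a raw HTTP message into its start line and a lower-cased header dict."""
    lines = message.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _site(host):
    """Normalise a hostname so www.example.com and example.com compare equal."""
    host = (host or "").lower().split(":")[0]
    return host[4:] if host.startswith("www.") else host


def triage(request, response):
    """Return the names of the indicators that fire on this request/response pair."""
    req_line, req = parse_http(request)
    status_line, resp = parse_http(response)
    path, status = req_line.split()[1], int(status_line.split()[1])
    findings = []
    # The hook from the thread: the page loads a .css URL and the server
    # bounces the browser elsewhere instead of serving a stylesheet.
    wants_css = path.lower().endswith(".css") or req.get("accept", "").startswith("text/css")
    if wants_css and 300 <= status < 400:
        findings.append("css-request-redirected")
    # A redirect whose target leaves the requested site is what a fake-AV chain looks like.
    target = urlsplit(resp.get("location", "")).hostname
    if target and _site(target) != _site(req.get("host")):
        findings.append("offsite-redirect")
    # X-Pingback advertises the XML-RPC endpoint the thread ties to the compromise.
    if "xmlrpc.php" in resp.get("x-pingback", "").lower():
        findings.append("xmlrpc-exposed")
    return findings
```

A normal 200 response serving the stylesheet yields no findings, so the script can run over a proxy log to surface only the odd exchanges.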