Strange lop.com blocking issues

Okay, so, lop.com is a dangerous site, which I did not visit. However, my friend once tried to look up the WHOIS information, and Avast! blocked it. We experimented around, results:

We wonder whether this behaviour can be described somehow. Thanks.

Please, edit the example.org / lop.com link to not a live one.

Has been done.

Hi 13thSlayer,

Here one reads why: http://www.pc1news.com/virus/lop-com.html

General information
Location of website: United States of America

A sample of found threats.

Report of threat
Total of found threats: 10

Adware

Threats found: 4
Here follows a full list:
Name of threat: Adware.Lop
Location: hxtp://b30870.bins.lop.com/bins/int/7k11_pk2.int

Name of threat: Adware.Lop
Location: hxtp://r1234.bins.lop.com/bins/int/9kgen_up.int

Name of threat: Adware.Lop
Location: hxtp://r9849.bins.lop.com/bins/int/7k11_pk2.int

Name of threat: Adware.Lop
Location: hxtp://s20284.bins.lop.com/bins/int/7k11_pk2.int

Virus

Threats found: 1
Here is a full list:
Name of threat: Downloader.Lop
Location: hxtp://lop.com/toolbar_uninstall.exe

Download programs

Threats found: 5
Here is a full list:
Name of threat: Downloader
Location: hxtp://i31360.bins.lop.com/bins/int/upd_admn.int

Name of threat: Downloader
Location: hxtp://sk235lkg.bins.lop.com/bins/int/upAYB.int

Name of threat: Downloader
Location: hxtp://b30870.bins.lop.com/bins/int/upd_admn.int

Name of threat: Downloader
Location: hxtp://bins.lop.com/bins/int/upAYB.int

Name of threat: Downloader
Location: hxtp://u12797.bins.lop.com/bins/int/9kgen_up.int

Enough to try and stay away, I would say certainly, for this is a malware haven,

polonus

P.S. Re: your question because from the one location it redirects to malcode (see reported URLs) and the redirect(s) decide on it being flagged or not…
Example: Well here I scanned one malicious address against the Petersburg scanners of DrWeb’s online URL scanner - and here are the results:

Checking: hxtp://bins.lop.com/bins/int/upAYB.int
Engine version: 5.0.1.12222
Total virus-finding records: 910667
File size: 276.00 KB
File MD5: 534c0176772d9660b30e6ef160d23999

hxtp://bins.lop.com/bins/int/upAYB.int infected with Trojan.Swizzor.based

Damian

You most likely don’t understand the problem. Neither URL (example.org/lop.com nor example.org/sometext/lop.com) exists, but one of them is blocked, while the other is not… So this is just strange.

Hi 13thSlayer,

Then check either of the two addresses here: http://anubis.iseclab.org/
You can also check here: http://online.us.drweb.com/?url=1
and here:
Nice page with links here: http://www.anti-malvertising.com/sleuthing-tools-resources

Some of the ones I use: http://safeweb.norton.com/

http://linkscanner.explabs.com/linkscanner/default.aspx

http://anubis.iseclab.org/

http://www.mywot.com/

http://www.mywot.com/en/scorecard/reclassify.url.trendmicro.com

http://www.finjan.com/Content.aspx?id=574

http://www.robtex.com/ and specifically
http://www.robtex.com/ip/xxx.xxxx.xxxx.xxxx.html#blacklists

Curious what kind of pattern you will find, there you may stumble upon an explanation…
more than likely perimeter based how it is being translated - http://www.searchlores.org/correof.htm
other tools here: http://www.wdvl.com/Style/HTML/Validation/Links.html

polonus

I see:
http://hosts-file.net/?s=lop.com&x=33&y=6 <== bad
http://hosts-file.net/?s=example.org&x=30&y=7 <== good

Going directly to lop.com is blocked as it is a well known malware infected site.