I see. Thanks for the info.
Regards,
~!Donovan
Hi !Donovan,
And thank you for informing me. More than ever now we have to be aware of server and DNS hiccups and insecurities as a background for malicious activity.
Malcreations are no longer performed by advanced script kiddies, but by refined malcode expert strategists with evil intent,
using all the tricks from the book and beyond. We have grim and real APT opponents from the dark side.
polonus
Nvidia replied to me that the redirect is a false positive. But I'm getting more and more confused, tbh.
So the home.js is okay, as stated by !Donovan and Nvidia, so the Sucuri alert is false.
But now we have this DoubleClick thing mentioned by pol, which Sucuri doesn't mention at all. As DoubleClick is not only used by Nvidia, every site that uses it would be infected, am I right?
In the end I just want to know if it's safe to visit nvidia.com.
Thank you very much!
That address is Ghosted. Delegation not found at parent.
I think you are at least secure. Google is always soon to clean up their act.
Somewhat more info here.
No delegation could be found at the parent, making your zone unreachable from the Internet.
I get a bad request for that Floodlight server: HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8; it did not follow the redirect to htxp://www.google.com (not a public page)
Not enough nameserver information was found to test the zone 3773406.fls.doubleclick.net, but an IP address lookup succeeded in spite of that.
See: http://www.domaincrawler.com/173.194.40.251
Check here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS → http://www.dns-ok.us/ -> The Exclusion Zone ("Truth is subjective")
(because I am located inside Europe, so outside the US), but I get this confirmed from the FBI → Your IP is not configured to use the rogue DNS servers.
polonus
What do you mean by FBI, pol?
Hi Steven Winderlich,
Just this check site from that institution against DNS Changer malware: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS#googtrans(nl)
where you can check that you haven't become a victim of ghosted DNS manipulation (so-called rogue DNS servers):
fill in your IP and click "Check your DNS". When OK you see: Your IP is not configured to use the rogue DNS servers.
Courtesy of the Federal Bureau of Investigation.
For Germany check here: http://www.dns-ok.de/ (German Bundeskriminalamt (BKA) / Bundesamt für Sicherheit in der Informationstechnik (BSI)).
polonus
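The check polonus describes above compares the resolvers a machine is actually using against the rogue DNS ranges that were published for the DNSChanger takedown. As an added example that is not part of the original post and not the FBI's or BKA/BSI's tool, here is an offline version of that check in Python: it parses resolv.conf-style text and flags any nameserver that falls inside one of the published rogue ranges. The range list is the one published at the time of the takedown and should be verified against the current published list before relying on it; the sample resolv.conf content is constructed.

```python
import ipaddress
import re

# Rogue resolver ranges published for the DNSChanger (Rove Digital) takedown.
# Assumption: this list is reproduced from the published advisory; verify it
# against the current published list before relying on it.
ROGUE_DNS_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Pre-compute CIDR networks so membership tests are cheap.
_ROGUE_NETWORKS = [
    net
    for start, end in ROGUE_DNS_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.ip_address(start), ipaddress.ip_address(end))
]


def is_rogue_dns(ip):
    """Return True if `ip` (an IPv4 address string) lies in a rogue range."""
    addr = ipaddress.ip_address(ip)
    # An IPv6 resolver never matches an IPv4 network, so it is reported clean.
    return any(addr in net for net in _ROGUE_NETWORKS)


def parse_resolv_conf(text):
    """Extract nameserver addresses from resolv.conf-style text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)$", line)
        if m:
            servers.append(m.group(1))
    return servers


def check_resolvers(text):
    """Map each configured resolver to a verdict: 'ROGUE' or 'ok'."""
    return {ip: ("ROGUE" if is_rogue_dns(ip) else "ok")
            for ip in parse_resolv_conf(text)}


# Constructed sample: one clean public resolver and one inside a rogue range.
SAMPLE_RESOLV_CONF = """# constructed example, not a real host's configuration
nameserver 8.8.8.8
nameserver 85.255.112.45
"""

if __name__ == "__main__":
    for ip, verdict in check_resolvers(SAMPLE_RESOLV_CONF).items():
        print(ip, verdict)
```

On a real machine you would feed it the contents of /etc/resolv.conf (or the resolvers reported by `ipconfig /all` on Windows); a "ROGUE" verdict means the host's DNS settings were changed, which the web-based check cannot tell apart from a rogue resolver upstream at the ISP.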
You could have thought about another FBI there.
And there is a checking site for emails from the BSI; there were so many people a few weeks ago that their server crashed.
So let me (try to) summarize:
The Sucuri alert is wrong, confirmed by Nvidia and Donovan.
There is a hidden iframe on nvidia.com which points to 3773406.fls.doubleclick.net. Only the fact that the iframe is hidden makes it suspicious for several AV engines (see maldb results). But in fact 3773406.fls.doubleclick.net is clean:
http://wepawet.iseclab.org/view.php?hash=19f5c67e311eeaa8e045c49e23772514&t=1393507441&type=js
So is Avast atm actually blocking nvidia.com or not? I can't try, because I'm instantly redirected (if I just knew).
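The summary above comes down to one point: the AV engines are not reacting to the DoubleClick host itself but to the fact that the iframe is hidden, which is the same shape a compromised page uses to load an exploit kit. As an added example that is not part of the original post (and not Avast's, Sucuri's or maldb's detection code), the Python script below applies that heuristic to raw HTML: it collects every iframe and flags the ones hidden via display:none, visibility:hidden, off-screen positioning, or 0/1-pixel dimensions. The sample page is constructed; the doubleclick src reuses only the hostname mentioned in the thread, and the path and the other iframe URLs are made up.

```python
from html.parser import HTMLParser
import re


class HiddenIframeFinder(HTMLParser):
    """Collect <iframe> tags and note which ones are rendered invisibly."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        self.iframes.append({"src": a.get("src", ""), "hidden": self._is_hidden(a)})

    @staticmethod
    def _dimension(a, name):
        """Pixel size from inline style or the HTML attribute, else None."""
        style = a.get("style", "").lower().replace(" ", "")
        m = re.search(r"(?:^|;)%s:(\d+)" % name, style)
        if m:
            return int(m.group(1))
        m = re.match(r"\s*(\d+)", a.get(name, ""))
        return int(m.group(1)) if m else None

    @classmethod
    def _is_hidden(cls, a):
        style = a.get("style", "").lower().replace(" ", "")
        if "display:none" in style or "visibility:hidden" in style:
            return True
        # Pushing the frame far off-screen is another common way to hide it.
        if re.search(r"(?:^|;)(?:top|left):-\d{3,}", style):
            return True
        # A 0x0 or 1x1 frame (the classic tracking-pixel / injected-iframe size).
        w, h = cls._dimension(a, "width"), cls._dimension(a, "height")
        return w is not None and h is not None and w <= 1 and h <= 1


def find_hidden_iframes(html):
    """Return the src of every iframe the page hides from the viewer."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return [f["src"] for f in p.iframes if f["hidden"]]


# Constructed sample page: a visible embed, a Floodlight-style 1x1 tracking
# frame (the shape flagged as HTML:Iframe-inf), and an off-screen frame.
# Only the doubleclick hostname comes from the thread; the rest is made up.
SAMPLE_HTML = """
<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="https://3773406.fls.doubleclick.net/" width="1" height="1"
        frameborder="0" style="display:none"></iframe>
<iframe src="http://example.invalid/x.html"
        style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

The heuristic cannot tell a legitimate conversion-tracking pixel from an injected loader, which is exactly why it produces false positives on sites using Floodlight; the useful follow-up is to check whether the hidden src belongs to a known advertising host and whether the page's own source (as served by the CDN, not a cached copy) actually contains that tag.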
Hi Ijkoy,
I can assure you that the site is not being blocked by avast at this moment; users can normally visit: http://www.nvidia.com/page/home.html
Content (encoded: 6.40 KiB / decoded: 26.30 KiB)
polonus
But what about the maldb results you posted?
See how it is being detected now: http://maldb.com/www.nvidia.com/#
Avast: HTML:Iframe-inf
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Iframer.AU
Sophos: Mal/Iframe-V
GData: HTML:Iframe-inf
ESET-NOD32: HTML/Iframe.B.Gen
Thank you btw for your ongoing support.
Hi Ijkoy,
Well, the ongoing ASP.NET server insecurities are still there,
according to: https://asafaweb.com/Scan?Url=www.nvidia.com%2Fpage%2Fhome.html
but that does not make that URI malicious per se, see: https://www.virustotal.com/nl/url/492dc9e1dedb0ce1fecc5963baf82a07911ae820748e3704fd05b4f2d89595b2/analysis/
But those responsible for hosting that site could do a far better job of securing/hardening their servers against the mentioned insecurities.
See: http://urlquery.net/report.php?id=9691915
But there is still malware being launched from other domains on that same IP:
Recent reports on the same IP/ASN/domain (filemagic IDS alerts on downloads),
and this IDS alert for ETPRO WEB_CLIENT Microsoft Internet Explorer remote code execution via option element,
see: http://urlquery.net/report.php?id=9692088
So PowerTech Information Systems AS should not turn a blind eye to this abuse.
Been there before for this IP, see: http://forum.avast.com/index.php?topic=137534.0
Yours are possibly cached results from Thu Feb 27 19:57:25 2014.
Furthermore, we conclude that suspicious/malicious code was found, but no malicious redirects were given.
There are no suspicious redirects found. → http://zulu.zscaler.com/submission/show/62add027141778238aab5b8596008a0e-1393525056
See where the initial maldb results stemmed from: http://evuln.com/tools/malware-scanner/www.nvidia.com/
See for advice: http://sitecheck2.sucuri.net/results/3773406.fls.doubleclick.net#sitecheck-details (their service is not free).
polonus