Trojan horse found on site, but given clean at URLVoid???

Hi malware fighters,

Malware here: htxp://jewellerybysally.com.au//administrator/components/com_virtuemart/2.txt???

Avast detects: PHP:Agent-L[trj]
Site given clean here:
Scanning site with: AMaDa CLEAN
Scanning site with: BrowserDefender UNRATED
Scanning site with: Finjan CLEAN
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol CLEAN
Scanning site with: MalwareDomainList CLEAN
Scanning site with: MyWOT UNRATED
Scanning site with: Norton SafeWeb UNRATED
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard UNRATED
Scanning site with: ZeuS Tracker CLEAN

pol

Well, that isn’t good for URLVoid, with 34/40 detection on VT; mind you, that isn’t doing any active scan, as the so-called txt page is in fact a PHP script.

http://www.virustotal.com/analisis/6d33c307220ed8a9d006931bec623fb376cf1e7c10b6367d8c5dba0d8deb4460-1278785176
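The point above is that a reputation lookup never looks at the bytes, so a PHP script served under a .txt name sails through. As an added example (not code from this thread or from avast), here is a small site-owner sweep that walks a web root and flags files whose extension says "data" but whose content carries a PHP open tag; the sample tree it builds is constructed, and the 2.txt it plants is a harmless stand-in, not the script from the site.

```python
"""Flag files under a web root whose extension says 'data' but whose bytes are PHP.
Added example (not from the thread): mirrors the finding above, where
/administrator/components/com_virtuemart/2.txt was really a PHP script."""
import os
import re
import tempfile
from pathlib import Path
from typing import Optional

# Extensions a site owner does not expect to carry server-side code.
DATA_EXTENSIONS = {".txt", ".gif", ".jpg", ".jpeg", ".png", ".ico", ".log"}
# PHP open tags; the bare short tag "<?" is excluded because XML prologs start that way.
PHP_TAG = re.compile(rb"<\?php\b|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)


def classify_file(path: Path, max_bytes: int = 1 << 20) -> Optional[str]:
    """Return 'php-in-data-file' when a data-extension file holds a PHP open tag.
    The whole file (up to max_bytes) is scanned, not only the header, so PHP
    appended behind a valid image header is still caught."""
    if path.suffix.lower() not in DATA_EXTENSIONS:
        return None
    try:
        data = path.read_bytes()[:max_bytes]
    except OSError:  # unreadable file: report nothing rather than abort the sweep
        return None
    return "php-in-data-file" if PHP_TAG.search(data) else None


def find_disguised_php(root: Path) -> list:
    """Walk root; return sorted POSIX-style relative paths of every flagged file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if classify_file(Path(dirpath) / name):
                hits.append((Path(dirpath) / name).relative_to(root).as_posix())
    return sorted(hits)


def build_sample_webroot() -> Path:
    """Constructed sample tree (not real site content): one .txt that is PHP, one
    GIF with PHP appended, plus an XML-as-.txt and a plain readme as controls."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    comp = root / "administrator" / "components" / "com_virtuemart"
    comp.mkdir(parents=True)
    (comp / "2.txt").write_bytes(b"<?php echo 'constructed stand-in'; ?>")
    (root / "logo.gif").write_bytes(b"GIF89a" + b"\x00" * 64 + b"<?php /* appended */ ?>")
    (root / "feed.txt").write_bytes(b"<?xml version='1.0'?><rss/>")
    (root / "readme.txt").write_bytes(b"Plain text, nothing to see.")
    return root
```

Run it against a copy of the site's document root rather than the live tree, and treat each hit as something to review by hand, since a legitimate template can also ship PHP under an odd name.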

Well, if URLVoid is so weak… why did I bookmark it?
Seems I’m going to regret it.

I don’t really blame URLVoid, as it is just collating all the other results, and for the most part those other results are based on historical data and not an immediate malware-related scan.

That is where avast is top of the heap with its web shield and URLVoid is just a tool to avoid having to visit all those sites…

Hi ye all,

Well I can say that two facts are right here: NoScript blocks them all and the avast shields are the best to have.
But you cannot rely fully on reputation scanners; the results vary, and URLVoid (it is not bad, really) does not give all that are actually there from their resources. So I always check additionally with Finjan (a real-time scanner) and DrWeb’s URL check (similar), but I hardly use that now because it isn’t scanning deep enough (sub-links). Unmask Parasites is a very good resource, but does not have them all. WOT and Norton Safe Web are dependent on what the users give in and what has been scanned; Norton Safe Web also gives locations and malware definition. With Wepawet you have an indication, but you have to click through there for the Anubis or VT results to be more accurate. Dasient is a source the others do not have (avast is checking them now, and also their Twitter list); malware domains etc. are additional resources. Then for experts there is also jsunpack, a quick and dirty iFrame scan at the iFrame detektor, and checking out with Malzilla. But I nowhere found a scanner for suspicious URLs that has the last word of the gospel for us; it is a question of combining, re-combining and also giving in the additional Google search query to come at decisive results (sometimes analyzing the very code), but we are getting better at it all the time.

polonus

Ok… We’re going to an arsenal when we can catch them only with avast…
I know, layered defense, second opinion…
But they’re always weaker than avast… Finjan? Dr. Web? WOT? (I never used Norton check)… I trust avast’s detection with closed eyes. Really. This is not fanboyism, just that the others aren’t adding anything in my opinion.

How do we know it isn’t a false positive?

It could be…
We need confirmation from avast team (or its correction in the new virus definitions update).
Just that, generally, avast is correct and adds detection before the others.

See reply #1…! :wink:
asyn

How did you run across that, Damian? Does the Avast Web Scanner flag that file while you’re browsing htxp://jewellerybysally.com.au, or were you using a dedicated site scanner to find it? Neither the Avast network shield nor the Firefox attack site scanner provided by stopbadware.org flags the site itself as malicious, so, even if that particular script is malware, it may be the case that the site isn’t using it to attack anyone.

BTW, just to stay on-topic. If it were possible, I would rely on reputation scanners even less than I rely on any AV or other blacklist-based scanner, but zero can’t be less than zero. :slight_smile:

I’ve notified the owner of the jewellery site that her site appears to have been hacked. Did someone else already do that?

Hi Alan Baxter,

No I did not, good you did.
Considering your earlier question to me…
Sometimes one stumbles on these finds while looking elsewhere; it could be a sublink, or it could be other resources of paid-for scanning services that are on the net (Dasient for instance, and for example Sucuri), and then you find, as in this case, that the avast shields are very good and reliable to a high extent. I open up a suspicious script with jsunpack (only use this online with NS active and preferably in a sandboxed browser) and avast will block it and disconnect; then I can have a look with Malzilla at what is out there and present the users here with a readable gif image of the code, made using PicPick software in my case. After that I start to do a further investigation on the code by feeding Google with the first part of it (if it is safe enough to do so) to get a further read on what the code does, and besides I have the help of a very bright coder here in the forums to give me a hand as well. So during this, for me, educational process I have come to the absolute conclusion that one needs the protection of NoScript running in the browser and the avast shields up; it is just too bloody dangerous out there to ignore this message, just as shown in this case. One never knows where threats lurk, and people that do not realize this, well, I am not going into any discussion to convince them again; as I see it now they cannot be helped…

polonus

Hi malware fighters,

And what about this Polish site: atmar.com*pl
URLvoid only gives a WOT detection…
There definitely is malware there, see: http://wepawet.iseclab.org/view.php?hash=46931559b2ed46bda7aa20caeb21f933&t=1277795035&type=js
And see here: http://support.clean-mx.de/clean-mx/viruses?id=618629
and on the malware URL list: http://honeystats.info/malware
See the suspicious code in the attached gif image.

avast detects as Win32:VBMod

pol

The problem is that using these tools like URLVoid and those that it collates to detect ‘current active malware’ rather than a prior historic site check will never work.

As has been said of WOT before, its results are subjective, as they are community based, and shouldn’t be used as gospel. The same is true of these others, as their analysis is effectively only good whilst the digital ink is still wet (i.e. when that check was done) and not weeks or months later.

Not to mention that most of them aren’t even doing the same sort of analysis as avast or hXXp://wepawet.iseclab.org, so we are into comparing apples and oranges.

So these tools have to be used as a guide and not for total abeyance.

Seems URLVoid is always missing infected sites…

+1
asyn