URL protection not working?

Hi,

I use Avast 7 Free updated with the most recent virus definitions.

Today I surfed to an infected site and, although Avast notified me the URL was infected and in theory blocked it, my machine was infected. As an IT guy, I could clean it up by deleting some files. Then I surfed again to the same website and again Avast told me the URL was infected and blocked the access, but even this way I was infected again.

It's some kind of Windows 7 virus that updates MSConfig to start when you reboot.

So I cleaned up my system again.

I'd like to know why this happened; if Avast blocked the URL, why was my machine infected?

The site in question is below (I've separated it with spaces to avoid clicking); be careful, it's infected.

http : // www . phabrica . com . br

What do I need to really have protection?

Thanks!

Use a script blocker in your browser. (E.g.: FF with NoScript)
http://sitecheck.sucuri.net/results/www.phabrica.com.br
http://zulu.zscaler.com/submission/show/baca0aae3e119f8b51497e6fc074c7ce-1334772700 → See domain history…!!! :slight_smile:

This means I can't trust Avast's Web Shield?

Sure you can trust the WS; a script blocker wouldn't hurt as another layer of protection though. :wink:

VirusTotal
https://www.virustotal.com/file/c0fad58cefa61c45fa67338af82f124d6128193ecee03dbcb3796924f0705209/analysis/1334773276/

If I can trust the WS, why was I infected twice even with the shield active? :slight_smile:

What detected the infection?
What was the malware name?
Where was it found?

Here is the shield log:

URL : http: // www . phabrica . com . br/wp-content/themes/Phabrica/js/superfish.js|>{gzip}
Severity : High
Status : Threat:JS:Redirector-Om[Trj]
Action : Blocked

I'm surfing to the site again with a virtual machine running Windows XP. If I navigate to the site on my original machine (Windows 7 Pro), I will be infected again; I've tested twice and twice I was infected.

What are your settings in WS…??
If it blocks the connection, there should be no infection.

So are you saying first the Avast Web Shield detects and blocks, then Avast detects another file when scanning?

Note: also break the link above so it is not clickable.

Avast blocks, but somehow I get infected anyway. Maybe Avast is blocking one link but letting another pass; I'm not sure what happens.

What I'm sure of is that I've tried twice to navigate to this site, and twice I got infected. I can tell because the virus puts some .exe files in my c:\programdata and edits MSConfig to run itself when I restart. It even blocks Taskman and deleted all my shortcuts. It seems to be a Win7-specific infection.

As an IT guy, I could restore everything, and I tried again to navigate to this site, and again I was infected.

I would try again, but every time it infects my computer I lose a lot of time cleaning things up.

I have default actions, have not edited anything.

> I can tell because the virus puts some .exe files in my c:\programdata

Can you upload this .exe file(s) to www.virustotal.com and post the scan link here when you have the result (if scanned before, click rescan)?

I can't, because I've deleted the file; to get it again, I'd have to get infected again…

  • Which avast!..?? (Free/Pro/IS)
  • Which version…??
  • OS…?? (32/64 Bit…? - which SP…?)

Avast 7.0.1426 Free
Windows 7 Pro 64bit

OK, thanks. I’ll try to get someone from the viruslab to take a look at this thread.

Edit: Outdated Java.

Well, this is what Wepawet says:
http://wepawet.iseclab.org/view.php?hash=9e8b06dbe3a981b01e494e2950aa2d60&t=1334773515&type=js

Text Form of Oracle Java SE Critical Patch Update - February 2012 Risk Matrices
http://www.oracle.com/technetwork/topics/security/javacpufeb2012verbose-366319.html

CVE-2012-0507
Vulnerability in the Java Runtime Environment component of Oracle Java SE (subcomponent: Concurrency). Supported versions that are affected are 7 Update 2 and before, 6 Update 30 and before and 5.0 Update 33 and before. Easily exploitable vulnerability allows successful unauthenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Java Runtime Environment accessible data as well as read access to a subset of Java Runtime Environment accessible data and ability to cause a partial denial of service (partial DOS) of Java Runtime Environment.

Note: Applies to client deployments of Java. This vulnerability can be exploited only through Untrusted Java Web Start applications and Untrusted Java applets. (Untrusted Java Web Start applications and untrusted applets run in the Java sandbox with limited privileges.).

CVSS Base Score 7.5 (Confidentiality, Integrity and Availability impacts). CVSS V2 Vector: (AV:N/AC:L/Au:N/C:P/I:P/A:P). (legend) [Advisory]

ESET Threat Blog - Blackhole, CVE-2012-0507 and Carberp
http://blog.eset.com/2012/03/30/blackhole-cve-2012-0507-and-carberp

So is your Java updated?

Does the Pro version have a better web shield, or if I've been infected with Free, would I be with Pro as well?

WS is the same in all products.