viralvideos DOT 0RG redirect issue

History:
Running Vista, avast home version with latest definitions, Windows Defender, Windows Firewall on, current Firefox

Last night got a web shield warning, possibly a redirect from a typosquatter on amazonDOTcm (not com, d’oh):
“Sign of “HTML:Iframe-inf” has been found in “hxxp://www.viralvideos.org/” file.”

Do an immediate disconnect, clear cache, cookies, etc.
Restart, run avast in safe mode, found nothing.
Install malwarebytes, run again (safemode), nothing found.
Look again at avast logs, which list the last two infections (the viral videos messages) -- am I really infected or were these blocked attempts at infection? I hate not having the option to quarantine anything.

Restart comp in normal mode, do some research to find out more about this issue, and typing hxxp://www.viralvideos.org in Firefox’s search bar 1) displays the desired search results, then 2) triggers the same “Sign of…” message from web shield. So I repeat the disconnect and safe-mode scan as above. This only happens when using Google, my default search engine, from the built-in search bar. If I go straight to yahoo.com and use the search on their site, no redirect attempt.

I have never experienced this before. What’s going on? I’m downloading SAS now to run it after wrapping this post.

Related forum post (from another user, last month): http://forum.avast.com/index.php?topic=44500.0 ???

Hello heylo,

Firstly, you should be safe: as you have clicked ‘abort connection’, you have prevented the malware from downloading to your PC.

As for the website, I have looked at the source code and I haven’t seen anything really obvious; however, my knowledge in this field is limited to the really obvious :stuck_out_tongue:
Maybe someone who is more experienced could have a look.

This kind of detection is usually correct with the increasing number of web pages being hacked.

-Hope this helps,

-Scott-

EDIT: I think I have found it, an iframe linking to a Malaysian website that is reported to contain malware:
http://www.mywot.com/en/scorecard/124.217.238.162%2Fcc.php

See the attached image; they have even tried to disguise it as a stat counter.

Thanks for the quick response!

My lingering question is why did I get the third avast iframe warning from just entering the viral url in the firefox search field? Is something trying to redirect me on my computer?

EDIT: Tested it again, got the same warning from entering said URL in the search field. I clicked abort and turned off my wifi connection immediately, like I thought I did last time… hmm. Worrisome.

I think this may be Firefox’s pre-fetch function; the same thing happens to me, and when I disabled it this alert doesn’t happen.
I think that the prefetch function pre-fetches the first search result from Google.

If you want to turn it off and try it for yourself:

-Open a new tab
-type “about:config” into the address bar (without quotes) [you will have to click the box that says you’ll be careful]
-in the filter bar type: “network.prefetch-next” (without quotes)
-right click the entry and click toggle

Now you can try the google search

Make sure you are careful within this config page; changing some values could prove troublesome.

Hope this helps,

-Scott-

Hi heylo,

Avast prevented the malware from being downloaded onto your computer. Google security qualifies the page as suspicious through 1 hidden external link.

Hey I was right, I’m getting better at this :stuck_out_tongue:
Thanks for confirming Polonus :slight_smile:

BTW what is the scanner that you use to produce all of that info?

-Scott-

polonus: Thanks for the google security info (I was trying to track that info down)
scott: Disabling the prefetch worked, I had no idea about toggling config settings, good to know.

Again, thanks for the fast responses!

No problem, glad to help :slight_smile:

Just be careful with the config page like I said :wink:

-Scott-

Related forum post (from another user, last month): http://forum.avast.com/index.php?topic=44500.0

Hi Heylo

I was the person who sent in the above post. From what I recall, I was alerted to the redirect and aborted the connection. I cannot recall much of the detail, but the redirect took me through to viralvideos, it would seem. After a quick clean-up, scan, etc., I went back to look and everything seemed fine (from what I recall). I was new to the forum then and had never really involved myself in reporting alerts or infections before, preferring instead to exercise a deletion strategy on infected computers (I had a list of clients I did virus detection and removal for). Things have changed a bit now. And my computers are now all running very strong defense plans.

Where I said above that I went back, I think I went back as far as looking at the viralvideos site (it would have been on a different PC, a ‘disposable’ PC) but then found nothing untoward, as I posted. Perhaps I took a different route in, or the other PC was configured differently, I don’t know. Unfortunately I cannot remember what it was that initially redirected me to the viralvideos site. These kinds of alerts are still not part of my field of expertise. But I have made note of your posts now in case something comes up in the future.

Regards.

Thanks for this. I was actually asking how to stop Firefox from doing a pre-fetch on the first search result a few weeks ago, after I got hit by exactly the same problem the OP had.

No problem, glad it helps :slight_smile:

-Scott-

Oh, I reread the thread. From what I recall, I typed the address of the front page of Facebook into my address bar (URL facebook.com) and was immediately redirected to viralvideos. At the time my browser was Internet Explorer. Normally, back then, it would have been the Google search box as the front page, but that appears not to be so in this case.

I guess at the time, Facebook was being targeted by miscreants, but I still have no idea as to why and how this happened even with the added knowledge I have gained in this thread about prefetch. The page I went back to look at was front page of Facebook, and I found everything to be fine - with no redirect. I stayed clear of viralvideos.

Perhaps I may have been mistaken about a few of the details. But I seemingly typed the standard URL address for Facebook into the IE browser and was redirected to viralvideos. Still a bit dumbfounded about this. ???