What malware is here?

Bitdefender is detecting this: hxtp://zulu.zscaler.com/submission/show/bc7235f3c5d1046129a09694fb0653fe-1336489832
See: htxp://hosts-file.net/?s=31.170.163.130
htxps://www.virustotal.com/url/3e6677d53f4b9fdd4923abf97a2d30dc8de88b3f6195bf6e4c6280a3fadc0458/analysis/1336490009/
many instances given here: htxps://www.virustotal.com/url/3e6677d53f4b9fdd4923abf97a2d30dc8de88b3f6195bf6e4c6280a3fadc0458/analysis/1336490009/
See IDS flag here: htxp://urlquery.net/report.php?id=52436
Malware found at that IP: mdl_zeus v2 config file, PERL/IrcBot.GN, PUA.HTML.Infected.WebPage-1.
See: http://zulu.zscaler.com/submission/show/bc7235f3c5d1046129a09694fb0653fe-1336489832
and the redirect: hxtp://urlquery.net/report.php?id=32661 suspicious

polonus

This was in the IDS alert from the urlquery.net scan:
Suricata /w Emerging Threats
Timestamp | Source IP | Destination IP | Alert
2012-05-08 17:15:31 | 31.170.163.130 | urlQuery Client | ET RBN Known Russian Business Network IP (204)
These alerts should always be checked. There are quite a few safe hits, a lot of spam advertising going on,
and some material that could expose users to legal litigation (illegal music).
So some of these alerts are certainly not false positives.

polonus

Another example is this IDS alert from a urlquery.net scan (Suricata /w Emerging Threats):
Timestamp | Source IP | Destination IP | Alert
2012-05-09 16:27:49 | 188.64.170.17 | urlQuery Client | ET RBN Known Russian Business Network IP (70)
Found on Live - Badmalweb: htxp://urlquery.net/report.php?id=52934
Suspicious obfuscated script download: htxp://zulu.zscaler.com/submission/show/7f65b3d64285813cde3240f378b32694-1336573641
flagged only by Bitdefender: htxps://www.virustotal.com/url/3a3703b891a82aea84164b633a315301a8ec2e143e2c1266d76ef50bc98dd38d/analysis/1336574137/
obfuscated script produced through Ol0.src = ‘htxp://api.myobfuscate.com/?getsrc=ok’
see: productsonline.us/09085E6Zy096.js benign
[nothing detected] productsonline dot us/09085E6Zy096.js
status: (referer=htxp:/twitter.com/trends/)saved 5679 bytes 6c566819cdffa95dce9292c895502adc2148d874
info: [decodingLevel=0] found JavaScript
error: undefined variable l0l
info: [decodingLevel=1] found JavaScript
info: [decodingLevel=2] found JavaScript
info: [decodingLevel=3] found JavaScript
suspicious:
Finally the IP has been identified as a known SpyEye IP:

polonus
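The two urlquery.net alert tables above share one layout (timestamp, source IP, destination, ET signature, hit count in parentheses). As an added example that is not part of the thread or of urlquery.net's own tooling, here is a small Python triage helper that parses lines in that layout and marks the ones whose Emerging Threats category (ET RBN, ET TROJAN, ET MALWARE, ET CNC) warrants a manual look. The two RBN lines are the ones quoted in the thread; the third sample line is constructed for the example, and the set of categories to review is an assumption, not an official ET list.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Layout of the urlquery.net IDS alert table quoted in the thread:
# "<timestamp> <source IP> <destination> <signature> (<hit count>)"
ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dst>urlQuery Client|\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<sig>.+?)\s*(?:\((?P<count>\d+)\))?$"
)

# ET signature prefixes that should always get a human look (assumed list for this example).
REVIEW_PREFIXES = ("ET RBN", "ET TROJAN", "ET MALWARE", "ET CNC")


@dataclass
class IdsAlert:
    timestamp: datetime
    source_ip: str
    destination: str
    signature: str
    count: Optional[int]  # number of hits reported in parentheses, if any


def parse_alert_line(line: str) -> Optional[IdsAlert]:
    """Parse one table row; header rows and free text return None."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return IdsAlert(
        timestamp=datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        source_ip=m["src"],
        destination=m["dst"],
        signature=m["sig"],
        count=int(m["count"]) if m["count"] else None,
    )


def triage(lines):
    """Return (alert, needs_review) pairs for every parseable line."""
    results = []
    for line in lines:
        alert = parse_alert_line(line)
        if alert is None:
            continue
        results.append((alert, alert.signature.startswith(REVIEW_PREFIXES)))
    return results


def sources_to_review(lines):
    """Distinct source IPs that raised at least one review-worthy alert, sorted."""
    return sorted({a.source_ip for a, review in triage(lines) if review})


# Sample input: the header row plus the two rows quoted in the thread and one constructed row.
SAMPLE_ALERTS = [
    "Timestamp Source IP Destination IP Alert",
    "2012-05-08 17:15:31 31.170.163.130 urlQuery Client ET RBN Known Russian Business Network IP (204)",
    "2012-05-09 16:27:49 188.64.170.17 urlQuery Client ET RBN Known Russian Business Network IP (70)",
    "2012-05-09 16:28:02 203.0.113.5 urlQuery Client ET POLICY HTTP Request to .tk domain",  # constructed
]

if __name__ == "__main__":
    for alert, review in triage(SAMPLE_ALERTS):
        flag = "REVIEW" if review else "info"
        print(f"{flag:6} {alert.source_ip:15} {alert.signature} hits={alert.count}")
    print("sources to review:", sources_to_review(SAMPLE_ALERTS))
```

The parser deliberately skips the header row and any text that does not fit the layout, so it can be fed a whole pasted report; the review decision is by signature category only, which is the right first cut before looking at the hit count or the destination.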

Hi polonus :slight_smile:

htxp://www.mywot.com/en/scorecard/incognitorat.comuf.com

A post from that site:

Dareks67 05/08/2012 Malicious content, viruses

"This site is engaged in malware distribution. The site is listed on hpHost.
http://hosts-file.net/?s=Browse&f=EMD
Scam site."

AVG Threat Labs doesn't like this site at all, as it says:

Surf with caution: During the last 7 days potentially active threats were detected on a subdomain. However, no threats were detected on the main site.

htxp://www.avgthreatlabs.com/sitereports/domain/incognitorat.comuf.com/#analytics

Bitdefender reports it as:

htxp://trafficlight.bitdefender.com/info?url=http://incognitorat.comuf.com

As Dareks67 says on mywot:

This site is engaged in malware distribution. The site is listed on hpHost.

Anthony :wink:

Information from here: htxp://urlvoid.com/scan/incognitorat.comuf.com/

This proves that the additional IDS alerts that now come with the implementation of the Suricata /w Emerging Threats IDS will certainly add to threat detection.
This module has been added to the urlQuery.net scanner. This, together with the added External Threat module brought to the Zscaler Zulu URL Risk Analyzer,
could mean that less will be able to pass under the detection radar. Live Badmalweb has more examples of malcode being spawned from that
particular IP. As this scan shows how many resources did not flag the threat there: htxp://urlvoid.com/scan/incognitorat.comuf.com/
we need the heads-up on this.
Users that plan to visit a certain site for the very first time should really pre-scan their destination. Bitdefender TrafficLight, DrWeb's online check,
and the real-time M86 Security Secure Browsing extension could be a start and are known to have overlapping results.
That pre-scan could result in you staying one click away from a malcode mishap. If users aren't sure about some URL they can come here and post a
non-click-through version of the link, so we can check it. Post it with hxtp or wXw so that the unaware cannot get infected.

polonus
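The thread relies on non-click-through links (hxtp, htxp, wXw, "dot") so that nobody lands on a malicious site by accident. As an added example that is not part of the thread and not code from any of the scanners mentioned, here is a small Python helper that defangs a URL for posting (scheme becomes hxxp, dots in the host become [.]) and refangs the variants used in this thread so an analyst can feed the real URL to a scanner. The variant spellings it accepts (hxtp, htxp, hxxp, wXw, " dot ", [.], [dot]) are the ones seen in the posts above plus common analyst conventions; the sample URLs in the block are taken from the thread or constructed for the example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Scheme spellings seen in the thread (hxtp, htxp) and the common analyst form (hxxp).
SCHEME_RE = re.compile(r"\bh(?:xt|tx|xx)(ps?)(?=:)", re.IGNORECASE)
# "wXw" stands in for "www" in the thread.
WWW_RE = re.compile(r"\bw[xX]w\b")
# Dot replacements: " dot ", "[.]", "(.)", "[dot]".
DOT_RE = re.compile(r"\s+dot\s+|\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)


def refang(text: str) -> str:
    """Turn a non-click-through link back into the real URL (for scanner input only)."""
    text = SCHEME_RE.sub(lambda m: "htt" + m.group(1), text)
    text = WWW_RE.sub("www", text)
    return DOT_RE.sub(".", text)


def defang(url: str) -> str:
    """Make a URL safe to post: http(s) -> hxxp(s), dots in the host -> [.]."""
    parts = urlsplit(url)
    scheme = parts.scheme.replace("http", "hxxp") if parts.scheme else ""
    netloc = parts.netloc.replace(".", "[.]")
    return urlunsplit((scheme, netloc, parts.path, parts.query, parts.fragment))


def is_clickable(text: str) -> bool:
    """True if the text still contains a live http(s) scheme that a forum would auto-link."""
    return re.search(r"\bhttps?://", text, re.IGNORECASE) is not None


# Sample links: the first two are quoted from the thread, the last is constructed.
SAMPLES = [
    "htxps://www.virustotal.com/url/3e6677d53f4b9fdd4923abf97a2d30dc8de88b3f6195bf6e4c6280a3fadc0458/analysis/1336490009/",
    "productsonline dot us/09085E6Zy096.js",
    "wXw.example.com/landing?ref=1",  # constructed
]

if __name__ == "__main__":
    for s in SAMPLES:
        real = refang(s)
        print(f"posted:  {s}\nrefang:  {real}\nrepost:  {defang(real)}\n")
```

Keep refanged URLs inside the analysis tooling and post only the defanged form; `is_clickable` is a cheap check to run on a reply before it goes out.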

The site looks like it was taken down?