Where the avast shield beats normal avast detection.

Hi forum users,

To get an idea of the malware at this site see this Wepawet analysis: http://wepawet.iseclab.org/view.php?hash=82847082295d598b38c117f0a532fd9c&t=1305750098&type=js (or see attached)
Given benign there, it is not because of the script there (translates to ^iframe name=c10 src='-http:/g/), and the hidden iFrame is a detection for HTML files that contain hidden iframe elements that attempt to perform malicious actions on the computer.
-.-
But trying to scan the site at sucuri’s I got a JS:Packed-BA[Trj] flagged from the avast Webshield.
-.-
SOS webscan found: We found 1 virus attack url(s) at this website.
htxp://thebestyoucanfind.cn:8080/ts/in.cgi?pepsi3
-.-
Site detected by Trend Micro Site Safety Center as dangerous
The site it links to is also dangerous, see: http://www.urlvoid.com/scan/gogo2me.net
Also read this write up on the Hidden Iframe Injection (article source: Unmasked Parasites Blog developer):
http://blog.unmaskparasites.com/2009/01/14/gogo2me-hidden-iframe-injection/

Here is the VT detection of the link: http://www.virustotal.com/url-scan/report.html?id=82847082295d598b38c117f0a532fd9c-1305742380
and
VT file scan with avast’s detection as HTML:Illiframe: http://www.virustotal.com/file-scan/report.html?id=f5ee636d80a7990b84df0c64df74eaeafbf3361cbd4b8191696cd6552fe10aa9-1305750091
Team-CYMRU.org says 40% detected malware, see:
source: https://www.vicheck.ca/md5query.php?hash=ff22e089066d6452204347fe39ebd706

polonus

[OT]

Hi pol,
could you please post larger screenshots, the tiny ones (320x240) aren’t readable. :wink:
Thanks,
asyn

Hi Asyn,

Well the wepawet search link gave you the bigger picture anyway…

Another time where I was beaten by the Webshield was here:

Checking: htxp://mcinternational.ro

htxp://mcinternational.ro/Script.0 infected with JS.Redirector.64 DrWeb flag
htxp://mcinternational.ro/Script.1 infected with JS.Redirector.64 idem

htxp://mcinternational.ro/Script.10 infected with JS.Click.217 idem
htxp://mcinternational.ro/Script.11 infected with JS.Click.217 idem

When I tried to open the main site in jsunpack, the Webshield disconnected on blocking the following Trojan Horse: JS:Illredir-CJ[Trj]
The same happened when trying to scan the malware link with http://sitecheck.sucuri.net/scanner/: Trojan Horse JS:Illredir-CJ[Trj]

See the VT scan: http://www.virustotal.com/file-scan/report.html?id=a401a820c01e83fe7ef636c5c15d44a02bbe21319425056734e36e52dffd7fd5-1305930093
where avast detects JS:IFrame-AQ

polonus

Hi polonus,

I have a question for you. What do you mean by “virtual machine?” (You typed, “…and use a virtual machine and be safe(r)!”) I feel kind of stupid asking, but I don’t know what a virtual machine is! :-X

Google is your friend; give it a whirl and search for “virtual machine” and you would have found this as the result at the top of the list: http://en.wikipedia.org/wiki/Virtual_machine.

Ohh! Thank you, DavidR!

I think I have an idea of what this is. Is it similar to the concept of “virtual keyboards” that certain sites have? I know people that absolutely hate virtual keyboards... but... man, if I could use one daily for entering in passwords and sensitive info, I definitely would.

I know, but what’s the reason to post a screenshot then, anyway…??
Btw, I meant that for all of your screenshots, as they’re usually too small to read. :wink:
Thanks and please don’t be angry,
asyn

Not really, it isn’t the same, but virtual would apply in that sense: the keyboard doesn’t physically exist.

Virtual keyboards such as the Windows On-Screen Keyboard: press Windows key + R and type OSK and you will see it. That however doesn’t stop some keyloggers from being able to capture that input.

Ah, I see. I will keep reading about the virtual machine concept. From what I’ve read, I like where it’s going. I feel like a schmuck, 'cause I had no idea that one could run a Windows virtual keyboard; at first, I thought it sounded great, but then you said that it doesn’t stop some keyloggers. Given that the virtual keyboard doesn’t stop some keyloggers, would it be useless for me to use?

The avast SafeZone (only in the avast Pro and AIS paid versions) would protect against keyloggers when using on-line banking, private sites, etc. It gives an isolated desktop and uses a different dedicated browser (a Chromium variant designed/modified by avast). It is this isolation that protects against keyloggers, etc.

I think I may invest in Avast Pro. :expressionless:

You won’t regret :slight_smile:

He will regret, as AIS is even better. :wink:

Caught me ;D

Did I win anything…? ;D

@Asyn,

I will try to crop the image contents better so the size fits the allowed size of the attachment, bit of a prob for me sometimes.

@lareinatortura

Sandboxing and using a VM is always a risky thing where malware/suspicious content is concerned: malcode can get out, malcode can spill over and infect.
Always scan your “users” file fully with avast whenever using a sandboxed proggie/proxy like sandboxie/malzilla etc. (so only for the security aware users, with ample script protection (script blockers), and even then with the utmost of care…)

This is why so-called “cold” reconnaissance (non-direct scanning through online scanners, looking up VT MD5 hashes and malware write-ups and online analyses) is a by far more secure way of getting to this information.

A VM should be on a stand-alone computer in special lab settings and not connecting to the Internet. Script protection helps a lot when looking up sites with jsunpack (only for the security aware and with loads of precautions taken - never give direct links there, only hxtp: etc.); these scans are for security aware users, and sometimes the avast shields will disconnect after you gave in the scan link. A VM might give unaware users even a false sense of security, so you should have control over the script that runs, or make sure it cannot run at all through a script blocker (NotScripts/NoScript), and over the requests that are being made (RequestPolicy blocking); and still I would prefer to get the info from third-party scanning like SOSWebScan, URLVoid, MonkeyWrench.de url scan, Wepawet, Anubis, the combined search-up via google, vicheck.ca md5hash query, malware domain query, iFrame scan, rather than opening up a suspicious url via malzilla.

And even then all this scanning is not for the unaware or the faint-hearted. Take care: the best method is to just give in a suspicious link and never click, and watch in the google result page what for instance BitDefender Traffic Lights, webrep or analysis sites come up with; shun the reds, or give in the url here:
http://online.us.drweb.com/?url=1 or http://www.webutation.net/go/review/
Well understand that you have to combine all sorts of resources to get a full and complete picture of the security of the link at hand. What Norton Safe Web does not flag, unmasked parasites may alert to (all on URLVoid); what sucuri cannot find, Dasient might have a write-up on; what you do not find at Anubis, you may find at VT, etc. etc. And then the threat landscape is soon to change completely: malware domains are taken down even by the malcreants themselves, malicious IPs are transmigrated, links are no longer up and obfuscation has renewed old malware (“like with new wine but still in the old sacks”, so to say), new versions of the same malware may be created randomly etc. etc. Malcreants are known to use every trick in the book and even those not earlier thought of…

Code is best presented as a gif image, and everybody that has read the above txt now knows why, and even script presented in another way without payload and partly given or munged can trigger an alert. Well, so much so far; do some hunting and find some nice resources, all to help better avast detection. Also you understand now that every questionable (probably suspicious or malicious) link should be presented in a way that the unaware cannot click on it and get infected, so - hxtp or -http or wXw etc.

polonus
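Two of the defensive points in this thread can be shown in working code: the "hidden iframe" heuristic that the Wepawet/avast detections in the first post describe (an iframe that is sized to 0/1 pixel or hidden via style), and the advice just above to present suspicious links in a form the unaware cannot click. The following is an added example, not code from polonus or from avast/Wepawet; the hiding conditions it checks, the "hxxp"/"[.]" defang convention, and the sample HTML (with reserved `.invalid` hostnames) are all constructed for illustration.

```python
"""Added example: flag hidden iframes in an HTML page and defang the URLs
they point to, so a report can be shared without live, clickable links.
All sample HTML and hostnames below are constructed for this example."""
import re
from html.parser import HTMLParser

# Style tricks commonly used to keep an injected iframe invisible (assumption:
# this list is illustrative, not the full heuristic any particular scanner uses).
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:left|top)\s*:\s*-\d{3,}px",  # pushed far off-screen
    re.I,
)


def _is_zero_size(value):
    """True for width/height such as 0, 0px, 1, 1px (the classic 1x1 frame)."""
    if value is None:
        return False
    m = re.fullmatch(r"\s*(\d+)\s*(?:px)?\s*", value)
    return m is not None and int(m.group(1)) <= 1


class HiddenIframeFinder(HTMLParser):
    """Collect iframes whose attributes suggest they are meant to be invisible."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        if _is_zero_size(a.get("width")) or _is_zero_size(a.get("height")):
            reasons.append("zero/1px size")
        if _HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} dicts for every suspicious iframe."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.findings


def defang(url):
    """Rewrite a URL so it is not clickable: http -> hxxp, dots in host -> [.]."""
    m = re.match(r"^(https?)://([^/]+)(.*)$", url, re.I)
    if not m:
        return url.replace(".", "[.]")
    scheme, host, rest = m.groups()
    return "hxxp" + scheme[4:].lower() + "://" + host.replace(".", "[.]") + rest


# Constructed sample page: one ordinary ad frame and two hidden frames.
SAMPLE_HTML = """<html><body>
<p>Welcome to the constructed example site.</p>
<iframe src="http://ads.example.invalid/banner" width="300" height="250"></iframe>
<iframe name="c10" src="http://bad.example.invalid/g/" width="0" height="0"></iframe>
<IFRAME src="http://other.example.invalid/in.cgi" style="visibility:hidden;position:absolute"></IFRAME>
</body></html>"""


def report(html=SAMPLE_HTML):
    """(defanged src, reasons) for each hidden iframe; safe to paste in a post."""
    return [(defang(f["src"]), f["reasons"]) for f in find_hidden_iframes(html)]


if __name__ == "__main__":
    for src, reasons in report():
        print(src, "-", ", ".join(reasons))
```

Run it on a saved copy of a page (never on a live fetch from an unprotected machine) and it lists only the frames that are sized away or styled invisible, with every URL already defanged; the visible 300x250 frame in the sample is not reported.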

Hi polonus,

Wow! That is a lot to take in all at once! I have saved the information you have given me in your previous post, with the intention of reading over it again. I want to become a more knowledgeable and responsible user. I think that every bit of information you have given me so far will eventually help me get to where I want to be.

Thank you! : )

Thanks, pol…!
I appreciate it. :slight_smile:
Have a nice sunday,
asyn