Why does Avast not block this live Spybot worm as a malicious URL?? [Solved]

see: http://zulu.zscaler.com/submission/show/bee700ca8cb020f8f0547851aa455b04-1346683071
and: http://www.virustotal.com/file/dddaa9df73a942b380e2fde5228872fece5bdc5636db955ba812c9b8e790b234/analysis/

though this might be quite old:
First seen by VirusTotal
2009-11-12 11:05:42 UTC ( 2 years, 9 months ago )

It's a live threat and we don't have a Network Shield block here… :frowning:

There are actually three malware URLs that spread active malware from there:
This one caught by avast: https://www.virustotal.com/file/917339435a463b5a3395665080bfd18212566b2597659fe0cc49b6ee579ea26e/analysis/
This one caught by avast: https://www.virustotal.com/file/65d483787e96f7ed29d9f5034362f67e46bfe4228110bd81299cb17fdcc60524/analysis/
and this one, also caught by avast: https://www.virustotal.com/file/78a85e1415dbb27f3c3756354da40cf6e18b97c08a1e9e46f6cce49d97a8047a/analysis/
The remainder have been closed or are dead malware… the longest one online was for 629.8 hrs.
See for detection of the executable you gave: http://f.virscan.org/rmfixit.exe.html
See: https://www.virustotal.com/file/dddaa9df73a942b380e2fde5228872fece5bdc5636db955ba812c9b8e790b234/analysis/
DrWeb has an excellent detection rate for this one…
Must be a golden oldie: http://www.threatexpert.com/report.aspx?md5=f1ba3866e0fbce5329283f16aa739c23
But the probable reason why avast does not flag it is that it is a PUP detection.
Probably when run avast will alert to it as a PUP,

polonus

Hi Pol,
I guess it is practically useless to detect this very old malware with signatures… A URL block is better IMO :slight_smile:

Hi true indian,

You are beginning to amaze me, an IP block proposition for an online-payment site? Good for some Chinese animosity I guess!
Good you edited that suggestion out; the second suggestion won't work either.
Better if they do a clean-up there at that server, and they can, as some malware was closed after 45 minutes.
Here the Anubis Analysis of the alleged malware you reported: http://anubis.iseclab.org/?action=result&task_id=1468c0c0437c4a0b4f1b82842f7edbf3f&format=html
Has a file handle leak in \comctl32.dll, heap corruption by string destructor in MSVCR80.dll, an error that comes with \Framework\v4.0.30319\mscoreei.dll,
Neosploit code in shell folders…
This sets it out as being a PUP: HKLM\Software\Classes\CLSID\{dd313e04-feff-11d1-8ecd-0000f87a470c}\InProcServer32
Oh and here is the Autonomous System mug report:
AS Name: CHINANET-BACKBONE No.31,Jin-rong Street
IPs allocated: 113033184
Blacklisted URLs: 12195

Hosts…
…malicious URLs? Yes
…badware? Yes
…botnet C&C servers? Yes
…exploit servers? No
…Zeus botnet servers? Yes
…Current Events? Yes

polonus

Hi true indian,

Next time establish the facts before posting, please.
Anyway, the request did not return any content with a file viewer in the browser… so it must be blocked,
and yes, when you download it you get an avast alert - download seems to be dangerous.
So we are being protected.

polonus

Pol,
I meant a URL block, as I specified in my previous post, not an IP block… :wink:

Probably you misunderstood my statement.

Hi true indian,

How do you do a URL block with 12195 blacklisted URLs? Do you see the practicality of it? And in the case of a PUP, a sandbox alert accompanied by a red traffic sign seems a much better option. Those that want the PUP, know what they are up against and want to install it intentionally will go on with the download and run it; others will undo the download and go on without the PUP.
After considering the whole procedure, don’t you think that is not a far better proposition? I think I know the answer,

polonus

Yep! You are better than me in these fields, my friend :wink: