Why do I get a firekeeper warning here?

Hi malware fighters,

I tried to go here: http://sites.google.com/site/skywarnke/home/huna

=== Triggered rule ===
alert (msg:"The address you tried to access points to a Malware. Please visit http://www.malwarepatrol.net for more information"; url_content:"http://sites.google.com/"; reference:url,www.malwarepatrol.net; fid:141412; rev:20100704123354;)

=== Request URL ===
http://pmw90687.surfcanyon.com/queryReformulation?partner=wot&authCode=pmw90687&format=jsonp&callback=contentscript.callback1&q=htxp://sites.google.com/site/skywarnke/home/huna
"contentscript.callback1({ "data": })"

Is this real or an FP?
Or is it because of this: http://www.unmaskparasites.com/web-page-options/?url=http%3A//www.gstatic.com/sites/p/6d2a73/system/js/jot_min_view__en.js
And specifically: httxp://sites.google.com/site/skywarnke/_/tz?jot.xtok=undefined&afjstz=wg-3Cr1g-78r1g-3Cr2g-78r6g-3Cr1g-78r1g-3Cr1 (What is this?) Apparently it is in Google Chromium code: chrome://net-internals/
t=51622833: +URL_REQUEST_START [dt=0]
Recently completed requests (chrome://net-internals/urlrequest.recent)
http://dev.chromium.org/_/tz?jot.xtok=undefined&afjstz=wg0r1g-3Cr1g0r2g-3Cr6g0r1g-3Cr1g0r1

Here it is all found benign: http://jsunpack.jeek.org/dec/go?report=bcdd6d2eec14f7be366a713ff4ad8be6fba81194

polonus

URLVoid - hxxp://sites.google.com/site/skywarnke/home/huna

Report 2010-06-15 14:14:19 (GMT 1)
Website sites.google.com
Domain Hash 141924ecb471a6e0c70732bd329da5f5
IP Address 209.85.229.102 [SCAN]
IP Hostname ww-in-f102.1e100.net
IP Country US (United States)
AS Number 15169
AS Name GOOGLE - Google Inc.
Detections 2 / 18 (11 %)
Status SUSPICIOUS

Scanning site with: BrowserDefender CLEAN
Scanning site with: Finjan DETECTED
Scanning site with: Google Diagnostic CLEAN
Scanning site with: hpHosts CLEAN
Scanning site with: Malware Patrol DETECTED
Scanning site with: MalwareDomainList CLEAN
Scanning site with: McAfee SiteAdvisor CLEAN
Scanning site with: McAfee Trusted Source CLEAN
Scanning site with: MyWOT CLEAN
Scanning site with: Norton SafeWeb CLEAN
Scanning site with: ParetoLogic URL Clearing House CLEAN
Scanning site with: PhishTank CLEAN
Scanning site with: SURBL CLEAN
Scanning site with: Threat Log CLEAN
Scanning site with: TrendMicro Web Reputation CLEAN
Scanning site with: URIBL CLEAN
Scanning site with: Web Security Guard CLEAN
Scanning site with: ZeuS Tracker CLEAN

NoVirusThanks - CLEAN
http://scanner.novirusthanks.org/analysis/2997a9d37ff8e72de50ae5cda20754f7/aHVuYQ==/

Hi Pondus,

Funny, at the Finjan URL checker it now comes up as: “The requested URL was analyzed and found legitimate.”

polonus

Hello,

From what I have found, the Malwaredomainlist guys have added “sites.google.com” to their hosts list of sites which should be blocked. You can check it here: http://www.malwaredomainlist.com/hostslist/hosts.txt

So it is not specifically about hxxp://sites.google.com/site/skywarnke/home/huna, but about sites.google.com in general.

And Firekeeper uses mdl’s block list.

nmb

Hi nmb,

Good analysis, my friend; yes, this is the list in Firekeeper: the Malware Patrol block list… from malware.com.br
Maybe you could make a list of new threats to use there. Do you know the rule syntax? http://firekeeper.mozdev.org/rule_syntax.html (like Snort’s, but different); example: http://firekeeper.mozdev.org/default_rules.txt

Enter this into the search box:
And see it blocked as:
=== Triggered rule ===
alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html; reference:url,http://en.wikipedia.org/wiki/Cross-site_scripting;)

=== Request URL ===
http://www.google.com/search?hl=en&q=<script>hxxp%3A%2F%2Ffeed.peakclick.com%2Fres.php%3Fpin%3Dd0..67%26id%3D1%26keyword%3Disc%26num%3D3+%26utf%3D1%26ref%3Dhxxp%3A%2F%2Foriginal_site<%2Fscript>&btnG=Search

polonus
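Added example (not from this thread, and not Firekeeper's own code): a small Python evaluator for the two rule options that appear in the rules quoted above, url_content (with the nocase modifier) and url_re, run against request URLs modelled on the ones in the thread. It assumes Snort-like semantics (nocase applies to the preceding url_content, and all match options are ANDed) and shows why the Malware Patrol rule fires on any request whose URL merely contains "http://sites.google.com/", the surfcanyon lookup included, whereas a host-based check would not.

```python
import re
from urllib.parse import urlsplit

# The two rules quoted in this thread, with straight quotes (the XSS rule's msg is as the forum rendered it).
RULES = {
    "mdl_sites_google": 'alert (msg:"The address you tried to access points to a Malware. Please visit '
    'http://www.malwarepatrol.net for more information"; url_content:"http://sites.google.com/"; '
    'reference:url,www.malwarepatrol.net; fid:141412; rev:20100704123354;)',
    "xss_script_tag": 'alert(url_content:"%3CSCRIPT"; nocase; msg:" tags GET request cross site scripting '
    'attempt"; url_re:"/%3Cscript.*%3E/i"; reference:url,http://ha.ckers.org/xss.html;)',
}
# One option: keyword, optional ':' value (quoted or bare), terminated by ';'. A bare 'nocase;' has no value.
OPTION = re.compile(r'\s*(\w+)(?:\s*:\s*(?:"([^"]*)"|([^;]*?)))?\s*;')

def parse_rule(rule):
    """Options inside alert(...) as (keyword, value) pairs; modifiers such as nocase get value None."""
    body = rule[rule.index("(") + 1 : rule.rindex(")")]
    return [(m[1], m[2] if m[2] is not None else m[3]) for m in OPTION.finditer(body)]

def rule_matches(rule, url):
    """Assumed Snort-like semantics: nocase modifies the preceding url_content; all url_content/url_re options must match (AND)."""
    opts = parse_rule(rule)
    results = []
    for i, (key, val) in enumerate(opts):
        if key == "url_content":
            nocase = i + 1 < len(opts) and opts[i + 1][0] == "nocase"
            hay, needle = (url.lower(), val.lower()) if nocase else (url, val)
            results.append(needle in hay)  # plain substring test, anywhere in the URL
        elif key == "url_re":
            pattern, flags = re.fullmatch(r"/(.*)/([a-z]*)", val).groups()
            results.append(re.search(pattern, url, re.IGNORECASE if "i" in flags else 0) is not None)
    return bool(results) and all(results)

def triggered_rules(url):
    return [name for name, rule in RULES.items() if rule_matches(rule, url)]

def host_is_blocked(url, blocked_hosts=("sites.google.com",)):
    """Stricter alternative: only the request's own host counts, so a third-party URL that merely
    carries sites.google.com in its query string (the surfcanyon lookup above) does not fire."""
    return urlsplit(url).hostname in blocked_hosts

# Constructed sample requests modelled on the ones in this thread (defanging removed).
DIRECT = "http://sites.google.com/site/skywarnke/home/huna"
VIA_SURFCANYON = ("http://pmw90687.surfcanyon.com/queryReformulation?partner=wot&format=jsonp"
                  "&q=http://sites.google.com/site/skywarnke/home/huna")
SEARCH_MENTION = "http://www.google.com/search?hl=en&q=sites.google.com+skywarnke"
ENCODED_TAG = "http://www.google.com/search?hl=en&q=%3Cscript%3Etest%3C%2Fscript%3E"

for u in (DIRECT, VIA_SURFCANYON, SEARCH_MENTION, ENCODED_TAG):
    print(triggered_rules(u), "host blocked:", host_is_blocked(u), u)
```

The surfcanyon URL trips the substring rule only because the blocked address is echoed in its q= parameter; the host check makes that distinction visible.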

Yes,

Firekeeper uses malware.com.br’s list. And it has sites.google.com.

Thanks for the rule tut. :wink:

nmb