Why missed by so many scanners?

Viruses and worms
1

Flagged here: http://app.webinspector.com/public/reports/show_website?site=http%3A%2F%2Fwww.3gu.im
as infested with Trojans and suspicious code. Bitdefender and Fortinet block…
No flag: https://www.mywot.com/en/scorecard/3gu.im & http://sitecheck.sucuri.net/scanner/?scan=http%3A%2F%2Fwww.3gu.im
& http://killmalware.com/www.3gu.im/# & http://urlquery.net/report.php?id=1398785720661
& http://quttera.com/detailed_report/www.3gu.im

Badness history on IP: https://www.virustotal.com/nl/ip-address/94.23.235.204/information/

Has Pleskin been compromised because of htxp://3gu.im//pagead2.googlesyndication.com/pagead/show_ads.js/
Google Adsense installed: ca-pub-5510371891405740
404 Not Found
Content-Length: 303
Content-Type: text/html
clean
There is an external link to a PHISH: static.ak.fbcdn dot net

Found suspicious Javascript check: Suspicious
script type=“text/javascript”>document.write(unescape(“%3cscript src=%27htxp://s10.histats.com/js15.js%27 type=%27text/javascript%27%3e%3c/script%3e”)); <a href="http://w
GET /js15.js HTTP/1.1
Host: s10.histats dot com

This was flagged as trojan: wXw.3gu.im/lajmett/this-street-musician-was-tipped-by-a-girl-what-happened-next-blew- (…)
TrojWare.JSTrojanClicker.FbLikerA flagged.

polonus

2

VirusTotal
https://www.virustotal.com/nb/file/c68cd955e5454b2f9cf38b282a177a1714696467b6ef475dea848417bcfdcf61/analysis/1398787642/

jotti
http://virusscan.jotti.org/en/scanresult/78c9919cf90782aee6dae59654be475595554c59

Metascan
https://www.metascan-online.com/en/scanresult/file/9246b2d0164c4224bba9e593bfa8b7d1

3

Hi Pondus,

You are quite right, avast! Webshield detects site|{gzip} as JS:Cklickjack-H[Trj]
We are being protected!

pol

P.S. Read about that attack: http://javascript.info/tutorial/clickjacking link author = Ilya Kantor

4

I wonder why Kaspersky does not detect this? :o

5

Because Avast is better 8)

6

Hi Steven Winderlich,

avast! is very good in these respects. DrWeb also fails here.
Maybe the code to be detected was no longer available,
Kaspersky’s certainly knew about the malware and what code to look for,
see: http://forum.kaspersky.com/lofiversion/index.php/t55570.html

pol

7
Maybe the code to be detected was no longer available,
i just downloaded the code and scanned it 2014-04-29 16:07:22 UTC ( 38 minutter siden )

No AV have 100% detection … and soon KS will also detect

8

So they have to be aware and also those that secure websites: [quote]Clickjacking is easy to implement. As far as there is an action on your site that can be done with a single click - it may be clickjacked.[quote] quote taken from the summary of Ilya Kantor’s article - link given earlier.

pol