If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rating: | Display Modes |
#31
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 19:56:12 +0000 (UTC)
jan wrote: On Tue, 17 Sep 2013 19:44:39 +0000, jan wrote: VirusTotal results were problematic because it didn't tell you that the primary URL redirected you to a secondary URL. Neither did the Google diagnostic scan. Luckily, the other two did. Given that, how does this look for our recommended Windows/Linux/Mac freeware sites to bookmark for future scanning of suspect URLs? (In priority order): 1. http://zulu.zscaler.com 2. http://wepawet.iseclab.org 3. https://www.virustotal.com/en-gb/#url 4. http://google.com/safebrowsing/diagn.../path/file.htm I would say just the first two, and then even take the results with a grain of salt. If I'm not mistaken, the VT one is expecting the URL to be a file to download and check for malware - not a URL to check out by rendering HTML, interpreting JavaScript, and following links. Also I'm under the impression that the Google one is a reputation based lookup table. |
Ads |
#32
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 16:15:06 -0400
"...winston" wrote: jan wrote: Is there a way to test a website for malware without going to it? Recently a family member had their mail account hijacked where an email was sent to all their contacts, including me, and it contained a link to the web site below: http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash 876569 dot php Some of the family members actually clicked on the link, and found it to be a green-coffee bean advertisement, and then they asked *me* if it contained a virus. (The Mac & Windows users asked, not the Linux users.) I knew enough not to click on the site but now I need to know *how* to tell if the site contains malware. Is there freeware I can hand this URL to that will check it out for malware payloads? That 'Green coffee bean' ad has been floating around for some time across a bevy of different isp email addresses. Not all originate from the senders email address, some with forged headers, some from harvesting addresses from one of the faked sender's contacts (i.e. the sender may not be compromised but one of their contacts)...the list goes on. I also noticed a reference to a GPS locator function which seemed suspicious to me, but I have seen such ads using GPS to customize the ad to the visitor's location. For instance the old earn money now just like this person did (an address in your own home town) scam ad. |
#33
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 21:22:57 +0000, ~BD~ wrote:
You are mistaken, FTR - VT fulfils BOTH functions! https://www.virustotal.com/en-gb/#url It does. At first, with all scripts blocked, VT didn't even show the URL form; but once I unblocked scripts, the form came up for pasting in a URL. Still, VT wholly missed the redirect, so, it can be used as a backup (once you already know there is a redirect); but it can't be (reliably) used as a primary scan. |
#34
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 21:22:57 +0000 (UTC)
~BD~ wrote: FromTheRafters wrote: On Tue, 17 Sep 2013 18:50:08 +0000 (UTC) jan wrote: On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote: zulu.zscaler or wepawet would be a better choice Trying just http://zulu.zscaler first ... Given this original suspected URL: aochi dot hideo dot perso dot neuf dot fr slash 876569.php I pasted that into http://zulu.zscaler.com where the first problem I had was nothing worked, so I had to again turn off all my script blockers. Then, I tried to answer the zulu.zscaler "user agent" question. However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the options, so I picked Firefox 8, which was the closest available. I didn't know what to put for the "Referrer" so I left it blank. The results for the primary URL came up as "5/100 (Benign)". a. This URL has been analyzed by Zulu in the past b. Analyzed on: 09/17/2013 at 18:33 GMT c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily) d. IP Address: 86.65.123.70, Country: France e. Netblock size has size 511 Well, at least *that* site figured out there was a redirect involved, so, this is better than virustotal (which didn't figure that out). Then I repeated this with the secondary URL (the coffee page): greencoffee dash fat dash loss dot com ?20/12 That was red flagged as 100/100 Malicious IP Address: 46.249.59.209 located in the Netherlands a. Blacklisted in multiple real-time domain blocklists b. Blacklisted in multiple real-time domain blocklists c. Netblock size has size 255 d. IP address has been identified as risky by one/more sources So far, here's my observations: A. VirusTotal = not the best choice because it doesn't know about the redirect B. Zule.Scaler = a better choice because it at least tells you about the redirect C. I will try wepawet next VT should not have been suggested in the first place since it isn't what the OP asked for but is instead a file submission scanner. You are mistaken, FTR - VT fulfils BOTH functions! I see that now, thanks. |
#35
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote:
I'm no expert, Jan, but I don't think Mac or Linux users need be too concerned if they had clicked on the link. Hi Dave, I always understood why a Windows PC is very vulnerable (mainly because there are no protections against root execution), but, you can still load a user-run virus onto Mac & Linux, can't you? This has always eluded me as to why virus writers don't write programs that drop into, say, your home directory, and which execute as the user. They could still log keystrokes, websites, take files that the user has permission for (which is most if not all their data files), etc. So, I just don't get how a Linux/Max user would be protected all that much more than a Windows user (other than root privileges). Can't a virus do damage executing as the current user? (Certainly I can do a "rm -r *" and that would be devastating to my data.) |
#36
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 22:23:46 +0000 (UTC)
jan wrote: On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote: I'm no expert, Jan, but I don't think Mac or Linux users need be too concerned if they had clicked on the link. Hi Dave, I always understood why a Windows PC is very vulnerable (mainly because there are no protections against root execution), but, you can still load a user-run virus onto Mac & Linux, can't you? This has always eluded me as to why virus writers don't write programs that drop into, say, your home directory, and which execute as the user. They could still log keystrokes, websites, take files that the user has permission for (which is most if not all their data files), etc. So, I just don't get how a Linux/Max user would be protected all that much more than a Windows user (other than root privileges). Can't a virus do damage executing as the current user? (Certainly I can do a "rm -r *" and that would be devastating to my data.) They mostly only need root or admin tokens to obtain stealth and/or persistence. |
#37
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On 2013-09-17, FromTheRafters wrote:
On Tue, 17 Sep 2013 22:23:46 +0000 (UTC) jan wrote: On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote: I'm no expert, Jan, but I don't think Mac or Linux users need be too concerned if they had clicked on the link. Hi Dave, I always understood why a Windows PC is very vulnerable (mainly because there are no protections against root execution), but, you can still load a user-run virus onto Mac & Linux, can't you? This has always eluded me as to why virus writers don't write programs that drop into, say, your home directory, and which execute as the user. They could still log keystrokes, websites, take files that the user has permission for (which is most if not all their data files), etc. So, I just don't get how a Linux/Max user would be protected all that much more than a Windows user (other than root privileges). Can't a virus do damage executing as the current user? (Certainly I can do a "rm -r *" and that would be devastating to my data.) They mostly only need root or admin tokens to obtain stealth and/or persistence. They don't need admin for persistence (eg: using @reboot in crontab) -- ⚂⚃ 100% natural --- news://freenews.netfront.net/ - complaints: --- |
#38
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On 19 Sep 2013 07:56:56 GMT
Jasen Betts wrote: On 2013-09-17, FromTheRafters wrote: On Tue, 17 Sep 2013 22:23:46 +0000 (UTC) jan wrote: On Tue, 17 Sep 2013 19:59:25 +0000, ~BD~ wrote: I'm no expert, Jan, but I don't think Mac or Linux users need be too concerned if they had clicked on the link. Hi Dave, I always understood why a Windows PC is very vulnerable (mainly because there are no protections against root execution), but, you can still load a user-run virus onto Mac & Linux, can't you? This has always eluded me as to why virus writers don't write programs that drop into, say, your home directory, and which execute as the user. They could still log keystrokes, websites, take files that the user has permission for (which is most if not all their data files), etc. So, I just don't get how a Linux/Max user would be protected all that much more than a Windows user (other than root privileges). Can't a virus do damage executing as the current user? (Certainly I can do a "rm -r *" and that would be devastating to my data.) They mostly only need root or admin tokens to obtain stealth and/or persistence. They don't need admin for persistence (eg: using @reboot in crontab) Also they don't need admin if they get restarted by infecting a program with code to restart the rest of the program, or if they are viral in nature. |
#39
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
FromTheRafters wrote:
Does VT follow links? What did they think of hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js C:\Users\Grahamwget http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js --2013-09-20 17:07:03-- http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js Resolving aochi.hideo.perso.neuf.fr... 86.65.123.70 Connecting to aochi.hideo.perso.neuf.fr|86.65.123.70|:80... connected. HTTP request sent, awaiting response... 404 Not Found 2013-09-20 17:07:05 ERROR 404: Not Found. -- They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety. - Ben Franklin |
#40
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Fri, 20 Sep 2013 17:08:26 -0500
G. Morgan wrote: FromTheRafters wrote: Does VT follow links? What did they think of hxxp://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js C:\Users\Grahamwget http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js --2013-09-20 17:07:03-- http://aochi.hideo.perso.neuf.fr/js/jquery-1.8.2.min.js Resolving aochi.hideo.perso.neuf.fr... 86.65.123.70 Connecting to aochi.hideo.perso.neuf.fr|86.65.123.70|:80... connected. HTTP request sent, awaiting response... 404 Not Found 2013-09-20 17:07:05 ERROR 404: Not Found. Limited time offer I guess. It had some mildly obfuscated JS and other links to follow with "random" data appended to the passed values. I didn't have the time, nor the programs I need to follow it further. I'm pretty sure it was just an advertisement scam. It looks like Google added their website reputation thing to VT, so I was just wondering what they/it thought of the JS page. |
Thread Tools | |
Display Modes | Rate This Thread |
|
|