If this is your first visit, be sure to check out the FAQ by clicking the link above. You may have to register before you can post: click the register link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. |
|
|
Thread Tools | Rating: | Display Modes |
#16
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 15:12:23 +0000, FromTheRafters wrote:
So, what's the verdict? The results are weird. If you paste the original URL into the virustotal site, it comes back as clean. However, if you then physically GO to the original URL, you find that the php script re-directs you to a secondary URL. If you then paste that secondary URL into the virustotal site, it comes back as dealing with malware. Is it just me or does something seem wrong with this sequence? Do I actually have to *visit* the site in order to find the URL in order to give virustotal that URL so that it can tell me that I shouldn't have visited the site after all? Or, did I do something wrong? |
Ads |
#17
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 16:49:44 +0000, ~BD~ wrote:
Detection ratio 3/39 Can you not see that at my link? Hi Dave, I did visit your link, and I ran the test myself, which showed the following: a. BitDefender Malware site b. Sophos Malicious site c. Websense ThreatSeeker Malicious site d. CLEAN MX Suspicious site But, I'm not sure what that means, to me, and I'm definitely unclear what to tell my siblings who had clicked on the link. What does this mean, to a Mac/Windows/Linux user? |
#18
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote:
The obfuscation is to hide its spamminess not its maliciousness. This makes sense because the original URL looked like it was constructed probably so that it could be easily changed to appear unique to the AOL spam filters (the hacked address was an AOL address). The original address ended with PHP, so, my guess is that it was a script, that pointed the user to the final destination (which was the coffee-bean web page). The VT results are worthless... I have to tend to agree (for the most part) with you, because the virustotal scanner said the initial URL was clean; but, if we went to the trouble of actually *visiting* the initial URL, it redirects us to the secondary url, which virustotal finds has 4 malware red flags. So, VT "worked" but only *after* I was forced to visit the site (Yes, I know BD visited it for me - but - really - shouldn't the VT scanner have been more intelligent (and not give a false negative result)? I'll try those other two sites now, and report back. |
#19
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote:
zulu.zscaler or wepawet would be a better choice Trying just http://zulu.zscaler first ... Given this original suspected URL: aochi dot hideo dot perso dot neuf dot fr slash 876569.php I pasted that into http://zulu.zscaler.com where the first problem I had was nothing worked, so I had to again turn off all my script blockers. Then, I tried to answer the zulu.zscaler "user agent" question. However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the options, so I picked Firefox 8, which was the closest available. I didn't know what to put for the "Referrer" so I left it blank. The results for the primary URL came up as "5/100 (Benign)". a. This URL has been analyzed by Zulu in the past b. Analyzed on: 09/17/2013 at 18:33 GMT c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily) d. IP Address: 86.65.123.70, Country: France e. Netblock size has size 511 Well, at least *that* site figured out there was a redirect involved, so, this is better than virustotal (which didn't figure that out). Then I repeated this with the secondary URL (the coffee page): greencoffee dash fat dash loss dot com ?20/12 That was red flagged as 100/100 Malicious IP Address: 46.249.59.209 located in the Netherlands a. Blacklisted in multiple real-time domain blocklists b. Blacklisted in multiple real-time domain blocklists c. Netblock size has size 255 d. IP address has been identified as risky by one/more sources So far, here's my observations: A. VirusTotal = not the best choice because it doesn't know about the redirect B. Zule.Scaler = a better choice because it at least tells you about the redirect C. I will try wepawet next |
#20
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 17:19:50 +0000, ~BD~ wrote:
It *may* mean that most AV companies are slow off the blocks ..... OR that the detections found are 'false positives'. Does this help you? As the OP, I'm thankful you guys provided at least three web based malware scan sites which purport to analyze a URL. 1. https://www.virustotal.com/en-gb/ 2. http://zulu.zscaler.com 3. http://wepawet.iseclab.org Paradoxically, the VirusTotal seemed to give the most information, but, only after actually visiting the primary link in order to obtain the secondary link, which was reported as malware (mostly based on blacklists it seemed). The next two, Zulu and wepawet at least figured out there was a redirect. Zulu.Zscaler clearly flagged the secondary URL as malicious, while WepaWet deemed it only suspicious. So, clearly these are sites you don't want to visit, but, I'm not quite so sure whether malware is actually involved or just spamming. |
#21
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 19:01:27 +0100, p-0''0-h the cat (ES) wrote:
aochi dot hideo dot perso dot neuf dot fr/js/jquery-1.8.2.min.js comes up clean, but if you click on Go to downloaded file analysis the file is called keygen.exe I'm not sure how you found that javascript URL as it didn't show up for me. But, I don't know anything about javascript, so, I might easily have missed a clue that you picked up somewhere in the analysis. I didn't see anything called "keygen"; but I too would be a bit sensitive about a file named that! |
#22
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 17:28:00 +0000, FromTheRafters wrote:
Does VT follow links? What did they think of aochi dot hideo dot perso dot neuf dot fr/js/jquery-1.8.2.min.js I don't know if VirusTotal "follows" links, but, I can say that VirusTotal did *not* pick up the fact that the original php script caused a redirect (whereas the other two suggested URL scanners *did* notice the redirect going on). Plugging that "js" link above into: https://www.virustotal.com/en-gb/#url I get: URL already analysed This URL was already analysed by VirusTotal on 2013-09-17 17:55:01 UTC. Detection ratio: 0/39 You can take a look at the last analysis or analyse it again now. Results he https://www.virustotal.com/en-gb/url...9a86/analysis/ |
#23
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 09:52:06 -0700, Mike Easter wrote:
The report at your earlier link was a report on the redirected coffee bean site, not the URL posted site. I'm a bit confused, but, here's what I found out about redirect detection. Tested primary URL on these four sites: 1. https://www.virustotal.com/en-gb/ 2. http://zulu.zscaler.com 3. http://wepawet.iseclab.org 4. http://www.google.com/safebrowsing/d.../path/file.htm RESULTS: 1. Virustotal did not detect the redirect 2. Zulu.Zscaler did detect the redirect 3. Wepawet.IsecLab did detect the redirect 4. Google Safebrowsing Diagnostics did not detect the redirect The problem with the sites that fail to detect the redirect is that the user is forced to actually *go* to the redirected site to find out about it (which, by then, could be too late). |
#24
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 14:38:30 +0000, FromTheRafters wrote:
Wepawet and zscaler come to mind. There are others as well, none of them are perfect of course. Clearly none are perfect! Some said the two sites (primary and secondary) were clean. Others said they contained malware. Here are the four suggested sites, to date, to use to test URLs: 1. https://www.virustotal.com/en-gb/ 2. http://zulu.zscaler.com 3. http://wepawet.iseclab.org 4. http://google.com/safebrowsing/diagn.../path/file.htm |
#25
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 19:44:39 +0000, jan wrote:
VirusTotal results were problematic because it didn't tell you that the primary URL redirected you to a secondary URL. Neither did the Google diagnostic scan. Luckily, the other two did. Given that, how does this look for our recommended Windows/Linux/Mac freeware sites to bookmark for future scanning of suspect URLs? (In priority order): 1. http://zulu.zscaler.com 2. http://wepawet.iseclab.org 3. https://www.virustotal.com/en-gb/#url 4. http://google.com/safebrowsing/diagn.../path/file.htm |
#26
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
jan wrote:
Is there a way to test a website for malware without going to it? Recently a family member had their mail account hijacked where an email was sent to all their contacts, including me, and it contained a link to the web site below: http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash 876569 dot php Some of the family members actually clicked on the link, and found it to be a green-coffee bean advertisement, and then they asked *me* if it contained a virus. (The Mac & Windows users asked, not the Linux users.) I knew enough not to click on the site but now I need to know *how* to tell if the site contains malware. Is there freeware I can hand this URL to that will check it out for malware payloads? That 'Green coffee bean' ad has been floating around for some time across a bevy of different isp email addresses. Not all originate from the senders email address, some with forged headers, some from harvesting addresses from one of the faked sender's contacts (i.e. the sender may not be compromised but one of their contacts)...the list goes on. -- ...winston msft mvp consumer apps |
#27
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
jan wrote:
Newsgroups: alt.comp.freeware,alt.os.linux,alt.windows7.genera l Do not crosspost to any groups you aren't subscribed. I suspect that you might not be subscribed/reading alt.comp.freeware. -- Mike Easter |
#28
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
f/ups to a.c.f only
jan wrote: Mike Easter wrote: The report at your earlier link was a report on the redirected coffee bean site, not the URL posted site. I'm a bit confused, but, here's what I found out about redirect detection. Tested primary URL on these four sites: 1. https://www.virustotal.com/en-gb/ 2. http://zulu.zscaler.com 3. http://wepawet.iseclab.org 4. http://www.google.com/safebrowsing/d.../path/file.htm RESULTS: 1. Virustotal did not detect the redirect 2. Zulu.Zscaler did detect the redirect 3. Wepawet.IsecLab did detect the redirect 4. Google Safebrowsing Diagnostics did not detect the redirect The problem with the sites that fail to detect the redirect is that the user is forced to actually *go* to the redirected site to find out about it (which, by then, could be too late). It is not necessary to 'go to' a site (with a loose browser) to determine the redirected site. There are tools like websniffer or even samspade's or other access to wget. -- Mike Easter |
#29
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 18:50:08 +0000 (UTC)
jan wrote: On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote: zulu.zscaler or wepawet would be a better choice Trying just http://zulu.zscaler first ... Given this original suspected URL: aochi dot hideo dot perso dot neuf dot fr slash 876569.php I pasted that into http://zulu.zscaler.com where the first problem I had was nothing worked, so I had to again turn off all my script blockers. Then, I tried to answer the zulu.zscaler "user agent" question. However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the options, so I picked Firefox 8, which was the closest available. I didn't know what to put for the "Referrer" so I left it blank. The results for the primary URL came up as "5/100 (Benign)". a. This URL has been analyzed by Zulu in the past b. Analyzed on: 09/17/2013 at 18:33 GMT c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily) d. IP Address: 86.65.123.70, Country: France e. Netblock size has size 511 Well, at least *that* site figured out there was a redirect involved, so, this is better than virustotal (which didn't figure that out). Then I repeated this with the secondary URL (the coffee page): greencoffee dash fat dash loss dot com ?20/12 That was red flagged as 100/100 Malicious IP Address: 46.249.59.209 located in the Netherlands a. Blacklisted in multiple real-time domain blocklists b. Blacklisted in multiple real-time domain blocklists c. Netblock size has size 255 d. IP address has been identified as risky by one/more sources So far, here's my observations: A. VirusTotal = not the best choice because it doesn't know about the redirect B. Zule.Scaler = a better choice because it at least tells you about the redirect C. I will try wepawet next VT should not have been suggested in the first place since it isn't what the OP asked for but is instead a file submission scanner. |
#30
|
|||
|
|||
Freeware to test a specific web site php URL for malware?
On Tue, 17 Sep 2013 19:35:33 +0000 (UTC)
jan wrote: On Tue, 17 Sep 2013 14:38:30 +0000, FromTheRafters wrote: Wepawet and zscaler come to mind. There are others as well, none of them are perfect of course. Clearly none are perfect! Some said the two sites (primary and secondary) were clean. Others said they contained malware. Here are the four suggested sites, to date, to use to test URLs: 1. https://www.virustotal.com/en-gb/ 2. http://zulu.zscaler.com 3. http://wepawet.iseclab.org 4. http://google.com/safebrowsing/diagn.../path/file.htm As you have no doubt learned, some interpreting of results will often be needed. I have sent URL's known to be BlackHole Exploit Kit built landing pages and they have been reported as benign or sometimes suspicious when it is known (to me) that it is indeed malicious. They explained to me that the scanner looks for 'exploit code' or 'shellcode' to be in the URL's content - if it doesn't find any, it doesn't tag it as malicious. It can however tag it as suspicious if it looks too much like another that *is* malicious. To me, redirects are not malicious in and of themselves so it is not surprising that a file scanner doesn't report it as malware. I don't think that VT even follows links that aren't obfuscated let alone ones that are - and is not the tool that you asked for. If you dig out (or get a final 'malicious' file from a sandbox) the target malware file you can use a file submission service to get more data about the file. jotti.org virustotal.com virscan.org are file submission scanners. |
Thread Tools | |
Display Modes | Rate This Thread |
|
|