A Windows XP help forum. PCbanter


Freeware to test a specific web site php URL for malware?



 
 
  #16  
Old September 17th 13, 07:21 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 15:12:23 +0000, FromTheRafters wrote:

> So, what's the verdict?


The results are weird.

If you paste the original URL into the virustotal site, it
comes back as clean.

However, if you then physically GO to the original URL, you
find that the php script re-directs you to a secondary URL.

If you then paste that secondary URL into the virustotal site,
it comes back as dealing with malware.

Is it just me or does something seem wrong with this sequence?

Do I actually have to *visit* the site in order to find the URL
in order to give virustotal that URL so that it can tell me that
I shouldn't have visited the site after all?

Or, did I do something wrong?

  #17  
Old September 17th 13, 07:23 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 16:49:44 +0000, ~BD~ wrote:

> Detection ratio 3/39
> Can you not see that at my link?


Hi Dave,
I did visit your link, and I ran the test myself, which
showed the following:

a. BitDefender Malware site
b. Sophos Malicious site
c. Websense ThreatSeeker Malicious site
d. CLEAN MX Suspicious site

But, I'm not sure what that means, to me, and I'm definitely
unclear what to tell my siblings who had clicked on the link.

What does this mean, to a Mac/Windows/Linux user?

  #18  
Old September 17th 13, 07:48 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote:

> The obfuscation is to hide its spamminess not its maliciousness.


This makes sense because the original URL looked like it was
constructed probably so that it could be easily changed to appear
unique to the AOL spam filters (the hacked address was an AOL address).

The original address ended with PHP, so, my guess is that it was
a script, that pointed the user to the final destination (which
was the coffee-bean web page).

> The VT results are worthless...

I have to tend to agree (for the most part) with you, because
the virustotal scanner said the initial URL was clean; but, if
we went to the trouble of actually *visiting* the initial URL,
it redirects us to the secondary url, which virustotal finds
has 4 malware red flags.

So, VT "worked" but only *after* I was forced to visit the site
(Yes, I know BD visited it for me - but - really - shouldn't
the VT scanner have been more intelligent (and not give a false
negative result)?

I'll try those other two sites now, and report back.

  #19  
Old September 17th 13, 07:50 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote:

> zulu.zscaler or wepawet would be a better choice


Trying just http://zulu.zscaler first ...

Given this original suspected URL:
aochi dot hideo dot perso dot neuf dot fr slash 876569.php
I pasted that into http://zulu.zscaler.com where the first
problem I had was nothing worked, so I had to again turn off
all my script blockers.

Then, I tried to answer the zulu.zscaler "user agent" question.
However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the
options, so I picked Firefox 8, which was the closest available.

I didn't know what to put for the "Referrer" so I left it blank.

The results for the primary URL came up as "5/100 (Benign)".
a. This URL has been analyzed by Zulu in the past
b. Analyzed on: 09/17/2013 at 18:33 GMT
c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily)
d. IP Address: 86.65.123.70, Country: France
e. Netblock size has size 511

Well, at least *that* site figured out there was a redirect involved,
so, this is better than virustotal (which didn't figure that out).

Then I repeated this with the secondary URL (the coffee page):
greencoffee dash fat dash loss dot com ?20/12
That was red flagged as 100/100 Malicious
IP Address: 46.249.59.209 located in the Netherlands
a. Blacklisted in multiple real-time domain blocklists
b. Blacklisted in multiple real-time domain blocklists
c. Netblock size has size 255
d. IP address has been identified as risky by one/more sources

So far, here's my observations:
A. VirusTotal = not the best choice because it doesn't know about the redirect
B. Zulu.Zscaler = a better choice because it at least tells you about the redirect
C. I will try wepawet next

  #20  
Old September 17th 13, 08:12 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 17:19:50 +0000, ~BD~ wrote:

> It *may* mean that most AV companies are slow off the blocks ..... OR that
> the detections found are 'false positives'.
>
> Does this help you?


As the OP, I'm thankful you guys provided at least three web
based malware scan sites which purport to analyze a URL.

1. https://www.virustotal.com/en-gb/
2. http://zulu.zscaler.com
3. http://wepawet.iseclab.org

Paradoxically, the VirusTotal seemed to give the most information,
but, only after actually visiting the primary link in order to obtain
the secondary link, which was reported as malware (mostly based on
blacklists it seemed).

The next two, Zulu and wepawet at least figured out there was a
redirect. Zulu.Zscaler clearly flagged the secondary URL as
malicious, while WepaWet deemed it only suspicious.

So, clearly these are sites you don't want to visit, but, I'm not
quite so sure whether malware is actually involved or just spamming.

  #21  
Old September 17th 13, 08:15 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 19:01:27 +0100, p-0''0-h the cat (ES) wrote:

> aochi dot hideo dot perso dot neuf dot fr/js/jquery-1.8.2.min.js
> comes up clean, but if you click on Go to downloaded file analysis
> the file is called keygen.exe


I'm not sure how you found that javascript URL as it didn't show up
for me.

But, I don't know anything about javascript, so, I might easily
have missed a clue that you picked up somewhere in the analysis.

I didn't see anything called "keygen"; but I too would be a bit
sensitive about a file named that!

  #22  
Old September 17th 13, 08:19 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 17:28:00 +0000, FromTheRafters wrote:

> Does VT follow links? What did they think of
> aochi dot hideo dot perso dot neuf dot fr/js/jquery-1.8.2.min.js


I don't know if VirusTotal "follows" links, but, I can say that
VirusTotal did *not* pick up the fact that the original php
script caused a redirect (whereas the other two suggested URL
scanners *did* notice the redirect going on).

Plugging that "js" link above into:
https://www.virustotal.com/en-gb/#url
I get:
URL already analysed
This URL was already analysed by VirusTotal on 2013-09-17 17:55:01 UTC.
Detection ratio: 0/39
You can take a look at the last analysis or analyse it again now.

Results here:
https://www.virustotal.com/en-gb/url...9a86/analysis/

  #23  
Old September 17th 13, 08:32 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 09:52:06 -0700, Mike Easter wrote:

> The report at your earlier link was a report on the redirected coffee bean
> site, not the URL posted site.


I'm a bit confused, but, here's what I found out about redirect detection.

Tested primary URL on these four sites:
1. https://www.virustotal.com/en-gb/

2. http://zulu.zscaler.com

3. http://wepawet.iseclab.org

4. http://www.google.com/safebrowsing/d.../path/file.htm

RESULTS:
1. Virustotal did not detect the redirect

2. Zulu.Zscaler did detect the redirect

3. Wepawet.IsecLab did detect the redirect

4. Google Safebrowsing Diagnostics did not detect the redirect

The problem with the sites that fail to detect the redirect is that the
user is forced to actually *go* to the redirected site to find out about
it (which, by then, could be too late).

  #24  
Old September 17th 13, 08:35 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 14:38:30 +0000, FromTheRafters wrote:

> Wepawet and zscaler come to mind. There are others as well, none of them
> are perfect of course.


Clearly none are perfect!
Some said the two sites (primary and secondary) were clean.
Others said they contained malware.

Here are the four suggested sites, to date, to use to test URLs:

1. https://www.virustotal.com/en-gb/

2. http://zulu.zscaler.com

3. http://wepawet.iseclab.org

4. http://google.com/safebrowsing/diagn.../path/file.htm

  #25  
Old September 17th 13, 08:56 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
jan

On Tue, 17 Sep 2013 19:44:39 +0000, jan wrote:

> VirusTotal results were problematic because it didn't
> tell you that the primary URL redirected you to a secondary URL.
> Neither did the Google diagnostic scan.
> Luckily, the other two did.


Given that, how does this look for our recommended
Windows/Linux/Mac freeware sites to bookmark for
future scanning of suspect URLs?

(In priority order):
1. http://zulu.zscaler.com

2. http://wepawet.iseclab.org

3. https://www.virustotal.com/en-gb/#url

4. http://google.com/safebrowsing/diagn.../path/file.htm

  #26  
Old September 17th 13, 09:15 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
...winston[_2_]

jan wrote:
> Is there a way to test a website for malware without going to it?
>
> Recently a family member had their mail account hijacked where an email
> was sent to all their contacts, including me, and it contained a link to
> the web site below:
>
> http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
> 876569 dot php
>
> Some of the family members actually clicked on the link, and found it to
> be a green-coffee bean advertisement, and then they asked *me* if it
> contained a virus. (The Mac & Windows users asked, not the Linux users.)
>
> I knew enough not to click on the site but now I need to know *how* to
> tell if the site contains malware.
>
> Is there freeware I can hand this URL to that will check it out for
> malware payloads?

That 'Green coffee bean' ad has been floating around for some time
across a bevy of different isp email addresses.

Not all originate from the senders email address, some with forged
headers, some from harvesting addresses from one of the faked sender's
contacts (i.e. the sender may not be compromised but one of their
contacts)...the list goes on.



--
...winston
msft mvp consumer apps
  #27  
Old September 17th 13, 09:15 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
Mike Easter

jan wrote:
> Newsgroups: alt.comp.freeware,alt.os.linux,alt.windows7.general

Do not crosspost to any groups you aren't subscribed. I suspect that you
might not be subscribed/reading alt.comp.freeware.

--
Mike Easter
  #28  
Old September 17th 13, 09:47 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
Mike Easter

f/ups to a.c.f only

jan wrote:
> Mike Easter wrote:
>
>> The report at your earlier link was a report on the redirected coffee bean
>> site, not the URL posted site.
>
> I'm a bit confused, but, here's what I found out about redirect detection.
>
> Tested primary URL on these four sites:
> 1. https://www.virustotal.com/en-gb/
>
> 2. http://zulu.zscaler.com
>
> 3. http://wepawet.iseclab.org
>
> 4. http://www.google.com/safebrowsing/d.../path/file.htm
>
> RESULTS:
> 1. Virustotal did not detect the redirect
>
> 2. Zulu.Zscaler did detect the redirect
>
> 3. Wepawet.IsecLab did detect the redirect
>
> 4. Google Safebrowsing Diagnostics did not detect the redirect
>
> The problem with the sites that fail to detect the redirect is that the
> user is forced to actually *go* to the redirected site to find out about
> it (which, by then, could be too late).


It is not necessary to 'go to' a site (with a loose browser) to
determine the redirected site.

There are tools like websniffer or even samspade's or other access to wget.


--
Mike Easter
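One way to learn where a URL redirects without loading it in a browser, in the spirit of the wget suggestion above (added example, not code from any poster or tool on this page; the hostnames are constructed placeholders and the live `fetch_headers` fetcher is an assumed way of wiring it to the network):

```python
"""Walk an HTTP redirect chain by hand, never rendering a page.
Added example, not from the thread: one HEAD request per hop, no body,
no scripts run, next hop taken from the Location header. Hostnames are
constructed placeholders; the php filename echoes the one the thread discusses.
"""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # bound the walk so a redirect loop cannot run forever

def fetch_headers(url, timeout=10):
    """Live fetcher (assumed usage): HEAD only, no automatic redirect following."""
    parts = urlsplit(url)
    cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = cls(parts.hostname, parts.port, timeout=timeout)
    path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
    conn.request("HEAD", path, headers={"User-Agent": "redirect-check/1.0"})
    resp = conn.getresponse()
    headers = {k.lower(): v for k, v in resp.getheaders()}  # some servers answer HEAD unlike GET
    conn.close()
    return resp.status, headers

def redirect_chain(url, fetcher=fetch_headers, max_hops=MAX_HOPS):
    """Return [(url, status), ...]; the last entry is the final destination, or
    carries 'loop' / 'too-many-hops' when the chain never settles."""
    chain, seen = [], set()
    for _ in range(max_hops):
        if url in seen:
            chain.append((url, "loop"))
            return chain
        seen.add(url)
        status, headers = fetcher(url)
        chain.append((url, status))
        if status not in REDIRECT_CODES or "location" not in headers:
            return chain
        url = urljoin(url, headers["location"])  # Location may be relative
    chain.append((url, "too-many-hops"))
    return chain

# Constructed responses standing in for the network so the example runs offline:
# a php landing page that 302s to the real page (as in the thread), plus a loop.
FAKE_RESPONSES = {
    "http://landing.example/876569.php": (302, {"location": "http://shop.example/?20/12"}),
    "http://shop.example/?20/12": (200, {"content-type": "text/html"}),
    "http://loop.example/a": (302, {"location": "/b"}),
    "http://loop.example/b": (302, {"location": "/a"}),
}

def fake_fetcher(url):
    """Offline stand-in for fetch_headers; unknown URLs get a 404."""
    return FAKE_RESPONSES.get(url, (404, {}))
```

The last URL in the returned chain is the one worth handing to a URL scanner; pass `fetch_headers` instead of `fake_fetcher` to run it against a live URL.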
  #29  
Old September 17th 13, 10:08 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]

On Tue, 17 Sep 2013 18:50:08 +0000 (UTC)
jan wrote:

> On Tue, 17 Sep 2013 17:44:44 +0000, FromTheRafters wrote:
>
>> zulu.zscaler or wepawet would be a better choice
>
> Trying just http://zulu.zscaler first ...
>
> Given this original suspected URL:
> aochi dot hideo dot perso dot neuf dot fr slash 876569.php
> I pasted that into http://zulu.zscaler.com where the first
> problem I had was nothing worked, so I had to again turn off
> all my script blockers.
>
> Then, I tried to answer the zulu.zscaler "user agent" question.
> However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the
> options, so I picked Firefox 8, which was the closest available.
>
> I didn't know what to put for the "Referrer" so I left it blank.
>
> The results for the primary URL came up as "5/100 (Benign)".
> a. This URL has been analyzed by Zulu in the past
> b. Analyzed on: 09/17/2013 at 18:33 GMT
> c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily)
> d. IP Address: 86.65.123.70, Country: France
> e. Netblock size has size 511
>
> Well, at least *that* site figured out there was a redirect involved,
> so, this is better than virustotal (which didn't figure that out).
>
> Then I repeated this with the secondary URL (the coffee page):
> greencoffee dash fat dash loss dot com ?20/12
> That was red flagged as 100/100 Malicious
> IP Address: 46.249.59.209 located in the Netherlands
> a. Blacklisted in multiple real-time domain blocklists
> b. Blacklisted in multiple real-time domain blocklists
> c. Netblock size has size 255
> d. IP address has been identified as risky by one/more sources
>
> So far, here's my observations:
> A. VirusTotal = not the best choice because it doesn't know about the redirect
> B. Zulu.Zscaler = a better choice because it at least tells you about the redirect
> C. I will try wepawet next


VT should not have been suggested in the first place since it isn't
what the OP asked for but is instead a file submission scanner.

  #30  
Old September 17th 13, 10:34 PM posted to alt.comp.freeware,alt.os.linux,alt.windows7.general
FromTheRafters[_2_]

On Tue, 17 Sep 2013 19:35:33 +0000 (UTC)
jan wrote:

> On Tue, 17 Sep 2013 14:38:30 +0000, FromTheRafters wrote:
>
>> Wepawet and zscaler come to mind. There are others as well, none of them
>> are perfect of course.
>
> Clearly none are perfect!
> Some said the two sites (primary and secondary) were clean.
> Others said they contained malware.
>
> Here are the four suggested sites, to date, to use to test URLs:
>
> 1. https://www.virustotal.com/en-gb/
>
> 2. http://zulu.zscaler.com
>
> 3. http://wepawet.iseclab.org
>
> 4. http://google.com/safebrowsing/diagn.../path/file.htm


As you have no doubt learned, some interpreting of results will often be
needed. I have sent URL's known to be BlackHole Exploit Kit built
landing pages and they have been reported as benign or sometimes
suspicious when it is known (to me) that it is indeed malicious. They
explained to me that the scanner looks for 'exploit code' or
'shellcode' to be in the URL's content - if it doesn't find any, it
doesn't tag it as malicious. It can however tag it as suspicious if it
looks too much like another that *is* malicious.

To me, redirects are not malicious in and of themselves so it is not
surprising that a file scanner doesn't report it as malware. I don't
think that VT even follows links that aren't obfuscated let alone ones
that are - and is not the tool that you asked for. If you dig out (or
get a final 'malicious' file from a sandbox) the target malware file
you can use a file submission service to get more data about the file.

jotti.org
virustotal.com
virscan.org

are file submission scanners.
 



