found an alleged drive by download site when doing research

Discussion in 'malware problems & news' started by lucd, Jun 16, 2019.

  1. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
    Hi
I thought to share this, but I am not 100% sure since I relied purely on AV advice; I haven't done any reverse engineering.
    I went on the web for research (was looking for some articles on security) and as soon as I entered this website
    I got a Kryptic.B warning from AV (Google has tried to access a file Kryptic.B).
    Apparently it is a trojan (judging by the name and some logs I found over the Internet, a banking trojan). I did nothing on the site (no clicking links), just went inside it.

Here is the site (maybe someone knows it and it's a false positive? However, don't go there if you don't trust this site):

    https://dissectmalware.wordpress.com/2018/04/12/sophisticated-mutli-stage-malware-hosted-on-pussyhunter-ru/

Found this IP: https://www.abuseipdb.com/check/192.0.78.13

I'm on a VM, but not sure about my network now (dang).
     
    Last edited: Jun 16, 2019
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
Is this the link that is supposed to be infected? I'm not seeing anything. I'm using Eset Antivirus and it did not detect anything. Also, VirusTotal results come back clean, but that doesn't mean there is not malware on the page. Maybe it just isn't being detected yet.

    hxxps://dissectmalware.wordpress.com/2018/04/12/sophisticated-mutli-stage-malware-hosted-on-pussyhunter-ru/

Also, hackers put up and take down their malware to try to stay under the radar. Also, malware does not always attempt to execute depending on what browser, plugins, and OS you are using.

It was on the FireHOL Level 3 blocklist though. I had to disable my blocklist in order to visit the page. If it proves to be infected I will add it to my own personal blocklist also.
     
    Last edited: Jun 16, 2019
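The FireHOL lists mentioned above are distributed as plain "netset" files (one IP or CIDR per line, `#` comments allowed). The following is an added example, not code from the thread or from the FireHOL project, showing how a defender can check a handful of addresses against such a list offline before deciding whether a hit is worth acting on. The netset content below is a constructed sample with placeholder entries, not the real firehol_level3 list; the IP 192.0.78.13 is the one posted in the thread. One caveat the example makes visible: a match on a /24 or wider range on shared hosting or a CDN says something about the network, not necessarily about the particular site you visited.

```python
import ipaddress

# Constructed sample in FireHOL netset format. These entries are
# placeholders for illustration only, NOT the real firehol_level3 list.
SAMPLE_NETSET = """\
# firehol_level3 (constructed sample)
192.0.78.0/24      # a whole /24, typical of shared hosting ranges
203.0.113.7        # a single host (documentation range, RFC 5737)
198.51.100.0/22
"""


def parse_netset(text):
    """Parse netset text into ip_network objects, skipping comments and blanks."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        # strict=False tolerates host bits set inside a prefix
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def find_match(ip, nets):
    """Return the first listed network that contains ip, or None."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if addr.version == net.version and addr in net:
            return net
    return None


def check_ips(ips, netset_text=SAMPLE_NETSET):
    """Map each IP to the matching prefix (as a string) or None."""
    nets = parse_netset(netset_text)
    result = {}
    for ip in ips:
        match = find_match(ip, nets)
        result[ip] = str(match) if match is not None else None
    return result


def is_broad_match(prefix_str, max_prefixlen=24):
    """Flag hits on wide ranges: likely a hosting/CDN block, not a single bad host."""
    if prefix_str is None:
        return False
    return ipaddress.ip_network(prefix_str).prefixlen <= max_prefixlen


if __name__ == "__main__":
    for ip, hit in check_ips(["192.0.78.13", "203.0.113.7", "8.8.8.8"]).items():
        if hit is None:
            print(f"{ip}: not listed")
        else:
            note = " (wide range: shared hosting/CDN?)" if is_broad_match(hit) else ""
            print(f"{ip}: listed in {hit}{note}")
```

Running it with the sample list reports 192.0.78.13 as listed via 192.0.78.0/24 (with the wide-range note), 203.0.113.7 as an exact single-host hit, and 8.8.8.8 as not listed. To use the real list, replace `SAMPLE_NETSET` with the contents of the downloaded netset file.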
  3. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
Same, and Google Canary with no plugins. Did you have the HTTPS scanner on? I might have stopped it at the network level.
    I was attacked twice (still need to check the IDS logs in the router; I noticed "they" attack routers simultaneously now on other sites at least, it's a trend).
    Did scans with Sucuri, Norton and VirusTotal (I always do before entering), but it resulted clean.
    I went to FireHOL Level 3, nice list, thanks.
     
    Last edited: Jun 19, 2019
  4. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,883
    Location:
    Slovenia, EU
Kaspersky didn't find anything on that site either.
     
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Eset 12.1.34 didn't detect anything.

What I suspect happened was the website posted some analyzed malware code in HTML rather than posting it in a .jpg, .png, etc. I have had Eset previously trigger on HTML code in a web page. It appears the site was informed and modified the display of the malware code.
     
  6. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
No problem. Yeah, I like FireHOL, it is a great service. I'm very grateful for the work the site owner has contributed in making a centralized source available for most blocklists on the internet. I also maintain a private blocklist comparable with FireHOL Level 3. I'm not sure how much longer I can maintain it though, because of the massive amount of work it has become to keep it up to date. I haven't given up yet though.

    Btw.. it's pretty common for infected websites to be disinfected fairly fast. The problem is I see them very often become infected again just as fast. It could have already been taken down, or made dormant by the hacker. WordPress is one of the worst platforms on the internet to make secure. I usually see more WordPress infections than any other web platform on the net.
     
    Last edited: Jun 17, 2019
  7. lucd

    lucd Registered Member

    Joined:
    Jan 30, 2018
    Posts:
    782
    Location:
    Island of Woman
@itman so you mean this site is the same principle? It also has code shown in plain sight and detects as MSIL, again with no detection from VirusTotal and Sucuri:
    https://0x00-0x00.github.io/research/2018/10/28/How-to-bypass-AMSI-and-Execute-ANY-malicious-powershell-code.html

So basically most research/reverse engineering sites I go to will trigger a virus warning. Interesting, need to change hobby.

    You know what, I found a better way: right click on the URL and save the webpage to PDF. That's better than visiting an unknown site to get some basic education on defense.
     
    Last edited: Jun 19, 2019
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
Yes. A site I always get Eset alerts on is Cisco's Talos research blog web site. The site oftentimes shows the malware code in HTML versus taking a screenshot of it and posting that.
     
  9. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
If you trust the site, you can exclude it from Eset content scanning. See the screenshot below:

    Eset_Found_Malware.png
     