Malware problem

Discussion in 'malware problems & news' started by Rico, Oct 6, 2016.

  1. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,699
    Location:
    Texas
    Do I have something on my machine, or is KIS finding this on some website? I've done a bunch of scans (KIS, Mbam, SAS, ADW). I always choose 'disconnect'. Example: 2016-10-06_7-49-32.jpg
    Thanks
     
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    What Kaspersky is warning you about is that there is a problem with the web site's SSL certificate. Before I get into that, a few tests.

    Zulu, Sucuri, and VirusTotal all say the web site is clean. When I tried to access the web site in IE11, the first thing the site attempted to do is download something. This was before the web page was displayed. Never saw that one before. For that reason alone, I would stay away.

    As far as Kaspersky's cert. warning, I could not verify same using Eset since I terminated the access to the web site after the attempted download.

    My theory on this is the web site is compromised and a redirect is occurring. However, Eset didn't detect the drive-by download so not really sure this is the case.
     
  3. Rico

    Rico Registered Member

    Joined:
    Aug 19, 2004
    Posts:
    1,699
    Location:
    Texas
    Thanks! itman

    Note I was not on the above site when the KIS msg occurred, so something from the site I was on tried to re-direct. So first, check the machine for malware (none); then, curiously, these are the same sites visited regularly where KIS sounds the warning. uBlock Origin stays quiet, or allows, so different vendors disagree; still I do not like the fact that a dl started when you visited. Anytime this happens in the future, I'll choose 'disconnect'.

    Rico
     
  4. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    The web site you were on must have had an HTTPS link to the maxcdn.bootstrapcdn web site.
     
  5. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    3,518
    Location:
    USA - Back in a real State in time for a real Pres
    @itman is that a porn site?
     
  6. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    5,061
  7. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    1,172
    The downloaded file is zero bytes and scans OK on VT.
     
  8. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.
    I checked out the cert. both at Qualys and at NetWorking4All. Qualys gave it an A-. Below are details from the NetWorking4All scan:

    The SSL Certificate for *.bootstrapcdn.com is signed by GlobalSign Domain Validation CA - SHA256 - G2 wich is signed by GlobalSign Root CA wich is signed by GlobalSign Root CA . The SSL Certificate will expire on Monday 10 June 2019 this means it is still valid for 974 days.

    This SSL Certificate has 2 subject alternative name(s). This means that this SSL Certificate is not only valid for *.bootstrapcdn.com but in this case also for the alternative names *.bootstrapcdn.com, bootstrapcdn.com

    There are no organisation details listed in this SSL Certificate. This certificate is validated by contacting the domain administrator through e-mail only, no validation on the identity of the owner has taken place.

    Ref.: https://www.networking4all.com/en/support/tools/site+check/report/?fqdn=maxcdn.bootstrapcdn.com

    I believe what Kaspersky is complaining about is the "*" in the cert. subject name. The "*" should only be used for alternates, and I believe that use is being deprecated.

    It appears to me that the source web site in question should not have been using a reference to this URL since, as noted, the cert. is for content delivery network servers.
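    The NetWorking4All report quoted above lists two names for the CDN certificate, *.bootstrapcdn.com and bootstrapcdn.com. Whether a given hostname is covered by those names is a mechanical check, and the script below (an added illustration, not code from the thread, from Kaspersky, or from NetWorking4All) shows the rule browsers and TLS libraries apply per RFC 6125: a wildcard is accepted only as the entire left-most label, it matches exactly one label, and subject alternative names take precedence over the subject CN. The certificate names are taken from the quoted report; the sample `ssl.getpeercert()`-style dictionary and the function names are constructed for the example.

```python
"""Hostname-vs-certificate-name matching, RFC 6125 style (added example).

Only the two DNS names come from the scan quoted in the thread; the
SAMPLE_CERT dictionary mimics the shape of ssl.getpeercert() output and
is constructed for illustration.
"""
from typing import List, Optional

# Names listed by the NetWorking4All report for the CDN certificate.
CERT_NAMES = ["*.bootstrapcdn.com", "bootstrapcdn.com"]

# Constructed: the layout Python's ssl.getpeercert() uses for a parsed cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.bootstrapcdn.com"),),),
    "subjectAltName": (
        ("DNS", "*.bootstrapcdn.com"),
        ("DNS", "bootstrapcdn.com"),
    ),
}


def names_from_cert(cert: dict) -> List[str]:
    """Collect DNS names the way a validator does: SAN entries are
    authoritative; the subject CN is only a fallback when no DNS SAN exists."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def name_matches(pattern: str, hostname: str) -> bool:
    """Return True if a certificate name covers hostname.

    Rules (RFC 6125 section 6.4.3, as browsers apply them):
      * labels are compared case-insensitively and one-to-one;
      * '*' is honoured only as the whole left-most label;
      * '*' matches exactly one label, so '*.bootstrapcdn.com' covers
        'maxcdn.bootstrapcdn.com' but not 'bootstrapcdn.com' or
        'a.b.bootstrapcdn.com';
      * wildcards over a public suffix such as '*.com' are refused.
    """
    pattern_labels = pattern.lower().split(".")
    host_labels = hostname.lower().rstrip(".").split(".")
    if len(pattern_labels) != len(host_labels):
        return False
    if "*" in pattern_labels[1:]:
        return False  # wildcard anywhere but the left-most label is invalid
    if pattern_labels[0] == "*" and len(pattern_labels) < 3:
        return False  # '*.com' would cover every second-level domain
    for pat, host in zip(pattern_labels, host_labels):
        if pat == "*":
            continue
        # Partial wildcards like 'max*' are treated as literal text here.
        if pat != host:
            return False
    return True


def cert_covers(hostname: str, names: Optional[List[str]] = None) -> Optional[str]:
    """Return the certificate name that covers hostname, or None."""
    for name in names if names is not None else CERT_NAMES:
        if name_matches(name, hostname):
            return name
    return None


if __name__ == "__main__":
    for host in ["maxcdn.bootstrapcdn.com", "bootstrapcdn.com",
                 "a.b.bootstrapcdn.com", "bootstrapcdn.com.example"]:
        print(f"{host:28} -> {cert_covers(host, names_from_cert(SAMPLE_CERT))}")
```

    Running it shows that maxcdn.bootstrapcdn.com is covered by the wildcard entry, the bare domain only by its explicit alternative name, and a deeper subdomain by nothing; a validator raising an error for a hostname that is not in that list is reporting a name mismatch, not the mere presence of "*".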
     
  9. liba

    liba Registered Member

    Joined:
    Jan 21, 2016
    Posts:
    76
    Scan with RogueKiller.

    x32
    http://download.adlice.com/RogueKiller/RogueKiller.exe

    x64
    http://download.adlice.com/RogueKiller/RogueKillerX64.exe
     
  10. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    2,969
    Location:
    U.S.A.