Nearly caught out! Mamutu saves the day.

Discussion in 'other anti-malware software' started by Tarnak, Apr 10, 2009.

Thread Status:
Not open for further replies.
  1. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875

    Attached Files:

  2. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Didn't stay on the page terribly long. Saw the whole page and my mouse was an hourglass, but no alert from Avira, TF or Prevx. Are you sure it's not an FP? Has happened with Emsisoft before according to many users...
     
  3. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    That is why I am asking......I am not sure if it is an FP!

    Just throwing it out there to the experts....if they want to investigate.;)
     
  4. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Oh, didn't understand you were asking first. :p Well, I certainly think it's an FP as I've tested going to the page myself with a great layered setup and no alerts thrown up at all.
     
  5. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,950
    Location:
    U.S.A.
    Tarnak, the Host Name that's shown inside your alert, Web of Trust warns that the site has a poor reputation. Carbuyingtips.com does not as far as WOT is concerned.
     
  6. SIR****TMG

    SIR****TMG Registered Member

    Joined:
    May 31, 2004
    Posts:
    757
    I get nothing
     
  7. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Not sure what all this means, but I have XXX.TQLKG.COM blocked in A-Squared, Malware IDS : host rules for the time being. No biggie!:)
     
  8. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Not too sure what it could be. One of the sponsored Google ads might have thrown up your alert.

    See:
    http://www.browserdefender.com/site/carbuyingtips.com/

    Basically those Google links, every so often (but I'm seeing it more frequently), do point users to malicious sites.
     
  9. raven211

    raven211 Registered Member

    Joined:
    May 4, 2005
    Posts:
    2,567
    Some very random addresses on that report would look like typical Conficker pages to me.
     
  10. Espresso

    Espresso Registered Member

    Joined:
    Aug 1, 2006
    Posts:
    975
    The image in the top left corner is hosted at TQLKG.COM. I have it in my HOSTS file already but I doubt if it would be the end of the world if the image showed up.
     
  11. Boost

    Boost Registered Member

    Joined:
    Feb 2, 2007
    Posts:
    1,293
    Checked it out,nothing happening on my end :D
     
  12. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The connect out alert to tqlkg.com is to load an image, which, when clicked, will take the user to anrdoezrs.net:

    Code:
    <a href="http://www.anrdoezrs.net/click-267874-3885710" target="_blank">
    <img height="126" alt="New & Used Cars" src="http://www.tqlkg.com/image-267874-3885710" width="126" border="3"></a>
    The browser is redirected to yceml.net where the image is stored:

    car-1.gif

    I see that it is an animated GIF which I didn't notice, since I keep animation disabled:

    car-3.gif

    The image is placed at the upper left of the page.

    car-2.gif

    From the code above, it appears that anrdoezrs.net has probably paid for the ad since upon clicking, the user is taken to that site for quotes.

    However there is a redirect which eventually lands the user at

    You will notice that the numbers 3885710 appear both in the site and image URLs, probably referencing carbuyingtips.com as the starting point in the chain. With each click, a few coins are deposited somewhere!

    Such is the nature of internet advertising!

    ----
    rich
     
    Last edited: Apr 10, 2009
  13. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    Great info there Rmus, thanks for that.

    That's why in the first pic from Tarnak, the small image in the top left-hand corner was blocked by Mamutu/AM. Tarnak, was that alert from using AM with surf protection?
     
    Last edited: Apr 10, 2009
  14. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    Saraceno,I think you hit the nail on the head.:) :D
     

    Attached Files:

  15. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    12,883
    Location:
    Canada
    exactly:) got to love the A2 surf protection;) i personally tested this application and all i can say is amazing:) , hats off guys:cool:
     
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Nice explanation. Thanks
     
  17. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    3,875
    I concur, even if a little over my head. :D
     
  18. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are all welcome.

    Seeing what happens on this site is instructive, for it applies to many web sites.

    1. Often, alerts turn out to be false alarms, triggered by whatever criteria the program uses in evaluating sites. Hence, some site advisors do not flag this URL. McAfee Site Advisor, for example, reports:

    http://www.siteadvisor.com/sites/tqlkg.com/summary/

    2. But tqlkg.com is not even the main player, since the image is actually hosted on yceml.net. This is very common, and not necessarily devious or malicious.

    3. Regarding the image as a hyperlink: It used to be that hovering the mouse to see the URL before clicking gave you some indication of where you were going. This is no longer reliable, since the site in this case, anrdoezrs.net, is just a hosting site which redirects to cars.com/go/buyIndex...... The user has no idea where the final destination is. A quick search in this case didn't reveal anything bad about this site.

    4. If the image/hyperlink that loaded turned out to connect to a malicious site that served up malware, the original site, carbuyingtips.com, might not even be aware, since many sites use rotating ads and depend on their hosting company to check them out. Hacking and infiltration can occur in many places in the chain.

    Search the internet for "malicious advertisements" or "banner ads" for some good reading.

    ----
    rich
     
    Last edited: Apr 10, 2009
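    Rmus's two posts above describe one pattern: an ad slot whose image is served from a third-party host (tqlkg.com), whose hyperlink points at a different third-party host (anrdoezrs.net), which in turn redirects onward, all on a page whose own domain is carbuyingtips.com. The Python script below is an added example, not code from this thread or from Mamutu/a-squared/Emsisoft: it parses a page's HTML for anchor-wrapped images, reports which slots pull image and link from domains other than the page's own, notes when image host and link host differ (the sign Rmus used to spot a rotating ad), and checks those hosts against a HOSTS-file style blocklist like the one Espresso and Tarnak mention. The page URL, the sample HTML (built around the snippet Rmus quoted plus a same-origin logo for contrast) and the hosts file are constructed for the example; the two-label "registrable domain" shortcut is a simplifying assumption, not a real public-suffix lookup.

```python
"""Added example (not from the Wilders thread): statically map the third-party
hosts an ad slot pulls in, and check them against a HOSTS-style blocklist."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: the anchor/img pair quoted in the thread, plus a
# same-origin logo link so the report shows the difference between the two.
SAMPLE_HTML = """
<html><body>
<a href="/"><img src="/images/logo.gif" alt="site logo"></a>
<a href="http://www.anrdoezrs.net/click-267874-3885710" target="_blank">
<img height="126" alt="New &amp; Used Cars" src="http://www.tqlkg.com/image-267874-3885710" width="126" border="3"></a>
</body></html>
"""

# Constructed HOSTS-file style blocklist (the kind of entry Espresso and
# Tarnak describe adding by hand).
SAMPLE_HOSTS = """
# constructed sample hosts file
127.0.0.1 localhost
0.0.0.0 www.tqlkg.com
0.0.0.0 tqlkg.com
"""


def registrable_domain(host):
    """Crude eTLD+1: keep the last two labels. Assumption for this example;
    a real tool should consult the public suffix list (co.uk etc.)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class AdSlotParser(HTMLParser):
    """Collect (link host, image host) pairs for every <img> nested in an <a>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_host = urlparse(page_url).hostname.lower()
        self.current_href = None
        self.slots = []

    def _host(self, url):
        # A relative URL (no scheme/host) resolves to the page's own host.
        h = urlparse(url).hostname
        return h.lower() if h else self.page_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.current_href = a["href"]
        elif tag == "img" and a.get("src") and self.current_href:
            self.slots.append({"link_host": self._host(self.current_href),
                               "image_host": self._host(a["src"])})

    def handle_endtag(self, tag):
        if tag == "a":
            self.current_href = None


def parse_hosts_blocklist(text):
    """Return the set of names a HOSTS file sinkholes to 0.0.0.0/127.0.0.1."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blanks
        fields = line.split()
        if fields and fields[0] in ("0.0.0.0", "127.0.0.1"):
            blocked.update(f.lower() for f in fields[1:])
    blocked.discard("localhost")
    return blocked


def analyse(page_url, html, hosts_text):
    """One finding per anchor-wrapped image. Static view only: the link host is
    the FIRST hop; further redirects (anrdoezrs.net onward) are invisible here."""
    parser = AdSlotParser(page_url)
    parser.feed(html)
    blocked = parse_hosts_blocklist(hosts_text)
    page_dom = registrable_domain(parser.page_host)
    findings = []
    for slot in parser.slots:
        img_dom = registrable_domain(slot["image_host"])
        link_dom = registrable_domain(slot["link_host"])
        findings.append({
            "image_host": slot["image_host"],
            "link_host": slot["link_host"],
            "third_party_image": img_dom != page_dom,
            "image_and_link_differ": img_dom != link_dom,
            "blocked_by_hosts": (slot["image_host"] in blocked
                                 or slot["link_host"] in blocked),
        })
    return findings


if __name__ == "__main__":
    for f in analyse("http://www.carbuyingtips.com/", SAMPLE_HTML, SAMPLE_HOSTS):
        print(f)
```

    Running it lists two slots: the logo (same-origin, nothing flagged) and the car ad (image from www.tqlkg.com, link to www.anrdoezrs.net, third-party on both counts, and sinkholed by the sample HOSTS entry). The script deliberately stops at what the HTML shows; as Rmus's point 3 says, the link host is only where the chain starts, so a blocklist keyed on the first hop can be bypassed by rotating the image or link host while the final destination stays the same.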
  19. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    Oh Yes!

    The old fashioned multi-redirect rotation has been used for years, some for simple safe ads but many times just to throw a user off-track from their initial inquiry, some with not so innocent motives.

    Thanks author and to Rmus as usual who is johnny-on-the-spot regarding such matters, mostly the malicious ones. Ugh!

    EASTER
     
  20. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,404
    It's not malicious, but redirects can still confuse and trick a novice user. Only today I was reading a blog, thought the blog sounded ok, clicked on the 'home' link and was taken off to buy some product. The blog was one of those fake blog sites where every link on the page was a redirect! :ouch:
     
  21. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    A single SAFE redirect is tolerable I think, but multiple re-directs especially to ads no one is remotely interested in is a waste of bandwidth on their end, and conjures up suspicion on the user end.

    It's so stupid & immature IMO to still be playing Windows 98 games in the 21st Century Computing Internet World, but here we still are folks, being slapped in the face yet again with the same old tactics now years after. And how about those same old pop under ads after closing the page or on closing, surprise! look at this screensaver. The exact same ones advertised years ago.

    Ho Hum :doubt:
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Yep,

    Great explanation by R(e)mus, son of the Trojan Aeneas, only this Rmus survives all sorts of attacks and won't be defeated by Romulus :D Wonder what his relation with Lone Wolf (Lupa Capitolina?) is

    Thanks Kees
     
  23. maddawgz

    maddawgz Registered Member

    Joined:
    Aug 13, 2004
    Posts:
    1,276
    Location:
    Earth
    I think I had a Mamutu licence for 1yr but I can't remember my email used lol..sure it was from GAOTD darn.
     
  24. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    This is IMHO a welcome complimentary bonus of having a truly genuine article when it comes to a reliable Behavioral Blocker and the exact way that it should process its information then react with dispatch accordingly along with a DENY option.

    EASTER
     
  25. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Agreed 100% :thumb:
     
Thread Status:
Not open for further replies.