Freeware to test a specific web site php URL for malware?

[jan]

The obfuscation is to hide its spamminess not its maliciousness.

This makes sense because the original URL looked like it was
constructed probably so that it could be easily changed to appear
unique to the AOL spam filters (the hacked address was an AOL address).

The original address ended with PHP, so, my guess is that it was
a script, that pointed the user to the final destination (which
was the coffee-bean web page).

The VT results are worthless...

I have to tend to agree (for the most part) with you, because
the virustotal scanner said the initial URL was clean; but, if
we went to the trouble of actually *visiting* the initial URL,
it redirects us to the secondary url, which virustotal finds
has 4 malware red flags.

So, VT "worked" but only *after* I was forced to visit the site
(Yes, I know BD visited it for me - but - really - shouldn't
the VT scanner have been more intelligent (and not give a false
negative result)?

I'll try those other two sites now, and report back.

 

[jan]

zulu.zscaler or wepawet would be a better choice

Trying just http://zulu.zscaler first ...

Given this original suspected URL:
aochi dot hideo dot perso dot neuf dot fr slash 876569.php
I pasted that into http://zulu.zscaler.com where the first
problem I had was nothing worked, so I had to again turn off
all my script blockers.

Then, I tried to answer the zulu.zscaler "user agent" question.
However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the
options, so I picked Firefox 8, which was the closest available.

I didn't know what to put for the "Referrer" so I left it blank.

The results for the primary URL came up as "5/100 (Benign)".
a. This URL has been analyzed by Zulu in the past
b. Analyzed on: 09/17/2013 at 18:33 GMT
c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily)
d. IP Address: 86.65.123.70, Country: France
e. Netblock size has size 511

Well, at least *that* site figured out there was a redirect involved,
so, this is better than virustotal (which didn't figure that out).

Then I repeated this with the secondary URL (the coffee page):
greencoffee dash fat dash loss dot com ?20/12
That was red flagged as 100/100 Malicious
IP Address: 46.249.59.209 located in the Netherlands
a. Blacklisted in multiple real-time domain blocklists
b. Blacklisted in multiple real-time domain blocklists
c. Netblock size has size 255
d. IP address has been identified as risky by one/more sources

So far, here's my observations:
A. VirusTotal = not the best choice because it doesn't know about the redirect
B. Zule.Scaler = a better choice because it at least tells you about the redirect
C. I will try wepawet next

 

[jan]

zulu.zscaler or wepawet would be a better
choice for checking webpage maliciousness

Going to http://wepawet.com, I was a bit confused because
the home page contains links to "find a dentist" in addition
to "malware scan", and looking closely, I see it says:
The domain wepawet.com is for sale!
To purchase, call 866-836-6791 or click here to BUY NOW!

I then tried the obvious first:
http://wepawet.org
http://wepawet.net
But, they both came up as not being found.

Googling for "wepawet", I find the probable site is:
http://wepawet.iseclab.org

Going to that site, I'm not sure if what "Resource Type" I
should select, so I leave it at the default (JavaScript/PDF
versus Flash).

Pasting the primary URL into wepawet.iseclab.org:
aochi dot hideo dot perso dot neuf dot fr slash 876569 dot php
It reports:
a. No exploits were identified.
However, it does recognize the redirect; but it doesn't
report the redirect as being bad.

Pasting the secondary URL into wepawet.iseclab.org:
greencoffee dash fat dash loss dot com slash ?20 slash 12
It reports:
a. Jsand 2.3.6 suspicious
b. No exploits were identified.

I'm not sure what to make of this yet.

Primary URL reports:
http://wepawet.iseclab.org/view.php?hash=a72ef81b6e204343029a58d5c3e57d7d&t=1379444248&type=js
http://wepawet.iseclab.org/domain.php?hash=5442c7497d7b3d9b0edbd206163eb9fb&type=js

Secondary URL report:
http://wepawet.iseclab.org/domain.php?hash=0cf736d200567ccffe1d1f2331452345&type=js

 

[jan]

It *may* mean that most AV companies are slow off the blocks ..... OR that
the detections found are 'false positives'.

Does this help you?

As the OP, I'm thankful you guys provided at least three web
based malware scan sites which purport to analyze a URL.

1. https://www.virustotal.com/en-gb/
2. http://zulu.zscaler.com
3. http://wepawet.iseclab.org

Paradoxically, the VirusTotal seemed to give the most information,
but, only after actually visiting the primary link in order to obtain
the secondary link, which was reported as malware (mostly based on
blacklists it seemed).

The next two, Zulu and wepawet at least figured out there was a
redirect. Zulu.Zscaler clearly flagged the secondary URL as
malicious, while WepaWet deemed it only suspicious.

So, clearly these are sites you don't want to visit, but, I'm not
quite so sure whether malware is actually involved or just spamming.

 

[jan]

aochi dot hideo dot perso dot neuf dot fr/js/jquery-1.8.2.min.js
comes up clean, but if you click on Go to downloaded file analysis
the file is called keygen.exe

I'm not sure how you found that javascript URL as it didn't show up
for me.

But, I don't know anything about javascript, so, I might easily
have missed a clue that you picked up somewhere in the analysis.

I didn't see anything called "keygen"; but I too would be a bit
sensitive about a file named that!

 

[jan]

Does VT follow links? What did they think of
aochi dot hideo dot perso dot neuf dot fr/js/jquery-1.8.2.min.js

I don't know if VirusTotal "follows" links, but, I can say that
VirusTotal did *not* pick up the fact that the original php
script caused a redirect (whereas the other two suggested URL
scanners *did* notice the redirect going on).

Plugging that "js" link above into:
https://www.virustotal.com/en-gb/#url
I get:
URL already analysed
This URL was already analysed by VirusTotal on 2013-09-17 17:55:01 UTC.
Detection ratio: 0/39
You can take a look at the last analysis or analyse it again now.

Results here:
https://www.virustotal.com/en-gb/ur...f2f58e0f52008e2db8afd960fd33adf9a86/analysis/

 

[jan]

The report at your earlier link was a report on the redirected coffee bean
site, not the URL posted site.

I'm a bit confused, but, here's what I found out about redirect detection.

Tested primary URL on these four sites:
1. https://www.virustotal.com/en-gb/

2. http://zulu.zscaler.com

3. http://wepawet.iseclab.org

4. http://www.google.com/safebrowsing/diagnostic?site=http://example.com/path/file.htm

RESULTS:
1. Virustotal did not detect the redirect

2. Zulu.Zscaler did detect the redirect

3. Wepawet.IsecLab did detect the redirect

4. Google Safebrowsing Diagnostics did not detect the redirect

The problem with the sites that fail to detect the redirect is that the
user is forced to actually *go* to the redirected site to find out about
it (which, by then, could be too late).

 

[jan]

Wepawet and zscaler come to mind. There are others as well, none of them
are perfect of course.

Clearly none are perfect!
Some said the two sites (primary and secondary) were clean.
Others said they contained malware.

Here are the four suggested sites, to date, to use to test URLs:

1. https://www.virustotal.com/en-gb/

2. http://zulu.zscaler.com

3. http://wepawet.iseclab.org

4. http://google.com/safebrowsing/diagnostic?site=http://xxx.com/path/file.htm

 

[jan]

VirusTotal results were problematic because it didn't
tell you that the primary URL redirected you to a secondary URL.
Neither did the Google diagnostic scan.
Luckily, the other two did.

Given that, how does this look for our recommended
Windows/Linux/Mac freeware sites to bookmark for
future scanning of suspect URLs?

(In priority order):
1. http://zulu.zscaler.com

2. http://wepawet.iseclab.org

3. https://www.virustotal.com/en-gb/#url

4. http://google.com/safebrowsing/diagnostic?site=http://xxx.com/path/file.htm

 

[~BD~]

Hi Dave,
I did visit your link, and I ran the test myself, which
showed the following:

a. BitDefender Malware site
b. Sophos Malicious site
c. Websense ThreatSeeker Malicious site
d. CLEAN MX Suspicious site

But, I'm not sure what that means, to me, and I'm definitely
unclear what to tell my siblings who had clicked on the link.

What does this mean, to a Mac/Windows/Linux user?

I'm no expert, Jan, but I don't think Mac or Linux users need be too
concerned if they had clicked on the link. I'd suggest that Windows users
check their machines with an on-line scanner such as this one
http://housecall.trendmicro.com/uk/index.html

 

[...winston]

Is there a way to test a website for malware without going to it?

Recently a family member had their mail account hijacked where an email
was sent to all their contacts, including me, and it contained a link to
the web site below:

http colon slash slash aochi dot hideo dot perso dot neuf dot fr slash
876569 dot php

Some of the family members actually clicked on the link, and found it to
be a green-coffee bean advertisement, and then they asked *me* if it
contained a virus. (The Mac & Windows users asked, not the Linux users.)

I knew enough not to click on the site but now I need to know *how* to
tell if the site contains malware.

Is there freeware I can hand this URL to that will check it out for
malware payloads?

That 'Green coffee bean' ad has been floating around for some time
across a bevy of different isp email addresses.

Not all originate from the senders email address, some with forged
headers, some from harvesting addresses from one of the faked sender's
contacts (i.e. the sender may not be compromised but one of their
contacts)...the list goes on.

 

[Mike Easter]

jan wrote:
Newsgroups: alt.comp.freeware,alt.os.linux,alt.windows7.general

Do not crosspost to any groups you aren't subscribed. I suspect that you
might not be subscribed/reading alt.comp.freeware.

 

[Mike Easter]

f/ups to a.c.f only

I'm a bit confused, but, here's what I found out about redirect detection.

Tested primary URL on these four sites:
1. https://www.virustotal.com/en-gb/

2. http://zulu.zscaler.com

3. http://wepawet.iseclab.org

4. http://www.google.com/safebrowsing/diagnostic?site=http://example.com/path/file.htm

RESULTS:
1. Virustotal did not detect the redirect

2. Zulu.Zscaler did detect the redirect

3. Wepawet.IsecLab did detect the redirect

4. Google Safebrowsing Diagnostics did not detect the redirect

The problem with the sites that fail to detect the redirect is that the
user is forced to actually *go* to the redirected site to find out about
it (which, by then, could be too late).

It is not necessary to 'go to' a site (with a loose browser) to
determine the redirected site.

There are tools like websniffer or even samspade's or other access to wget.

 

[FromTheRafters]

Trying just http://zulu.zscaler first ...

Given this original suspected URL:
aochi dot hideo dot perso dot neuf dot fr slash 876569.php
I pasted that into http://zulu.zscaler.com where the first
problem I had was nothing worked, so I had to again turn off
all my script blockers.

Then, I tried to answer the zulu.zscaler "user agent" question.
However, I have FirefoxESR 17.0.8 (RHEL6) which isn't one of the
options, so I picked Firefox 8, which was the closest available.

I didn't know what to put for the "Referrer" so I left it blank.

The results for the primary URL came up as "5/100 (Benign)".
a. This URL has been analyzed by Zulu in the past
b. Analyzed on: 09/17/2013 at 18:33 GMT
c. Redirections: greencoffee dash fat dash loss dot com/?20/12 (302 Moved Temporarily)
d. IP Address: 86.65.123.70, Country: France
e. Netblock size has size 511

Well, at least *that* site figured out there was a redirect involved,
so, this is better than virustotal (which didn't figure that out).

Then I repeated this with the secondary URL (the coffee page):
greencoffee dash fat dash loss dot com ?20/12
That was red flagged as 100/100 Malicious
IP Address: 46.249.59.209 located in the Netherlands
a. Blacklisted in multiple real-time domain blocklists
b. Blacklisted in multiple real-time domain blocklists
c. Netblock size has size 255
d. IP address has been identified as risky by one/more sources

So far, here's my observations:
A. VirusTotal = not the best choice because it doesn't know about the redirect
B. Zule.Scaler = a better choice because it at least tells you about the redirect
C. I will try wepawet next

VT should not have been suggested in the first place since it isn't
what the OP asked for but is instead a file submission scanner.

 

[~BD~]

VT should not have been suggested in the first place since it isn't
what the OP asked for but is instead a file submission scanner.

You are mistaken, FTR - VT fulfils BOTH functions!

https://www.virustotal.com/en-gb/#url

 

[FromTheRafters]

Clearly none are perfect!
Some said the two sites (primary and secondary) were clean.
Others said they contained malware.

Here are the four suggested sites, to date, to use to test URLs:

1. https://www.virustotal.com/en-gb/

2. http://zulu.zscaler.com

3. http://wepawet.iseclab.org

4. http://google.com/safebrowsing/diagnostic?site=http://xxx.com/path/file.htm

As you have no doubt learned, some interpreting of results will often be
needed. I have sent URL's known to be BlackHole Exploit Kit built
landing pages and they have been reported as benign or sometimes
suspicious when it is known (to me) that it is indeed malicious. They
explained to me that the scanner looks for 'exploit code' or
'shellcode' to be in the URL's content - if it doesn't find any, it
doesn't tag it as malicious. It can however tag it as suspicious if it
looks too much like another that *is* malicious.

To me, redirects are not malicious in and of themselves so it is not
surprising that a file scanner doesn't report it as malware. I don't
think that VT even follows links that aren't obfuscated let alone ones
that are - and is not the tool that you asked for. If you dig out (or
get a final 'malicious' file from a sandbox) the target malware file
you can use a file submission service to get more data about the file.

jotti.org
virustotal.com
virscan.org

are file submission scanners.

 

[FromTheRafters]

Given that, how does this look for our recommended
Windows/Linux/Mac freeware sites to bookmark for
future scanning of suspect URLs?

(In priority order):
1. http://zulu.zscaler.com

2. http://wepawet.iseclab.org

3. https://www.virustotal.com/en-gb/#url

4. http://google.com/safebrowsing/diagnostic?site=http://xxx.com/path/file.htm

I would say just the first two, and then even take the results with a
grain of salt. If I'm not mistaken, the VT one is expecting the URL to
be a file to download and check for malware - not a URL to check out by
rendering HTML, interpreting JavaScript, and following links. Also I'm
under the impression that the Google one is a reputation based lookup
table.

 

[FromTheRafters]

That 'Green coffee bean' ad has been floating around for some time
across a bevy of different isp email addresses.

Not all originate from the senders email address, some with forged
headers, some from harvesting addresses from one of the faked sender's
contacts (i.e. the sender may not be compromised but one of their
contacts)...the list goes on.

I also noticed a reference to a GPS locator function which seemed
suspicious to me, but I have seen such ads using GPS to customize the
ad to the visitor's location. For instance the old earn money now just
like this person did (an address in your own home town) scam ad.

 

[jan]

You are mistaken, FTR - VT fulfils BOTH functions!

https://www.virustotal.com/en-gb/#url

It does.

At first, with all scripts blocked, VT didn't even show the URL
form; but once I unblocked scripts, the form came up for pasting
in a URL.

Still, VT wholly missed the redirect, so, it can be used as a
backup (once you already know there is a redirect); but it can't
be (reliably) used as a primary scan.

 

[FromTheRafters]

You are mistaken, FTR - VT fulfils BOTH functions!

I see that now, thanks.