Overblog
Editer l'article Suivre ce blog Administration + Créer mon blog
24 mars 2013 7 24 /03 /mars /2013 17:17

VirusTotal URL content scan bypass example

While searching for virtualization back-up solutions for ESXi, I came accros the following website:

http://joealdeguer.com/backing-up-and-restoring-esxi-virtual-machines/index.php

 

 

But the proxy server that filters internet browsing, where I am at the moment, yelled a warning and blocked the page:

Squid_clam_URL_blocking_240313-copie-1.PNG

(Yes, the is a Squid proxy server powered, and antivirus engine is ClamAV).

 

As you can see, Clam says "PUA.Script.Packed-1.

 

Now, let's try VirusTotal for this same URL:

 

https://www.virustotal.com/en/url/9be98ad47adc382824285f27289bd20cc9f2b71ba1f5761a8c15ecb95b877a1b/analysis/1364141731/

 

Well... nothing found! even Clam...

 

URL Scanner Result
ADMINUSLabs Clean site
AlienVault Clean site
Antiy-AVL Clean site
Avira Clean site
BitDefender Clean site
C-SIRT Clean site
CLEAN MX Clean site
Comodo Site Inspector Clean site
Dr.Web Clean site
ESET Clean site
Fortinet Unrated site
Google Safebrowsing Clean site
K7AntiVirus Clean site
Malc0de Database Clean site
Malekal Clean site
MalwareDomainList Clean site
MalwarePatrol Clean site
Minotaur Clean site
Netcraft Clean site
Opera Clean site
ParetoLogic Clean site
Phishtank Clean site
Quttera Clean site
SCUMWARE.org Clean site
SecureBrain Unrated site
Sophos Unrated site
SpyEyeTracker Clean site
Sucuri SiteCheck Clean site
URLQuery Unrated site
VX Vault Clean site
Websense ThreatSeeker Unrated site
Wepawet Unrated site
Yandex Safebrowsing Clean site
ZDB Zeus Clean site
ZeusTracker Clean site
zvelo Clean site

 

 

And no, don't tell me it's because it's a PUA, and therefore it's not reported in the main view...!  The "additional information" tab says:

 

Websense ThreatSeeker URL category
Uncategorized.
Quttera domain information
See Quttera report
Sucuri SiteCheck domain information
Full threat report
Webutation domain information 
 Verdict..................: unsure Adult content............: no Safety score.............: 70

Take a look at the full Webutation review.

URL after redirects
http://joealdeguer.com/backing-up-and-restoring-esxi-virtual-machines/
Network location to IP address resolution
108.56.209.3
Response code
200
Response headers 
 via: HTTP/1.1 GWA
 x-powered-by: PHP/5.3.10-1ubuntu3.6
 x-google-cache-control: remote-fetch
 vary: Accept-Encoding
 server: Apache/2.2.22
 link: <http://wp.me/p2SbCr-cs>; rel=shortlink
 date: Sun, 24 Mar 2013 16:15:36 GMT
 content-type: text/html; charset=UTF-8
 x-pingback: http://joealdeguer.com/xmlrpc.php
Response content SHA-256
82132433d7fe11cacada4b1a9573c9f2b292702ed7198b89e7078d9a35e1dcf5
Google trends for the term joealdeguer:

See full report
Alexa daily reach
Estimated percentage of global internet users who visit joealdeguer.com:

 

 

Here, OK the URL by itself is not categorized as "malicious", but at least one AV engine (Clam) should trigger a warning on VT, if it really matches the AV regular behavior.

 

In a nutshell, you may want to try VirusTotal for URL scan, but even if it does not give you any result, I do suggest you to manually download the content targetted by the URL, and then upload it to VirusTotal, to double check.

 

 

Small update:

 

if you download the webpage, save it as " web archive" in IE, and upload that to VT, here are the results:

https://www.virustotal.com/en/file/1d9df59ad8b58e5101361b45b2a4ae06fcea2f9e814acedcc3c335c7a178cc6c/analysis/1364142725/

Yes, there you see that Clam does detect a PUA (additional information tab).

Partager cet article

Repost0
Published by Philippe V. - dans Veille sécurité
commenter cet article

commentaires