adambiser

Website blocked. Please review


This is with the Firefox Browser Guard (at least).

Quote


Website blocked due to trojan

Website blocked: winwolf3d.dugtrio17.com

Malwarebytes Browser Guard blocked this website because it may contain malware activity.


There is a download in that subdomain that gets false positives.  I've recompiled it hoping that would make it a little better.  ESET NOD32 would delete the old download, but doesn't delete the new one.

Would you review this site please?  If there is an issue still, please let me know.

Thanks.


VirusTotal.com has two vendors listing the site as "malware" and one as "malicious".  I'm trying to get more info before I can proceed further.


The website block must remain in effect.  It is listed as hosting a trojan.


Can you provide any additional information so it can be removed?  As mentioned, some vendors (ESET included) had one of the downloads as a false positive.

I've run everything through ESET and it's clean now (after recompiling the false positive).


I have requested more information, but haven't received a reply yet.  Sorry for the delay.


Thanks.  I appreciate it.  In the meantime, I've sent a false positive report to "Dr Web" and signed up for Yandex's garbage "webmaster" site and requested they re-review it as well.

Those are the two that I see as reporting false positives for the site on virustotal.com.


Dr Web has removed the site from their blacklist.  Waiting on Yandex Safebrowsing now.

https://www.virustotal.com/gui/url/493ea005230a240382db924c87018af03ea87f0b0650bfa6e94b9839955cf6b1/detection

Norton at least gives some details.  "IMFCreator-1.0.17.3.exe" is a false positive and not available on the site anymore.  I've recompiled both the executable and the installer and posted a newer version.


This one may be the root cause.  It gets more hits than the higher-level folder or the domain itself.  I just ran that URL through VirusTotal right before making this post, so either VirusTotal has some history behind their evals or there is still something out there.  Plug the following URL into VirusTotal and see what I base my comment on.

winwolf3d.dugtrio17.com/download/IMFCreator


Edited by gonzo


Yeah, that's the one that gets the false positives.

Approximately how long does it take for the checks that VirusTotal uses to re-evaluate?  I'm assuming that since Dr. Web has cleared it and once Yandex and Norton get around to re-evaluating the site/file that these others will eventually follow suit.

Each site is dumber than the next for reporting false positives.  This experience is actually making me trust them less.  (Looking at Fortinet requiring a description for how the software does boot execution and browser integration after I've just said that it does neither of the two.)


Now ESET is flagging the new download of that file.

It's just a simple program to convert MIDI music files to IMF/Adlib music files to use with Wolfenstein 3D modding, but I can't keep going after all these AV sites, so I've removed it completely from the website.


Just so you know, McAfee also has your site flagged.  Go to https://sitecheck.sucuri.net/results/winwolf3d.dugtrio17.com/download/IMFCreator and you'll see that McAfee, Yandex, and Norton blacklist it at the subdomain and full path level.  McAfee shows the exe and a php file as being dangerous.  May need to check those out.  Do you possibly use any shared repositories off, say, github or elsewhere that may be infected?  It seems to be happening a lot these days.


I've checked out everything.  I'm just an indie developer trying to help out the Wolf3D modding community by providing these tools.  I don't have the resources to track down every AV software package flagging the file, so I'm just going to start removing things.  These were personal projects that have been around since before github existed and written almost completely from scratch by myself, but the amount of time it will take to fight these false positive reports is becoming overwhelming.  downloads.php is a file I wrote myself and is probably being flagged because it points to IMFCreator.

For example, Fortinet's submission page was the dumbest I've experienced, requiring me to explain how the program does certain things that could be malicious after I've already said it does not.  They did this for six questions and the end result is that they still think it's malicious.  I'm actually using a subdomain from someone else's site, and the fact that this stuff is causing problems is putting me in such a bad situation.  It's just better for me to remove the downloads so the reputation of his site will hopefully return to normal.

The funny thing is that my trying to figure out how to compile the program in a way that AV programs don't think it's a virus has had the unintended result that they now see it as a polymorphing virus.  I'm giving up.


Unless you just gotta have this tonight, I would recommend holding off on any more changes.  I got one of our researchers to look at the offending EXE, and he did not see any issues.  If there is a PHP involved as well, that has not been looked at.  If it is as simple as you say it is, it would not likely affect the outcome.  After hearing back from the researcher, I sent something off to the people who are in charge of blocks for our main products.  I need them to remove the block.  I have not gotten their attention yet.  It's possible that the European crew are involved, and if so, they are still sleeping.  I cannot effect a true change by adding a whitelist entry for Browser Guard, because only people who use it and do not use the main Malwarebytes product would benefit.  If they use the main product (or both), the block for the main product would overrule anything I could do.

I hope that all makes sense.  I am monitoring for any changes.  They just haven't happened yet.


If it helps for me to re-add the IMFCreator download, I will, but I took it down so it doesn't affect the reputation of dugtrio17 any more than it already has.  As I mentioned, I was using a subdomain of his and since this is getting flagged, his site is flagged as well and I feel obligated to get it straightened up.  The php file is there and it's just a simple file to keep track of download counts for the database.

I do understand what you're saying and thank you for your time and patience in this.


The primary block has been removed.  Try it now, so I can see if there's anything else I need to do.  Sorry this has taken so long.


Thank you again for your time and patience.  It looks good through the browser add-on.  I'm going to hold off on re-posting IMFCreator until I get the all-clear from several AV vendors and things start to clear up.  If I add it back while some are still flagging it, will that cause the site to be blocked again?


I honestly don't know if any of their results are historical or delayed (as compared to real-time testing), so I don't have a good answer for you.  I think it would be best to get to a known, stable place before making any further changes though.  If you see good results across the board, that is the time to start tinkering.  Otherwise, it might be a game of catch-up.


Hi, the Firefox extension is blocking the site again.  Same message.

Quote

Website blocked due to trojan

Website blocked: winwolf3d.dugtrio17.com

Malwarebytes Browser Guard blocked this website because it may contain malware activity.

I haven't changed or added anything to it.


That one was still active when it was cleared on Sept 9.  Yandex finally cleared it today.  Just clicked reanalyze and it's at 0 now.


I see on the site they say the file was removed.  Whether the file is good or bad, it is still hosted even though it was said it's not:

http://winwolf3d.dugtrio17.com/downloads/IMFCreator-1.0.17.4.exe

Just downloaded it, so it's there and could/would be reason for ongoing flagging of the file.

40 out of 68 engines rescanned the file today and detect it.

https://www.virustotal.com/gui/file/82ec469d0324df9e3925ad11ec23140e4e92a3b837693765d022b70d1016d588/detection
