Question: If the site contains malware, should the frontline page be blocked?

Status
Not open for further replies.

Moonhorse
Thread author
One of the games I play is RuneScape/Old School RuneScape, and it's quite a popular game in the MMORPG genre. Typical of MMORPG games is that every game tends to have its own currency; RuneScape has gold as its currency. This gold is sold on third-party sites/black markets for real money, so the game is used as a real-life money maker for some people.

Things I have seen happen in RuneScape:
- doxxing / DDoS
- botting for levels / gold
- advertising malware sites / gold / service-selling sites
+ many more illegal things

Currently there is a phishing campaign going on which no one is talking about (I mean the RuneScape community).
In game there are bots advertising a RuneScape private server that once existed but was closed by Jagex (which owns RuneScape).
Not many people know that the server made a comeback under a new name, but these phishers are using the server's old name for this phishing campaign.

In game, bots are advertising this game like this:
[screenshot]


and when you type ikov into Google:
[screenshot]


The logo, texturing and the site itself look like a legitimate private server,

but if you download the client, you download malware that is some kind of infostealer?

This scam has been going on for 4 months, which is kind of strange; I mean, every world in RuneScape is being spammed by this server and still there are many antivirus vendors that won't block the site.

My question is: should the ''frontline'' page always be blocked and described as malware if the site itself contains malware but isn't malicious otherwise?

Frontpage: VirusTotal

PS: reported to Sophos, Trend Micro and McAfee, and so far only Sophos has blocked the frontpage.
 
But should we be happy that most engines probably detect that JAR file, or should they block the frontline page as well?

But I'm starting to think that antiviruses and browsers are a bit late in detecting phishing/malware frontline sites, and DNS is kind of ahead of them; ControlD/NextDNS are doing pretty well against them. Also, what I see going through phishing sites is that the often-bashed Webroot is top at detecting these sites but its antimalware engine is the worst there; what's their secret to being so good against malicious sites?
 
The JAR file is not detected by several major AVs, including McAfee; could it be a false positive by B and K?

A key point is that the engines used on VirusTotal are often command-line versions, and sometimes companies specialize their engines for VirusTotal, potentially employing different heuristics or levels of aggressiveness compared to the desktop versions that home users have installed. This might mean desktop versions could include features like behavioral analysis, cloud-based detection, and personal firewalls that the VirusTotal engines might not utilize or rely on differently.
Potential detection rate differences: VirusTotal engines might sometimes have a lower malware detection rate compared to their full desktop product equivalents.
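As an added illustration (not code from any poster here, and not using the real report for the file in this thread): the script below reads a constructed report shaped like the `last_analysis_results` object of the VirusTotal v3 API, separates engines that actually returned a verdict from those that did not (type-unsupported, timeout, failure), and treats an "undetected" result from a scan-only engine as absence of evidence rather than a clean verdict, which is the practical consequence of the point made above. Engine names and detection strings are placeholders.

```python
"""Summarize per-engine verdicts from a VirusTotal-style file report.

Added example, not from the thread. The 'category' values used here
(malicious, suspicious, undetected, harmless, type-unsupported, timeout,
confirmed-timeout, failure) are the ones the VT v3 API uses; the report
itself is constructed sample data with placeholder engine names.
"""
from collections import Counter

# Constructed sample report; engine names and detection strings are placeholders.
SAMPLE_REPORT = {
    "data": {
        "attributes": {
            "last_analysis_results": {
                "EngineB": {"category": "malicious", "method": "blacklist",
                            "result": "Trojan.GenericKD.Placeholder"},
                "EngineK": {"category": "malicious", "method": "blacklist",
                            "result": "HEUR:Trojan.Java.Agent.gen"},
                "EngineM": {"category": "undetected", "method": "blacklist",
                            "result": None},
                "EngineS": {"category": "type-unsupported", "method": "blacklist",
                            "result": None},
                "EngineT": {"category": "timeout", "method": "blacklist",
                            "result": None},
            }
        }
    }
}

# Engines in these categories scanned the file and produced a verdict.
VERDICT_CATEGORIES = {"malicious", "suspicious", "undetected", "harmless"}
# Engines in these categories produced no verdict and should not be counted
# as "did not detect" in any ratio.
NO_VERDICT_CATEGORIES = {"type-unsupported", "timeout", "confirmed-timeout", "failure"}


def summarize(report):
    """Return flagged engines, how many engines actually scanned, and who returned no verdict."""
    results = report["data"]["attributes"]["last_analysis_results"]
    by_category = Counter(r["category"] for r in results.values())
    flagged = sorted(name for name, r in results.items()
                     if r["category"] in ("malicious", "suspicious"))
    no_verdict = sorted(name for name, r in results.items()
                        if r["category"] in NO_VERDICT_CATEGORIES)
    scanned = sum(by_category[c] for c in VERDICT_CATEGORIES)
    return {
        "by_category": dict(by_category),
        "flagged": flagged,
        "detections": {name: results[name]["result"] for name in flagged},
        "scanned": scanned,
        "no_verdict": no_verdict,
    }


def detection_ratio(summary):
    """Flagged engines over engines that really scanned, not over every listed engine."""
    return f"{len(summary['flagged'])}/{summary['scanned']}"


def triage(summary):
    """Defender reading of the summary.

    Any vendor flag is a reason to sandbox and block pending review; a run of
    'undetected' results from scan-only engines is not evidence the file is clean,
    because those engines lack the behavioral and cloud layers of the desktop products.
    """
    if summary["flagged"]:
        return "flagged"
    return "unknown"


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print("categories:", s["by_category"])
    print("flagged:", s["detections"])
    print("ratio over engines that scanned:", detection_ratio(s))
    print("no verdict from:", s["no_verdict"])
    print("triage:", triage(s))
```

Run against a real report, the same summary makes the two mistakes in the thread visible: counting a type-unsupported or timed-out engine as a miss, and reading "undetected" from a command-line scanner as the vendor's product verdict.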
 
Potential detection rate differences: VirusTotal engines might sometimes have a lower malware detection rate compared to their full desktop product equivalents.
And this applies to all AV engines contributing to VT, so this means those AVs which did not detect the JAR file rely on behavioral analysis and have less efficient signatures than those which detected it, such as B and K.
 
And this applies to all AV engines contributing to VT, so this means those AVs which did not detect the JAR file rely on behavioral analysis and have less efficient signatures than those which detected it, such as B and K.
That's one file out of millions of new malware pieces every day. They all have engines that detect them and engines that don't.
 
That's one file out of millions of new malware pieces every day. They all have engines that detect them and engines that don't.
Occasional situations, such as this file, contribute to malware tests for ranking AVs.
 
When you see that, it's not Edge. It's NextDNS. The warning from Edge appears because, for NextDNS to redirect you, you have to install the root certificate.
I think @Parkinsond hasn't woken up yet on how to use NextDNS? :) Wake up, my friend Lol :D
 
Some AVs provide VT with behavioral analysis while other AVs do not?
Yes that is correct, some of the antivirus engines aggregated by VirusTotal incorporate behavioral analysis in their detection methodologies, while others primarily rely on signature-based detection or heuristics. While some individual antivirus engines do leverage behavioral analysis, the level and type of analysis can vary significantly between vendors and may not always mirror the full capabilities of their end-user products.
 
Yes that is correct, some of the antivirus engines aggregated by VirusTotal incorporate behavioral analysis in their detection methodologies, while others primarily rely on signature-based detection or heuristics. While some individual antivirus engines do leverage behavioral analysis, the level and type of analysis can vary significantly between vendors and may not always mirror the full capabilities of their end-user products.
That's indicated on VirusTotal as well. Not sure why we have to cite and recite something that's been clearly stated on VT for years.
 