bshades
Former Member
Message 1 of 9

SiteAdvisor False Positive

Dear McAfee SiteAdvisor,

May I please request our website to be rescanned. Some members have reported it being in the red zone.

Links:

http://bshades.eu

Kind Regards,

Adam Eriksson

8 Replies
Hayton
Reliable Contributor
Message 2 of 9

Re: SiteAdvisor False Positive

Yes, I see the warning. It mentions "files that contain viruses, spyware, or other potentially unwanted programs".

The problem with believing that warning is that when I went to SiteAdvisor to see what it said about the site, I found one file mentioned - "4.7.1.rar", rated Green. The site page also shows bshades.com, with an amber warning. The SiteAdvisor page for that site shows it as Grey, untested. So there's a discrepancy here which looks baffling.

The reason for this, and several other cases that have appeared recently, is almost certainly that there are right now two versions of SiteAdvisor out there, hosted on different servers - the existing version, and its replacement. And they're delivering different verdicts on the same site. I don't know why for sure, but something's clearly changed in the risk-detection sections of the program. I've already notified McAfee of the discrepancies, and politely suggested that a little regression testing might be in order.

I think the kindest way to describe SiteAdvisor at the moment is 'confused'. And the only recourse a site owner has is either to re-submit the site for testing via the new SiteAdvisor results page (if you can access it - it all depends which server you're connecting to) or to contact SiteAdvisor and tell them what's happened.

The new site page for your site, according to the page I've got loaded, is

http://www.siteadvisor.com/sites/bshades.eu

The contact information for SiteAdvisor is HERE.

Hayton
Reliable Contributor
Message 3 of 9

Re: SiteAdvisor False Positive

Whoa. Not so fast. I checked your site on Sucuri, which rated it as clean, and did a couple of follow-ups which also showed nothing.

However - I checked bshades.eu on Norton SafeWeb as an afterthought, and Norton backs up the SiteAdvisor warning. Their analysis shows two drive-by downloads, which Sucuri does not mention. So either you had a problem which is now fixed, or your site has a couple of downloads which trigger alerts by antivirus software ....

I also checked the IP address, thinking that it might be a server problem. And I find that "bshades" is really "Blackshades".

Is this Blackshades by any chance related to the Blackshades which was in the news recently? The one providing surveillance programs to the Syrian government? The one providing malware? The creator of which was arrested by the FBI in July?

http://blog.malwarebytes.org/intelligence/2012/07/blackshades-co-creator-arrested/

https://www.eff.org/deeplinks/2012/07/new-blackshades-malware

To offer a brief background, BlackShades NET is a Remote Access Trojan which allows an attacker the ability to view a victim's webcam, log their key strokes, steal their files, further infect a system with subsequent malware, hold the infected system for ransom and a slew of other functionality.  It has multiple methods of unique concealment, used to hide from antivirus engines by employing the use of custom “Crypters” which obfuscate the implant binary.  It was most recently seen in the media as one of the tools used against Syrian political activists.

For more information on BlackShades and the Syrian conflict, check out my previous posts:

Pro-Syrian government hackers appear to have moved on to another remote access tool: Blackshades Remote Controller, whose capabilities include keystroke logging and remote screenshots. EFF reported on the use of this tool in malware targeting officers of the Free Syrian Army on June 19th. Similar command and control domains suggest that this campaign is being carried by the same actors responsible for the fake YouTube attack we reported in March, which lured Syrian activists in by advertising pro-opposition videos, stole their YouTube login credentials by asking them to log in before leaving a comment, and installed surveillance malware disguised as an Adobe Flash Player update.

If your Blackshades is the same outfit as the one whose activities have been causing such a stir lately, then I take back all my comments about SiteAdvisor being 'confused'. If your site is making a Remote Access Trojan available for download then yes, it's quite likely to get blocked.

Oh look, it is.

http://www.scribd.com/doc/83173574/Black-Shades-NET-User-Guide

(Screenshot: Urban Dictionary entry for blackshades.net)

https://www.mywot.com/en/scorecard/BlackShades.net

(Screenshot: WOT scorecard for blackshades.net)

http://bshades.eu/bsscmds.php?cat=Surveillance

(Screenshot: Blackshades Remote Controller page on bshades.eu)

Good luck with SiteAdvisor when you call them.

exbrit
MVP
Message 4 of 9

Re: SiteAdvisor False Positive

I see Web Of Trust WoT also red flags the site.

bshades
Former Member
Message 5 of 9

Re: SiteAdvisor False Positive

I can't find anything related to your claims. Please get back here with a report...

I guess you mean WebSense. If that's what you meant, then here is the new report from them after us contacting them: http://aceinsight.websense.com/report.aspx?g=97C781F5713B42AB80CDD81F03389791

bshades.eu isn't malicious. End of story.

Hayton
Reliable Contributor
Message 6 of 9

Re: (Alleged) SiteAdvisor false positive : VINDICATION.

bshades wrote:

I can't find anything related to your claims ... bshades.eu isn't malicious. End of story.

End of story? No, not then. Now is another matter.

"bshades.eu isn't malicious"?

***ROFL***

It's nice to be proven right about a site analysis, even if quite some time after the event. What took them so long? Obviously the Feds don't bother reading the posts in this place (good thing, bad thing. Take your pick).

http://hackerforhirereview.com/bshades-eu-blackshades-scam/

http://www.hackforums.net/showthread.php?tid=3769093  (Available from Google cache)

That site was as malicious as hell, but its days have ended. I was reading this week all about the European arrests of some idiot hackers who'd bought Blackshades, and a website was mentioned which rang a bell: I'd seen that domain name before, and it was in a thread here.

Many of those hackers now under investigation bought Blackshades through bshades.eu: one of the site's operators was Alex Yucel, who was arrested in Moldova about 6 months ago. He is said to be one of the co-creators of Blackshades. The other co-creator (Michael Hogue) was arrested in the States in 2012.

The Blackshades story is everywhere, but here are a couple of links to it:

http://krebsonsecurity.com/2014/05/blackshades-trojan-users-had-it-coming

http://online.wsj.com/news/articles/SB10001424052702303409004579566310503798566

http://www.fbi.gov/news/stories/2014/may/international-blackshades-malware-takedown/international-bl...

http://www.fbi.gov/newyork/press-releases/2014/manhattan-u.s.-attorney-and-fbi-assistant-director-in...

The bshades.eu website has now been seized by the FBI and closed down.

(Screenshot: FBI seizure notice on bshades.eu)

So there you have it. Vindicated.

Message was edited by: Hayton on 21/05/14 05:14:36 IST

exbrit
MVP
Message 7 of 9

Re: (Alleged) SiteAdvisor false positive : VINDICATION.

Hayton
Reliable Contributor
Message 8 of 9

Re: (Alleged) SiteAdvisor false positive : VINDICATION.

Epilogue ...

http://www.hotforsecurity.com/blog/57-month-prison-sentence-for-hacker-who-created-blackshades-rat-1...

Yücel has now been sentenced to nearly five years in a federal prison.

As well as his prison sentence, Yücel has also forfeited the money he earned through his malware business and had his computer equipment seized.

Yücel’s accomplice, Michael Hogue (aka “xVisceral”) pleaded guilty in January 2013 but is still awaiting sentencing for his part in the Blackshades scheme.

https://www.fbi.gov/newyork/press-releases/2015/swedish-co-creator-of-blackshades-malware-that-enabl...

Beginning in 2010, the “Blackshades” organization, which YÜCEL owned and controlled, sold and distributed malware to thousands of cybercriminals throughout the world. Blackshades’ flagship product was the RAT—a sophisticated piece of malware that enabled cybercriminals secretly and remotely to gain control over a victim’s computer. After installing the RAT on a victim’s computer, a user of the RAT had free rein to, among other things, access and view documents, photographs, and other files on the victim’s computer, record all of the keystrokes entered on the victim’s keyboard, steal the passwords to the victim’s online accounts, and even activate the victim’s web camera to spy on the victim—all of which could be done without the victim’s knowledge. A Blackshades user could also exploit victims’ computers for Distributed Denial of Service (“DDoS”) attacks by commanding Blackshades-infected computers to repeatedly send requests to targeted websites in an effort to disable those websites and deny service from those websites to legitimate visitors.

The RAT was typically advertised on forums for computer hackers and marketed as a product that conveniently combined the features of several different types of hacking tools. Copies of the Blackshades RAT were available for sale, typically for $40 each, on a website maintained by Blackshades. After purchasing a copy of the RAT, a user had to install the RAT on a victim’s computer—i.e., “infect” a victim’s computer. The infection of a victim’s computer could be accomplished in several ways, including by tricking victims into clicking on malicious links or by hiring others to install the RAT on victims’ computers.

The RAT contained tools known as “spreaders” that helped users of the RAT maximize the number of infections. The spreader tools generally worked by using computers that had already been infected to help spread the RAT further to other computers. For instance, to lure additional victims to click on malicious links that would install the RAT on their computers, the RAT allowed cybercriminals to send those malicious links to others via the initial victim’s social media service, making it appear as if the message had come from the initial victim. For example, a RAT user could send an instant message, or IM, to potential victims that appeared to come from the initial victim, inviting them to click on a link that appeared to lead to a legitimate website, but would instead install the RAT on the potential victim’s computer.

YÜCEL co-created the Blackshades RAT with Michael Hogue and operated the Blackshades organization with the help of several employees whom YÜCEL paid to advertise the RAT on various Internet forums and to provide customer support. The RAT was purchased by several thousand users in more than 100 countries and used to infect more than half a million computers worldwide. Blackshades generated sales of more than $350,000 between September 2010 and April 2014.

NotBuyingIt
Reliable Contributor II
Message 9 of 9

Re: SiteAdvisor False Positive

My compliments on your research, Hayton.
