R3.o.lencr.org is seen as malware: This is a closed topic from a few years ago that I have some new insight on

I'm not sure if I'm posting this in the right section, as I just registered an account to make this post in particular. I wanted to respond to the original topic, but it has long since closed.

Anyway, what I wanted to add was that I was working on some malware investigations and came across this domain within VirusTotal. I see that one commenter suggested malware-remove.com should be blacklisted and untrustworthy. I can't say if that is true or not, but I know for 100% certain that virustotal.com is 100% legitimate and would never suggest something that may be a false positive. If they question the legitimacy of a ruling on malware, usually they will not list it as malware, or at the very least they will make a very noticeable note on their results page that it has been reported to be a false positive, but still be vigilant in dealing with said domain. While I'm not sure if the domain is malicious, a part of the domain within their site's architecture is very malicious. This is the exact URL that is triggering the malware-discovering apps and/or sites, if anyone wants to further this investigation:

**** ABSOLUTELY UNDER NO CIRCUMSTANCE ARE YOU TO CONNECT TO THAT URL UNLESS YOU ARE DOING IT SAFELY ON SOME TYPE OF VIRTUAL MACHINE WITH A VPN ON! IF YOU DECIDE TO TRY THE LINK OUT, I DECLARE NOW THAT NEITHER I MYSELF NOR LET'S ENCRYPT THE WEBSITE SHOULD, OR CAN, BE HELD RESPONSIBLE FOR ANY DAMAGES THAT ARISE FROM DISREGARDING THIS VERY SERIOUS WARNING! IF YOU CLICK THE LINK OR FOLLOW IT IN ANY WAY, YOU DO SO AT YOUR OWN RISK! ****

http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg+yvTLU/w3mjS9We3NfmzxAQUFC6zF7dYVsuuUAlA5h+vnYsUwsYCEgPX6nDMVnw20ugZU3zO3BCsKQ==

Anyway, that link there is very bad. It first came across my observation while at the website bonusreward.life. Not to mention another entirely separate researcher ran across the exact same malicious URL via a Vtext Spam Link on Verizon @vetext.com.

2 Likes

Welcome to the Let's Encrypt Community! :slightly_smiling_face:

6 Likes

Yeah, because an OCSP response of "unauthorized" is sooooo scary :wink:

I'm pretty sure this thread is either spam for the link at the bottom of the post or it's just a hoax.

5 Likes

None of this is spam or a hoax. I'm an ethical hacker and that link is 100% malicious and I can prove it.

@griffin's response is correct. Please see our documentation, linked in that response. We /do/ occasionally receive a false positive listing from one of the many vendors from which VirusTotal reports results.

8 Likes
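
The path of the URL quoted in the first post is base64, which is the shape of an OCSP GET request (RFC 6960, Appendix A): the DER-encoded OCSPRequest appended to the responder URL. The Python below is an added example, not written by any participant in this thread; it decodes that path offline, without fetching anything, and reports the CertID fields. The function names are made up for this example.

```python
import base64
from urllib.parse import urlsplit, unquote

# URL exactly as quoted in the first post; it is only parsed here, never fetched.
URL = ("http://r3.o.lencr.org/MFMwUTBPME0wSzAJBgUrDgMCGgUABBRI2smg+yvTLU/w3mjS9We3"
       "NfmzxAQUFC6zF7dYVsuuUAlA5h+vnYsUwsYCEgPX6nDMVnw20ugZU3zO3BCsKQ==")

def read_tlv(buf, pos, want=None):
    """Read one DER TLV at pos and return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf) or (want is not None and tag != want):
        raise ValueError(f"unexpected or truncated DER element (tag {tag:#x})")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted form."""
    first = min(body[0] // 40, 2)
    arcs, acc = [first, body[0] - 40 * first], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_ocsp_get(url):
    """Decode the first CertID of an OCSP GET URL into a dict of strings."""
    parts = urlsplit(url)
    # unquote(), not unquote_plus(): '+' and '/' are base64 characters in this path.
    der = base64.b64decode(unquote(parts.path[1:]), validate=True)
    _, ocsp_request, _ = read_tlv(der, 0, 0x30)
    _, tbs, _ = read_tlv(ocsp_request, 0, 0x30)
    pos = 0
    while tbs[pos] in (0xA0, 0xA1):  # skip optional version / requestorName
        _, _, pos = read_tlv(tbs, pos)
    _, request_list, _ = read_tlv(tbs, pos, 0x30)
    _, request, _ = read_tlv(request_list, 0, 0x30)
    _, cert_id, _ = read_tlv(request, 0, 0x30)
    _, alg, pos = read_tlv(cert_id, 0, 0x30)
    _, name_hash, pos = read_tlv(cert_id, pos, 0x04)
    _, key_hash, pos = read_tlv(cert_id, pos, 0x04)
    _, serial, _ = read_tlv(cert_id, pos, 0x02)
    return {"responder": parts.hostname,
            "hash_alg_oid": decode_oid(read_tlv(alg, 0, 0x06)[1]),
            "issuer_name_hash": name_hash.hex(),
            "issuer_key_hash": key_hash.hex(),
            "serial": serial.hex()}

if __name__ == "__main__":
    print(parse_ocsp_get(URL))
```

The decoded request contains only a SHA-1 CertID (issuer name hash, issuer key hash, certificate serial number); it asks the responder for the revocation status of one certificate.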