Wilders Security Forums  

#1
September 25th, 2008, 05:58 AM
Whissi
Infrequent Poster
Join Date: May 2005
Location: Germany
Posts: 46
Iframe threats

Hello,

today I visited a website on a computer with a different anti-virus program (not NOD32). I got an AV alert; the AV product claims that the site I wanted to visit contains an iframe threat.

So I started to investigate that.

I tried several scanners and the results are very different: most of the scanners don't detect this kind of threat, but Sophos or G-DATA, for example, do detect threats.

I would like to post a link to the virustotal.com results, where I uploaded such a saved html file, but I don't know if this is allowed.

And here's my question:
Why doesn't NOD32 detect these kinds of threats (well, when you don't know the threat, you can't really discuss the problem, but it isn't allowed to post such a URL...)? Am I not protected?

I don't want to discuss the value of other AV products, but I think Sophos is one of the big players - they detect it. Would you say Sophos makes more noise than necessary (false detection)?
__________________
Mit freundlichen Grüßen / Best Regards
Whissi
#2
September 25th, 2008, 06:03 AM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,079
Re: Iframe threats

The fact that a website contains the <IFRAME> tag does not make it malicious. This is a normal HTML tag that is used on many websites, and flagging it automatically as malicious would produce thousands and thousands of false positives.
#3
September 25th, 2008, 06:17 AM
Whissi
Infrequent Poster
Join Date: May 2005
Location: Germany
Posts: 46
Re: Iframe threats

Quote:
Originally Posted by Marcos
The fact that a website contains the <IFRAME> tag does not make it malicious. This is a normal HTML tag that is used on many websites, and flagging it automatically as malicious would produce thousands and thousands of false positives.
No, you didn't understand me - it's not the iframe HTML tag.

They just call them iframe threats; here are some names:
  • HTML/Dldr.Iframe.G
  • HTML:Iframe-gen
  • HTML/Framer
  • HTML:Iframe-gen
  • HTML.Downloader.Iframe.G
  • Mal/Iframe-F
  • Script.Dldr.Iframe.G

From Sophos I know that these kinds of threats are related to some SQL injection attacks... here are some blog entries from Sophos:
http://www.sophos.com/security/blog/2007/08/547.html
http://www.sophos.com/security/blog/2007/10/611.html
http://www.sophos.com/security/blog/2007/09/580.html
http://www.sophos.com/security/blog/2008/04/1329.html
__________________
Mit freundlichen Grüßen / Best Regards
Whissi

Last edited by Whissi: September 25th, 2008 at 06:36 AM.
#4
September 25th, 2008, 06:30 AM
Kayracc
Regular Poster
Join Date: Jul 2008
Posts: 81
Re: Iframe threats

Most usually these are SQL injections; they inject obfuscated JavaScript code which, when deobfuscated, is an IFRAME link to malicious websites (usually 4-5) which contain exploits for various vulnerabilities: RealPlayer, Shockwave, etc.

The reason some AVs detect the iframe exploit is that they've seen the obfuscated JavaScript before and have added detection for that very script.

So if the script says xxxyyyxxx, they simply add that for detection; however, if the website inside the code changes, it then becomes xxyyyxxxx, and they will no longer alert until they get a copy of the new code to add (they may also have some heuristics involved, but...).

Any AV, even the worst ones, should detect the exploits on the pages afterwards, so detecting the iframe isn't the most important thing in the world, but it helps.

-Brian
#5
September 25th, 2008, 08:07 AM
Marcos
Eset Moderator
Join Date: Nov 2002
Posts: 9,079
Re: Iframe threats

It seems that detection depends on either an exact URL in the iframe tag or the domain followed by an arbitrary page. It's nothing magic that couldn't be easily circumvented. The point is to detect malware that might potentially be downloaded from sites referred to by the iframe tag.
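The two detection strategies discussed in this thread (Kayracc's point that an exact-script signature stops matching as soon as the injected URL changes, and Marcos's observation that matching the domain followed by an arbitrary page is more robust) can be tried out with a small triage script. The following is an added example written for this page; it is not ESET's, Sophos's or any poster's code. It assumes the page is already available as an HTML string, and every URL, domain and sample page in it is constructed for the demo, not a real indicator. Alongside the two signature styles it adds a third, signature-free heuristic: flag any frame the user cannot see (0x0 size or display:none), which is the shape injected iframes usually take.

```python
"""Hidden-iframe triage: exact-URL signature vs. domain signature vs. heuristic.
Added example, not code from the forum thread or from any vendor."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag on the page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser already lower-cases tag and attribute names.
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Heuristic: the frame is invisible to the user (0/1 px box, or CSS hidden)."""
    def tiny(value):
        value = value.strip().lower().rstrip("px")
        return value.isdigit() and int(value) <= 1

    style = attrs.get("style", "").replace(" ", "").lower()
    return (tiny(attrs.get("width", "")) and tiny(attrs.get("height", ""))) \
        or "display:none" in style or "visibility:hidden" in style


def classify(page_html, bad_urls, bad_domains):
    """Return [(src, verdicts)] for each iframe on the page.

    verdicts may contain:
      'exact-url' - src is byte-for-byte on the URL blocklist (fragile)
      'domain'    - src host is, or is under, a blocklisted domain (robust to path changes)
      'hidden'    - zero-size or CSS-hidden frame, flagged without any blocklist
    """
    collector = IframeCollector()
    collector.feed(page_html)
    results = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        verdicts = []
        if src in bad_urls:
            verdicts.append("exact-url")
        if host and any(host == d or host.endswith("." + d) for d in bad_domains):
            verdicts.append("domain")
        if is_hidden(attrs):
            verdicts.append("hidden")
        results.append((src, verdicts))
    return results


# Constructed blocklist; bad-site.example is a placeholder, not a real indicator.
BAD_URLS = {"http://bad-site.example/in.cgi?3"}
BAD_DOMAINS = {"bad-site.example"}

# Constructed sample pages: the known injection, the same site with a changed
# path (which defeats the exact-URL signature), and a benign visible embed.
PAGE_KNOWN = ('<html><body><p>hello</p>'
              '<iframe src="http://bad-site.example/in.cgi?3" width=0 height=0></iframe>'
              '</body></html>')
PAGE_RENAMED = ('<html><body>'
                '<iframe src="http://bad-site.example/new/page.php" style="display: none"></iframe>'
                '</body></html>')
PAGE_BENIGN = ('<html><body>'
               '<iframe src="https://video.example/embed/42" width="560" height="315"></iframe>'
               '</body></html>')

if __name__ == "__main__":
    for name, page in (("known", PAGE_KNOWN), ("renamed", PAGE_RENAMED), ("benign", PAGE_BENIGN)):
        for src, verdicts in classify(page, BAD_URLS, BAD_DOMAINS):
            print(f"{name:8s} {src:45s} {verdicts}")
```

Running it shows the progression the thread describes: the known page trips all three checks, the page whose path was changed loses the exact-URL match but is still caught by the domain match and the hidden-frame heuristic, and the visible video embed triggers nothing. The heuristic is the piece worth keeping in any scanner, since it needs no prior copy of the injected script; in practice it is a triage signal to pair with scanning the fetched frame content, which is the point Marcos makes about detecting what the iframe actually downloads.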