Tons of IFrame.B.Gen hits today

Is this a new definition that was pushed? Had about 7 machines this machine email in with it..

[gkurcon]

We have seen about 3 or 4 machines today (out of 130) with this alert. It looks like a false positive to me, but I could be wrong.

[Marcos]

Could you please email some in a password protected archive to samples[at]eset.com?

[lolo2907]

I've been seeing a whole bunch. I've tried contacting ESET with no luck... but we should expect that I guess. Do you think this is an FP? Should we be worried?

[lolo2907]

Also,the logs are catching this from some reputable sites too which is odd. Which is why i am thinking it is an FP.

[lolo2907]

Marcos,
I don't have a sample. Is it ok to post the link to the pages it's catching it on?

[lodore]

Quote:

Originally Posted by lolo2907

Also,the logs are catching this from some reputable sites too which is odd. Which is why i am thinking it is an FP.

thats normal...
lots of legit websites are being hacked and a iframe is inserted to redirect the user to another page to download a malicous file.

[lolo2907]

Are there more hacks today then there were yesterday? I'm seeing this come from sites like 411.com and whitepages.com

[lodore]

Quote:

Originally Posted by lolo2907

Are there more hacks today then there were yesterday? I'm seeing this come from sites like 411.com and whitepages.com

They could be FP's thou.
Nothing strange going on when i visit those sites here with the security i use.

[gkurcon]

I've submitted two examples from one of the machines to the address requested above. Hope that helps.

[lolo2907]

the links are pretty deep into 411.com and whitepages.com i didn't want to post the direct link to avoid cross contamination.

Quote:

Originally Posted by lolo2907

the links are pretty deep into 411.com and whitepages.com i didn't want to post the direct link to avoid cross contamination.

Post them inactive
hxxp://bla-bla-bla.com/example....

[lolo2907]

here are the inactive links... change hxxp: to http:

hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j&u=http:
//www.411.com/search/ReversePhone?full_phone=617-924-6574&localtime=survey&r=&rnd=768428

hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j&u=http://www.whitepages.com/search/FindPerson?firstname_begins_with=1&firstname=r&name=domico&where=Langhorne%2C+PA&r=&rnd=777640

[lolo2907]

one more quick update. I was speaking with one of my users who I know does not surf any crazy sites and he told me got the error when he was browsing to boston.com or possibly the wallstreetjournal.com or wsj.com These sites are pretty reputable. So I am starting to think this is a FP.

It is actually http://afe.specificclick.net/ that is blocked . It (its IP) has been placed on the list with sites with potentially dangerous content . I can't comment if this site deserves or deserves not to be blocked .

[kaisernc]

This does look like it could be a FP. I am noticing it from several of our machines here. It appears to be triggered by ads on legit websites. all the links I am seeing look like they have something to do with afe.specificclick.net. The links always reference the site where they came from. One example i have seen from whitepages.com

hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j&u=http://www.whitepages.com/maps&r=http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=area+code+map&btnG=Google+Search&rnd=209674&uid=4iQ6pZ14p4tX1C

Craig

Quote:

Originally Posted by kaisernc

all the links I am seeing look like they have something to do with afe.specificclick.net. The links always reference the site where they came from.

This site is what some might call a trackig cookies site - like doubleclick.

[Marcos]

The site will be removed from the blacklist, but it'll be added again if another piece of malware turns out to be exploiting it.

[siljaline]

From my HOSTS File

Quote:

# [SpecificMEDIA Inc][ValueAd Inc]
127.0.0.1 www.gogotools.com #[Adware.GoGoTools]
127.0.0.1 www.searchgogo.com
127.0.0.1 specificpop.com #[SunBelt.Specificpop.com]
127.0.0.1 www.specificpop.com #[SpySweeper.Spy.Cookie]
127.0.0.1 adopt.specificclick.net #[Ad-Aware.Tracking.Cookie]
127.0.0.1 afe.specificclick.net
127.0.0.1 bp.specificclick.net
127.0.0.1 dg.specificclick.net
127.0.0.1 images.specificclick.net
127.0.0.1 specificmedia.com
127.0.0.1 as.specificmedia.com #[usbansrv60]
127.0.0.1 cxtad.specificmedia.com
127.0.0.1 leads.specificmedia.com #[directtrack.com]
127.0.0.1 www.specificmedia.com #[eTrust.GoGoTools]
127.0.0.1 ac2.valuead.com
127.0.0.1 ads.valuead.com #[SpySweeper.Spy.Cookie]
127.0.0.1 adsignal.valuead.com
127.0.0.1 axxessads.valuead.com
127.0.0.1 banners.valuead.com #[ADW_VALUEAD.M][eTrust.Tracking.Cookie]
127.0.0.1 moads.valuead.com
127.0.0.1 oin.valuead.com #[outerinfo.com]
127.0.0.1 pmads.valuead.com #[Ad-Aware.Tracking.Cookie]
127.0.0.1 redux.valuead.com
127.0.0.1 reduxads.valuead.com #[Ewido.TrackingCookie.Valuead]
127.0.0.1 videodetectivenetwork.valuead.com
127.0.0.1 vdn.valuead.com

Hope this helps.

Quote:

Originally Posted by siljaline

From my HOSTS File

adopt.specificclick.net #[Ad-Aware.Tracking.Cookie] <=

Mine all come from


afe.specificclick[1].htm

The number goes from [1] to [2] on some machines..

Also

CA0PAfun.htm
Ca6DTXGA.html

It is unable to clean them...

[ittech]

I've been getting phone calls about this all morning, on vrbo.com and other news sites, definitely related to specificclick.net ads, but is a false positive as I'm not seeing any exploit code on those actual links, just a netflix ad in one case

[lolo2907]

Are people still receiving these warnings? I keep getting them fairly often.

Quote:

Originally Posted by lolo2907

Are people still receiving these warnings? I keep getting them fairly often.

Last one was 26 minutes ago..

08-10-2009 14:20:03 "2:20" PM CST...

[sparx]

Still getting alerts. Any idea on a timeline for the next update?