Need advise on Trojan.Script.Iframer

Hi y'all

Need your expert advise on this. Recently have received an email link to hxxp://store.worldnewsdot.xxx and received a flagged by Kaspersky AV showing HEUR:Trojan.Script.Iframer for ~Snip~

When I run the website thru another laptop of mine that was installed wit NOD32 v4, nothing was flagged from the website. So, I was wondering is it dangerous or is it just my imagination?

Thanks in advance.

 

Thanks ronjor. Can you point me to that direction?

 

Hi,

Thats 100% correct detection...that site is a fake "obama" website designed to deliver trojans to your computer.... f-secure has a writeup of it here:

http://www.f-secure.com/weblog/archives/00001585.html

Panda too:

http://pandalabs.pandasecurity.com/...Impersonates-Barack-Obama_2700_s-Website.aspx

Extract from the source code:

The script you mentioned is an obfuscated script that downloads additional malware from another server.


Moral of the story: Be very careful of which links you click from emails or comments on the internet.


P.s. Your laptop that didn't give any warnings and was protected by another AV than KIS is probably infected and helping to host the same malware, please contact their tech support to get advice on cleaning any traces.

 

Avira takes exception to that site also,flagging up multiple warnings including HTML/Shellcode.Gen.

 

Thank you all.

 

Attemps to save a "barrackblog.exe" on my computer with Norton disabled. It is just me, however isn't that random? I don't think the avg. viewer will a) believe their viewpoints expressed and b) care to save a file on their computer.

 

lolz...seems the IP keep changing often each time we key-in the URL

 

http://www.threatexpert.com/report.aspx?md5=e32bd572f87625db9df7359af571c06e


(see IPs)

Also VT results were high enough for this not to be a threat.

 

It's a fast flux malware campaign hence the different IP's each time.

 

Could you, please, tell me what settings do you have in NOD32 v4 to protect browsers? Do you have it in active mode?

Regards

 

The actual script itself isn't dangerous it's what it's trying to execute/download that is, which IS flagged by nod32.

 

My NOD32 v4 settings is set as default.

 

Excuse me?

Nonsense... the script is the downloader.... and it is dangerous

Let me break it down a bit:


1. The script is obfuscated to avoid detection (which seemed to work since only 5 vendors currently correctly detect it) ,

2. The script opens a hidden iframe to a dangerous website.

3. The dangerous website is a malware delivery mechanism much like neosploit or any of the other "kits" for sale on the internet.

4. The script is essentially a "downloader" as it initiates connection to the site where the bad code is downloaded from (its not the video.exe file contrary to what you may think, that is seperately downloaded and nothing to do with the script).

5. The malware on site where the script is calling can change at any moment so if you do not detect the script you do not guarantee the safety of the user.... Thats like saying this trapdoor doesn't have a cover, but its ok because there is a crate full of foam underneath it....but what if the crate is moved

6. ESET will add detection for the script if you send it to them.... just like any other antivirus vendor because the script is classed as malware. We can defend av's to a certain point when they don't detect something (pretty pointless as any av will have a failure to detect some malware at some point) but making statements to the effect that "it isnt dangerous thats why there is no detection" is plain wrong.


This is what it looks like:

(some creative editing to stop people from screwing up their pc's if they decide to try and execute it)

Deobfuscated version:

Again, edited to stop the brave going where they shouldn't

And connection to that server downloads all sorts of nasties depending on referer, location, OS and browser.

 

Mate you proved my point yourself. A lethal script isn't lethal when the downloaded contents are detected and removed.

 

It's not clear to me what you mean by "downloads" -- by remote code execution, or by user selecting to download.

From the Panda write up you link, it would seem to be the latter -- the user must select to download:

​

----
rich

 

Yes, the actual video.exe must be downloaded and executed manually (e.g. by clicking "read more)....but there is an additional script on that particular page which silently executes and connects to another website from where code is downloaded silently without user input (the original question by the OP was asking about a detection on that script)

 

I don't know how you came to that conclusion when I specifically pointed out in my reply that not detecting the downloader is like an open trap door with a 40 foot drop, and each person who is unlucky enough to drop through that trapdoor has to count on there being something soft at the bottom..... which isn't guaranteed, as the downloaded malware is constantly changing and could be swapped for something that isn't well detected pretty easily...not to mention server side polymorphism that could easily mutate the file etc

If you detect the script initially, then there is no chance that the user will come in contact with the file it is trying to download in the first place.... hence AV companies will detect the script as malicious once they get a copy of it or if they have implemented script checking heuristics (e.g. KAV HEUR: Trojan.script.iframer or Avira Shellcode.gen). This removes the "chance" factor that the malware which it is trying to download is not detected and stops the drive by download before it has a chance to happen.

 

No I agree with you that it should be detected, but I'm trying to say the user is perfectly safe even if the script was ran, because the content is blocked from being downloaded and/or removed right after the complete file downloads.

 

Thanks for that clarification. You are the only source I've seen that provides this information about the silent download.

The reason I ask is that I watch for exploits to see what is new so I can pass information on to a few people I help from time to time. It seems that there is nothing new here.

First, the social engineering trick is similar to the fake CNN sites that delivered up malware. The user is enticed to view a video about some scandalous situation. The two methods of attack are

• The user starts to watch the video and a prompt pops up to install an update of some kind
  
• The user is prompted immediately to run an executable, as in this case. This is reminiscent of the Storm malware.

Fake Obama Web Site Reportedly Builds Botnet
http://www.informationweek.com/news...tml?articleID=212901473&subSection=Cybercrime

Actually, all of the links on the fake obama site point to the same executable:

​

The obvious preventative measure here is a firm policy about installing unknown/untrusted/unverified executables.

Second, the remote code execution part. It used to be that you could count on all such exploits to be directed to to IE users, but the recent PDF and SWF exploits show that you can't jump to conclusions, since these two can infect no matter which browser is used.

So, you have to test, because you get no help from the security vendor analyses I've seen so far.

Using Opera, the malicious .js file caches but nothing happens.

Using IE6, at least two different exploits are served up:

​

Not being able to analyze the obfuscated code, I'm not sure which of the many IE specific exploits these are. But it doesn't really matter - they all do the same thing: attempt to install a trojan. Conclusion: not a threat to users of Opera or Firefox. And easily blocked, anyway.

So there is nothing new here. Today it is obamamania. Tomorrow, something else.

http://www.eweek.com/c/a/Security/Malicious-Sites-With-Fake-Obama-News-Trying-to-Build-Botnet/

By now, careful users are alert to these things, and we can only hope that more people will become aware and proceed accordingly!

----
rich

 

Hi,

That code keeps getting inserted into the index pages on my website. It's been going on for over a month. After the code is inserted in my pages I upload a clean copy over it. Happens a few times per day! When a visitor goes to my website, there is a warning about: HEUR:Trojan.Script.Iframer

How does this code get into my server pages? Any clues on what to look for or how to shut it down?

I've already found some .pl files and deleted them but the hacking issue continues.

Any help deeply appreciated!!!!

Thanks!

 

Sounds like you have out-of-date software on your server that is being exploited.

 

If you are running a site that has user input fields it's quite possibly a SQL injection attack. You may want to run through all your code and look for any foreign java script as well. The fix is to update your code to the latest version.