Interesting read on iFrame exploits

Discussion in 'malware problems & news' started by innerpeace, Mar 8, 2008.

Thread Status:
Not open for further replies.
  1. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
  2. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Nice article with a bit of technical info. It also shows you how to spot IFRAMES trying to pull content from malicious servers. If you're using NoScript + Firebug and see an IFRAME with tons of garbage inside it (lots of characters, random numbers, etc), run away from that site.
    You can also block them forever with NoScript.
     
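The by-eye check in the post above (a frame pulling content from some other server, sized or styled to be invisible, or with a body full of garbage) turned into a small Python triage, as an added example that is not code from the thread or from NoScript. The heuristics, the thresholds and the sample page are my own assumptions; the deterministic junk string stands in for obfuscated code.

```python
# Added example, not from the thread: flags iframes by origin, visibility and body entropy.
import math, string
from html.parser import HTMLParser
from urllib.parse import urlparse

def entropy(text):  # Shannon bits/char; obfuscated blobs score well above English (~4.1)
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text)) if n else 0.0

class IframeCollector(HTMLParser):
    # Record each <iframe>'s attributes plus any inline body between its open/close tags
    def __init__(self):
        super().__init__()
        self.frames, self._cur = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self._cur = {"attrs": dict(attrs), "body": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["body"] += data
    def handle_endtag(self, tag):
        if tag == "iframe" and self._cur is not None:
            self.frames.append(self._cur)
            self._cur = None

def triage(page_url, html):
    """Return [(src, [reasons])] per frame; an empty reason list means nothing suspicious."""
    site = urlparse(page_url).hostname or ""
    p = IframeCollector()
    p.feed(html)
    results = []
    for f in p.frames:
        a, reasons = f["attrs"], []
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host != site and not host.endswith("." + site):  # assumed same-site rule
            reasons.append("pulls content from third-party host " + host)
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(a.get(k, "").rstrip("px") in ("0", "1") for k in ("width", "height"))
        if tiny or "display:none" in style or "visibility:hidden" in style:
            reasons.append("frame is hidden or near-invisible")
        body = f["body"].strip()
        if len(body) > 200 and entropy(body) > 4.5:  # assumed thresholds
            reasons.append("inline content looks obfuscated")
        results.append((src, reasons))
    return results

# Constructed sample: a same-site frame, a hidden third-party frame, and a frame stuffed
# with deterministic high-entropy junk standing in for obfuscated exploit code.
ALNUM = string.ascii_letters + string.digits
JUNK = "".join(ALNUM[(i * 37) % 62] for i in range(300))
SAMPLE_HTML = ('<iframe src="https://www.example.com/embed/player"></iframe>'
               '<iframe src="http://bad-host.invalid/x.php" width="0" height="0"></iframe>'
               '<iframe src="http://other.invalid/y" style="display: none">' + JUNK + "</iframe>")
```

Calling `triage("https://www.example.com/page", SAMPLE_HTML)` leaves the first frame clean and gives the other two a list of reasons to block them.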
  3. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks. You've also reminded me to take some time and get more familiar with NoScript. What effect would blocking IFRAME have on normal browsing? The article mentions that it could be used for ads. Should I just give it a try for a while? I understand that my trusted sites won't be blocked.
     
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I think so. In my experience, blocking IFRAMES never resulted in breaking some site's features. It seems that IFRAMES are mainly used to pull content from 3rd-party sites.
    Remember that NoScript is your first layer of security. If it's used properly:
    - Malicious IFRAMES won't pull malicious content.
    - Malicious scripts won't trigger vulnerable functions.
    - Malicious websites won't load/execute plug-ins which may have known (in the case of an outdated version) or unknown (in the case of a 0-day) vulnerabilities.
    - You'll get the most advanced XSS protection (mostly theoretical at this time I would say)
     
  5. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks, I'll give it a try. That makes all five boxes ticked now :). I also have to keep reminding myself that most of the time, the malicious content is looking for a hole in unpatched software. If it's a new nasty and finds a hole, then Sandboxie should contain it. I'm really starting to get a grip on my layers ;). Thanks Lucas.
     
  6. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Have had NoScript for a long time and never noticed the IFrame box (DUH!).
    Thanks for the info and, so far, have not noticed any negatives while browsing. The question I have: is an IFrame that is blocked by NoScript the same thing as the frames you would see listed when you open up the blockable items list in Adblock Plus?
     
  7. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    There is a bit of overlap between them, but ABP will block ad-related material while NS will block all content.
    Correct. Holes in unpatched software, software misconfiguration (example: set IE to install all ActiveX), malicious downloads (cracks, software of dubious origins, untrusted download sites, "free screensavers", IM add-ons, etc) and social engineering ("launch this file", "install this codec", "you're infected, click this link to clean up", "see my picture", "naked girls, click here") are the main vectors of infections. And this malicious content rarely appears on "mainstream" sites (unless they get hacked).
    0-day exploits (i.e. the bad guys discover a vulnerability which is unknown to the software vendor, or a vulnerability w/PoC is acknowledged by a vendor before the release of a patch) are rare.
    That's why I always like to link to this article
    Correct.
    Very good. The concept of layers refers to how many doors a sample of malware must open in order to infect a machine and survive. You can have a good number of strong doors (common sense, NoScript, patched software, LUA, data backups, imaging, etc) without even using security software.
    You can see this concept of "doors" in threads like this: "My AV says that I have TrojanDownloader.xx in the TIF folder. Am I infected?" You may be infected, but there are high chances that you're clean because that malware might not have opened the necessary doors (poorly coded malware, exploiting a patched vulnerability, DEP, the AV nailed it, etc).
     
  8. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    Thanks! I need to take the time and read that article. My main internet activities are browsing and streaming radio with winamp. I'm covered well in that area so my main danger comes from downloads but I take the usual precautions.

    Your link was a very good read and as usual, you post great, easy to understand information. Thanks for your help and your posts :). They should be required reading :thumb:

    innerpeace
     
  9. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Thanks :) I put a little work on them, because I like to show all the information available in a concise manner. It's frustrating (at least for me) to get the information in tiny pieces distributed everywhere.
    LOL, I don't think that but it's nice to see that my "work" (fighting with English words and grammar :D) is appreciated.
     
  10. innerpeace

    innerpeace Registered Member

    Joined:
    Jan 15, 2007
    Posts:
    2,095
    Location:
    Mountaineer Country
    You're welcome. It's easy to see the effort you put in your posts. I think you help more people than you could imagine.

    Well, I think so and I do appreciate your "work". Also, don't worry about your English, it is perfect.

    Cheers,
    innerpeace
     
  11. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    Blocking I-Frames can break a few sites. I use Proxomitron to block them globally, while permitting only the ones on a certain Proxomitron list. So far there aren't many on the list. One, for example, is kijiji.ca. If you block I-Frames here, then change the city, you lose the category you were in.
     