Malcode in webpage or FP?

Discussion in 'malware problems & news' started by Chato, Dec 5, 2007.

Thread Status:
Not open for further replies.
  1. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    By visiting the webpage hxxp://xxx.guitarandtabs.com/tab/428963.htm the AV (F-Secure) detected an exploit/Trojan in the (Opera) browser cache (C:\Program Files\OPERA\PROFILE\CACHE4\OPR018B2.HTM)

    According to F-Secure AV it is a Trojan.Clicker.HTML.IFrame.a.
    I don't know if it has to do with the malicious code, but the
    webpage shows me a warning:
    Code:
    Warning: include() [function.include]: URL file-access is disabled in the server configuration in /home/tabarch/public_html/header.php on line 24
    Warning: include(http://www.tab-archive.com/burst.php) [function.include]: failed to open stream: no suitable wrapper could be found in /home/tabarch/public_html/header.php on line 24
    Warning: include() [function.include]: Failed opening 'http://www.tab-archive.com/burst.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/tabarch/public_html/header.php on line 24
    But, by visiting the same webpage with Firefox, the AV didn't detect anything. (with the security-add-ons DISabled)
    Opening the page with IE, F-Secure found the same malicious code in C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.ie5\C16BWL6F\H[1]HTM

    The exploit/trojan wasn't found by the IDS (EMSI Mamutu), AVG AntiSpy and F-Prot.

    Could it be a False Positive? Or is this site hacked? or...?
     
    Last edited: Dec 5, 2007
  2. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    Seems to be an iFrame exploit dropping a trojan and it's being cached. Most likely through a banner.

    Could be a FP, submit it to those AV vendors to verify FP or not. Possibly VirusTotal too in the meantime?
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    This is the h.htm code:

    Code:
    <iframe src='http://prx.nu/' style='display: none'></iframe>
    <iframe src='http://www.nicksdirectory.com/' style='display: none'></iframe>
    A check of those sites didn't show anything unusual.

    Kaspersky identifies it as Trojan-Clicker.HTML.IFrame.a

    and defines a trojan-clicker:

    I did not observe any redirect, or download attempt of an executable, or the installation of any files other than cookies and other normal web page stuff.

    ----
    rich
     
    Last edited: Dec 5, 2007
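    The two hidden iframes Rmus quoted are exactly the pattern that generic Trojan-Clicker.HTML.IFrame signatures match on. As an added illustration (not code from the thread or from any AV vendor), the scanner below parses an HTML file such as the cached h.htm and reports the hosts loaded by iframes that are hidden via CSS or collapsed to zero size; the sample markup and the example.invalid host are constructed for the demo.

```python
"""Flag hidden <iframe> elements in a cached HTML file (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample reproducing the two iframes quoted in the thread,
# plus one ordinary visible iframe that must not be flagged.
SAMPLE_HTML = """
<html><body>
<iframe src='http://prx.nu/' style='display: none'></iframe>
<iframe src='http://www.nicksdirectory.com/' style='display: none'></iframe>
<iframe src='http://example.invalid/ad' width='300' height='200'></iframe>
</body></html>
"""

# CSS used to keep a frame out of sight while it still loads its src.
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lowercases tag and attribute names
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Hidden via CSS, or rendered at one pixel or less in either dimension."""
    if HIDDEN_CSS.search(attrs.get("style", "")):
        return True
    try:  # missing width/height means browser default size, i.e. visible
        w, h = int(attrs.get("width", "300")), int(attrs.get("height", "150"))
    except ValueError:  # percentages or junk: treat as not provably hidden
        return False
    return w <= 1 or h <= 1


def find_hidden_iframes(html):
    """Return host names loaded by hidden iframes, in document order."""
    p = IframeCollector()
    p.feed(html)
    return [urlparse(f.get("src", "")).hostname for f in p.iframes if is_hidden(f)]


if __name__ == "__main__":
    for host in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe loads:", host)
```

Run it against any file pulled from the browser cache; an HTML file that consists of nothing but hidden iframes, as h.htm does, is worth submitting to the vendor regardless of whether the framed sites currently serve anything malicious.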
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Probably some iFrame related to rotating ads. Some ads may be malicious and that's why you don't see a consistent behaviour.
     
  5. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Results Virustotal-scan:

    ~Virus Total results removed per site policy....Bubba~
     
    Last edited by a moderator: Dec 5, 2007
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Send it to Kaspersky's viruslab. They respond pretty quickly.
     
  7. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    By uploading the file to virustotal (what I just did) it is automatically uploaded to the vendors (AFAIK).
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, but that needs some days before the sample is distributed and the vendors care to take a look at it.
    Sending a mail is many times faster, plus you get a response from a virus analyst (in the case of Kaspersky and some other vendors) :)
     
  9. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    @Bubba, I didn't know that it's not allowed to post the virustotal-results.
    My apologies.

    OK, I will send the sample to Kaspersky, and some others.
    In the meantime I examined the sample in a VME. And after all I think it is a FP.
    It creates only one single file in the Documents & Settings-folder:
    \Username\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT

    No registry changes, or other changes in processes or network-activity.

    The file MSIMGSIZ.DAT is clean.
    I scanned it with several AVs, and also found nothing strange
    in HEX, strings, GUIDs etc.

    I took a quick look with a searchengine, but I found nothing relevant about the MSIMGSIZ.DAT. Maybe somebody here knows more about this file?
    As I said, after all, it seems a FP to me.
    I'll submit the sample to Kaspersky for further analysis.

    Thanks to all for your replies.

    Regards,

    Chato.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're welcome :)
     
  11. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    I'm happy to say that I just received a response from the Kaspersky Lab:
     