Malcode in webpage or FP?

Discussion in 'malware problems & news' started by Chato, Dec 5, 2007.

Thread Status:
Not open for further replies.
  1. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    By visiting the webpage hxxp://xxx.guitarandtabs.com/tab/428963.htm the AV (F-Secure) detected an exploit/Trojan in the (Opera) browser cache (C:\Program Files\OPERA\PROFILE\CACHE4\OPR018B2.HTM).

    According to F-Secure AV it is a Trojan.Clicker.HTML.IFrame.a.
    I don't know if it has to do with the malicious code, but the webpage shows me a warning:
    Code:
    Warning: include() [function.include]: URL file-access is disabled in the server configuration in /home/tabarch/public_html/header.php on line 24
    Warning: include(http://www.tab-archive.com/burst.php) [function.include]: failed to open stream: no suitable wrapper could be found in /home/tabarch/public_html/header.php on line 24
    Warning: include() [function.include]: Failed opening 'http://www.tab-archive.com/burst.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/tabarch/public_html/header.php on line 24
    But, by visiting the same webpage with Firefox, the AV didn't detect anything. (with the security-add-ons DISabled)
    Opening the page with IE, F-Secure found the same malicious code in C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.ie5\C16BWL6F\H[1]HTM

    The exploit/trojan wasn't found by the IDS (EMSI Mamutu), AVG AntiSpy and F-Prot.

    Could it be a False Positive? Or is this site hacked? or...?
     
    Last edited: Dec 5, 2007
  2. dNor

    dNor Registered Member

    Joined:
    Oct 3, 2007
    Posts:
    212
    Location:
    Irvine, CA, USA
    Seems to be an iFrame exploit dropping a trojan and it's being cached. Most likely through a banner.

    Could be a FP, submit it to those AV vendors to verify FP or not. Possibly VirusTotal too in the meantime?
     
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This is the h.htm code:

    Code:
    <iframe src='http://prx.nu/' style='display: none'></iframe>
    <iframe src='http://www.nicksdirectory.com/' style='display: none'></iframe>
    A check of those sites didn't show anything unusual.

    Kaspersky identifies it as Trojan-Clicker.HTML.IFrame.a

    and defines a trojan-clicker:

    I did not observe any redirect, or download attempt of an executable, or the installation of any files other than cookies and other normal web page stuff.

    ----
    rich
     
    Last edited: Dec 5, 2007
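The two hidden iframes quoted above are exactly what a Trojan-Clicker.HTML.IFrame signature keys on, so a defender can triage a cached page with the same check instead of guessing FP or not. The script below is an added example (not code from this thread or from any AV vendor) that parses an HTML file and lists every iframe a user would never see on screen, either styled `display: none` / `visibility: hidden` or sized 0x0; the sample HTML is constructed from the two iframes in the post plus a visible and a zero-size iframe with placeholder hosts.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the two hidden iframes quoted in the thread, plus a
# visible iframe and a zero-size one (placeholder hosts) to show what is flagged.
SAMPLE_HTML = """
<html><body>
<iframe src='http://prx.nu/' style='display: none'></iframe>
<iframe src='http://www.nicksdirectory.com/' style='display: none'></iframe>
<iframe src="http://example.com/player" width="400" height="300"></iframe>
<iframe src="http://example.net/t.php" width="0" height="0" frameborder="0"></iframe>
</body></html>
"""

HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)


def _is_zero(value):
    """True when a width/height attribute is 0 (also matches 0px / 0%)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return m is not None and int(m.group(1)) == 0


class HiddenIframeFinder(HTMLParser):
    """Collects (hostname, line) for every iframe that is invisible on screen."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = dict((k.lower(), v) for k, v in attrs)
        style = a.get("style") or ""
        hidden = bool(HIDDEN_STYLE.search(style)) or (
            _is_zero(a.get("width")) and _is_zero(a.get("height")))
        if hidden:
            host = urlparse(a.get("src") or "").hostname or ""
            self.hits.append((host, self.getpos()[0]))


def find_hidden_iframes(html):
    """Return [(hostname, line_number), ...] for all hidden iframes in html."""
    p = HiddenIframeFinder()
    p.feed(html)
    p.close()
    return p.hits


if __name__ == "__main__":
    for host, line in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe -> %s (line %d)" % (host, line))
```

Run it against the cached .HTM file instead of SAMPLE_HTML to get the list of framed hosts to check; a hit is not proof of malice (rotating ad code uses the same trick), but it tells you which hosts to look at.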
  4. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Probably some iFrame related to rotating ads. Some ads may be malicious and that's why you don't see a consistent behaviour.
     
  5. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    Results Virustotal-scan:

    ~Virus Total results removed per site policy....Bubba~
     
    Last edited by a moderator: Dec 5, 2007
  6. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Send it to Kaspersky's viruslab. They respond pretty quickly.
     
  7. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    By uploading the file to VirusTotal (which I just did) it is automatically uploaded to the vendors (AFAIK).
     
  8. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    Yes, but that needs some days before the sample is distributed and the vendors care to take a look at it.
    Sending a mail is many times faster, plus you get a response from a virus analyst (in the case of Kaspersky and some other vendors) :)
     
  9. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    @Bubba, I didn't know that it's not allowed to post the virustotal-results.
    My apologies.

    OK, I will send the sample to Kaspersky, and some others.
    In the meantime I examined the sample in a VME. And after all I think it is a FP.
    It creates only one single file in the Documents & Settings-folder:
    \Username\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT

    No registry changes, or other changes in processes or network-activity.

    The file MSIMGSIZ.DAT is clean.
    I scanned it with several AV's, and also found nothing strange
    in HEX, strings, GUID's etc.

    I took a quick look with a searchengine, but I found nothing relevant about the MSIMGSIZ.DAT. Maybe somebody here knows more about this file?
    As I said, after all, it seems a FP to me.
    I'll submit the sample to Kaspersky for further analysis.

    Thanks to all for your replies.

    Regards,

    Chato.
     
  10. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    You're welcome :)
     
  11. Chato

    Chato Registered Member

    Joined:
    Oct 21, 2007
    Posts:
    35
    Location:
    Enschede, The Netherlands
    I'm happy to say that I just received a response from the Kaspersky Lab:
     