Need advice on Trojan.Script.Iframer

Discussion in 'malware problems & news' started by cryon, Jan 20, 2009.

Thread Status:
Not open for further replies.
  1. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Hi y'all

    Need your expert advice on this. Recently I received an email link to hxxp://store.worldnewsdot.xxx and got a flag from Kaspersky AV showing HEUR:Trojan.Script.Iframer for ~Snip~

    When I ran the website through another laptop of mine that has NOD32 v4 installed, nothing was flagged from the website. So, I was wondering, is it dangerous or is it just my imagination? o_O

    Thanks in advance.
     
    Last edited by a moderator: Jan 21, 2009
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,770
    Location:
    Texas
    Submit the file to Kaspersky to be analyzed. They can tell you better than anyone.
     
  3. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Thanks ronjor. Can you point me to that direction?
     
  4. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    Hi,

    That's a 100% correct detection... that site is a fake "Obama" website designed to deliver trojans to your computer.... F-Secure has a writeup of it here:

    http://www.f-secure.com/weblog/archives/00001585.html

    Panda too:

    http://pandalabs.pandasecurity.com/...Impersonates-Barack-Obama_2700_s-Website.aspx

    Extract from the source code:

    The script you mentioned is an obfuscated script that downloads additional malware from another server.


    Moral of the story: Be very careful of which links you click from emails or comments on the internet.


    P.s. Your laptop that didn't give any warnings and was protected by another AV than KIS is probably infected and helping to host the same malware, please contact their tech support to get advice on cleaning any traces.
     
    Last edited: Jan 20, 2009
  5. andyman35

    andyman35 Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    2,336
    Avira takes exception to that site also, flagging up multiple warnings including HTML/Shellcode.Gen.
     
  6. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    Thank you all.
     
  7. TechOutsider

    TechOutsider Registered Member

    Joined:
    Sep 26, 2008
    Posts:
    549
    Attempts to save a "barrackblog.exe" on my computer with Norton disabled. Is it just me, or isn't that random? I don't think the avg. viewer will a) believe their viewpoints expressed and b) care to save a file on their computer.
     
  8. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    lolz... seems the IP keeps changing each time we key in the URL :D
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
  10. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    It's a fast flux malware campaign, hence the different IPs each time.
     
  11. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Could you please tell me what settings you have in NOD32 v4 to protect browsers? Do you have it in active mode?

    Regards
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    The actual script itself isn't dangerous; it's what it's trying to execute/download that is, which IS flagged by NOD32.
     
  13. cryon

    cryon Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    45
    My NOD32 v4 settings are set to default.
     
  14. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Excuse me?

    Nonsense... the script is the downloader.... and it is dangerous.

    Let me break it down a bit:


    1. The script is obfuscated to avoid detection (which seemed to work, since only 5 vendors currently correctly detect it),

    2. The script opens a hidden iframe to a dangerous website.

    3. The dangerous website is a malware delivery mechanism much like neosploit or any of the other "kits" for sale on the internet.

    4. The script is essentially a "downloader" as it initiates a connection to the site where the bad code is downloaded from (it's not the video.exe file, contrary to what you may think; that is separately downloaded and has nothing to do with the script).

    5. The malware on the site the script is calling can change at any moment, so if you do not detect the script you do not guarantee the safety of the user.... That's like saying this trapdoor doesn't have a cover, but it's OK because there is a crate full of foam underneath it.... but what if the crate is moved ;)

    6. ESET will add detection for the script if you send it to them.... just like any other antivirus vendor, because the script is classed as malware. We can defend AVs to a certain point when they don't detect something (pretty pointless, as any AV will fail to detect some malware at some point), but making statements to the effect that "it isn't dangerous, that's why there is no detection" is plain wrong.


    This is what it looks like:

    (some creative editing to stop people from screwing up their pc's if they decide to try and execute it)

    Deobfuscated version:

    Again, edited to stop the brave going where they shouldn't :p

    And a connection to that server downloads all sorts of nasties depending on referer, location, OS and browser.
     
    Last edited: Jan 21, 2009
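The post above describes two things a defender can look for in served HTML: a hidden iframe pointing at a host other than the site itself, and the obfuscation wrapper (escaped document.write, long String.fromCharCode runs, eval of a decoded string) that hides the frame from casual inspection. The following static scanner is an added example and is not code from this thread or from any of the vendors mentioned in it; the HTML samples, the site host `example.com` and the off-site host `bad.example.net` are constructed for the demonstration.

```python
"""Added example (not from the thread): a static scanner for hidden
off-site iframes and common script-obfuscation markers in HTML."""
import re
from typing import Dict, List
from urllib.parse import urlsplit

IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
IFRAME_SRC = re.compile(r"""\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)
# Ways an injected frame is typically kept out of sight: zero size,
# CSS hiding, or a large negative offset that pushes it off screen.
HIDDEN_STYLE = re.compile(
    r"""(?:(?:width|height)\s*[=:]\s*["']?0(?!\d)"""
    r"""|display\s*:\s*none"""
    r"""|visibility\s*:\s*hidden"""
    r"""|(?:left|top)\s*:\s*-\d{3,})""",
    re.IGNORECASE,
)
# Obfuscation markers: heuristics for triage, not proof of malice on their own.
OBFUSCATION = [
    ("document.write(unescape(...))",
     re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)),
    ("long String.fromCharCode numeric run",
     re.compile(r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.IGNORECASE)),
    ("eval of a decoded string",
     re.compile(r"\beval\s*\(\s*(?:unescape|atob|String\.fromCharCode)\b", re.IGNORECASE)),
    ("long %XX escape run",
     re.compile(r"(?:%[0-9A-Fa-f]{2}){30,}")),
]


def _is_offsite(src: str, site_host: str) -> bool:
    """True when the frame source points at a host outside the site's domain."""
    host = urlsplit(src).hostname
    if host is None:  # relative URL: same origin as the page itself
        return False
    return not (host == site_host or host.endswith("." + site_host))


def scan_html(html: str, site_host: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious iframe and per obfuscation marker."""
    findings: List[Dict[str, str]] = []
    for m in IFRAME_TAG.finditer(html):
        tag = m.group(0)
        src_m = IFRAME_SRC.search(tag)
        src = src_m.group(1) if src_m else ""
        hidden = bool(HIDDEN_STYLE.search(tag))
        offsite = bool(src) and _is_offsite(src, site_host)
        if hidden or offsite:
            findings.append({"kind": "iframe", "src": src,
                             "hidden": str(hidden), "offsite": str(offsite)})
    for label, rx in OBFUSCATION:
        if rx.search(html):
            findings.append({"kind": "obfuscation", "detail": label})
    return findings


# Constructed samples: a benign page embedding its own widget, and the same
# page with a zero-size off-site frame plus an escaped document.write payload.
SITE = "example.com"
CLEAN = ('<html><body><p>Blog</p>'
         '<iframe src="http://www.example.com/widget.html" width="300" height="200">'
         '</iframe></body></html>')
INJECTED = ('<html><body><p>Blog</p>'
            '<iframe src="http://bad.example.net/frame.html" width="0" height="0" '
            'style="visibility:hidden"></iframe>'
            '<script>document.write(unescape("' + "%3C%69%66%72%61%6D%65" * 5 + '"))</script>'
            '</body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN), ("injected", INJECTED)):
        print(name, scan_html(page, SITE))
```

Run it against pages fetched from a suspect host (or against the files on a web server you administer) and triage the findings by hand: a zero-size frame to a third-party host alongside an escaped `document.write` is the pattern the post describes, while a visible, same-domain iframe produces no finding.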
  15. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Mate you proved my point yourself. A lethal script isn't lethal when the downloaded contents are detected and removed.
     
  16. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    It's not clear to me what you mean by "downloads" -- by remote code execution, or by user selecting to download.

    From the Panda write up you link, it would seem to be the latter -- the user must select to download:

    obama.jpg


    ----
    rich
     
  17. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London

    Yes, the actual video.exe must be downloaded and executed manually (e.g. by clicking "read more").... but there is an additional script on that particular page which silently executes and connects to another website from where code is downloaded silently without user input (the original question by the OP was asking about a detection on that script)
     
    Last edited: Jan 21, 2009
  18. Baz_kasp

    Baz_kasp Registered Member

    Joined:
    May 1, 2008
    Posts:
    593
    Location:
    London
    I don't know how you came to that conclusion when I specifically pointed out in my reply that not detecting the downloader is like an open trap door with a 40-foot drop, and each person who is unlucky enough to drop through that trapdoor has to count on there being something soft at the bottom..... which isn't guaranteed, as the downloaded malware is constantly changing and could be swapped for something that isn't well detected pretty easily... not to mention server-side polymorphism that could easily mutate the file, etc.

    If you detect the script initially, then there is no chance that the user will come in contact with the file it is trying to download in the first place.... hence AV companies will detect the script as malicious once they get a copy of it or if they have implemented script checking heuristics (e.g. KAV HEUR: Trojan.script.iframer or Avira Shellcode.gen). This removes the "chance" factor that the malware which it is trying to download is not detected and stops the drive by download before it has a chance to happen.
     
  19. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    No, I agree with you that it should be detected, but I'm trying to say the user is perfectly safe even if the script was run, because the content is blocked from being downloaded and/or removed right after the complete file downloads.
     
  20. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for that clarification. You are the only source I've seen that provides this information about the silent download.

    The reason I ask is that I watch for exploits to see what is new so I can pass information on to a few people I help from time to time. It seems that there is nothing new here.

    First, the social engineering trick is similar to the fake CNN sites that delivered up malware. The user is enticed to view a video about some scandalous situation. The two methods of attack are

    • The user starts to watch the video and a prompt pops up to install an update of some kind
    • The user is prompted immediately to run an executable, as in this case. This is reminiscent of the Storm malware.
    Fake Obama Web Site Reportedly Builds Botnet
    http://www.informationweek.com/news...tml?articleID=212901473&subSection=Cybercrime
    Actually, all of the links on the fake obama site point to the same executable:

    obama-store.gif

    The obvious preventative measure here is a firm policy about installing unknown/untrusted/unverified executables.

    Second, the remote code execution part. It used to be that you could count on all such exploits to be directed to IE users, but the recent PDF and SWF exploits show that you can't jump to conclusions, since these two can infect no matter which browser is used.

    So, you have to test, because you get no help from the security vendor analyses I've seen so far.

    Using Opera, the malicious .js file caches but nothing happens.

    Using IE6, at least two different exploits are served up:

    obama-exe.gif

    obama-installer.gif

    Not being able to analyze the obfuscated code, I'm not sure which of the many IE specific exploits these are. But it doesn't really matter - they all do the same thing: attempt to install a trojan. Conclusion: not a threat to users of Opera or Firefox. And easily blocked, anyway.

    So there is nothing new here. Today it is obamamania. Tomorrow, something else.

    http://www.eweek.com/c/a/Security/Malicious-Sites-With-Fake-Obama-News-Trying-to-Build-Botnet/
    By now, careful users are alert to these things, and we can only hope that more people will become aware and proceed accordingly!

    ----
    rich
     
  21. bigtime

    bigtime Registered Member

    Joined:
    Jan 27, 2009
    Posts:
    1
    Hi,

    That code keeps getting inserted into the index pages on my website. It's been going on for over a month. After the code is inserted in my pages I upload a clean copy over it. Happens a few times per day! When a visitor goes to my website, there is a warning about: HEUR:Trojan.Script.Iframer

    How does this code get into my server pages? Any clues on what to look for or how to shut it down?

    I've already found some .pl files and deleted them but the hacking issue continues.

    Any help deeply appreciated!!!!

    Thanks!
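The situation bigtime describes (index pages rewritten several times a day, stray .pl files appearing, and the injection only noticed when a visitor's AV complains) is easier to narrow down once you know exactly when files change and which ones. The baseline-and-compare check below is an added example, not code from this thread: it hashes every file under a web root from a known-clean copy, then re-hashes on a schedule and reports what was added, removed or modified. The directory layout, file contents and the `bad.example.net` host in `demo()` are constructed for the demonstration.

```python
"""Added example (not from the thread): file-integrity baseline for a web
root, reporting added, removed and modified files against a saved manifest."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of content for every regular file under root."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def save_manifest(manifest: Dict[str, str], dest: Path) -> None:
    # Keep the manifest outside the web root, ideally on another host: whoever
    # can rewrite index.html can also rewrite a manifest stored beside it.
    dest.write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(src: Path) -> Dict[str, str]:
    return json.loads(src.read_text())


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: clean site, baseline taken, then the kind of change
    reported in the thread (a hidden frame appended to index.html, a new .pl file)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "htdocs"
        root.mkdir()
        (root / "index.html").write_text("<html><body>welcome</body></html>")
        (root / "about.html").write_text("<html><body>about</body></html>")
        manifest_path = Path(tmp) / "baseline.json"  # outside htdocs on purpose
        save_manifest(hash_tree(root), manifest_path)

        # Simulated tampering (constructed): off-site zero-size frame appended,
        # unexpected script dropped into cgi-bin.
        with (root / "index.html").open("a") as fh:
            fh.write('<iframe src="http://bad.example.net/f.html" width="0" height="0"></iframe>')
        (root / "cgi-bin").mkdir()
        (root / "cgi-bin" / "dropped.pl").write_text("#!/usr/bin/perl\n")

        return diff_manifest(load_manifest(manifest_path), hash_tree(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=1))
```

Run `hash_tree` once against a copy you trust and `save_manifest` it off the server; then schedule the compare and log the timestamp of each change. Correlating those timestamps with the FTP and web-server access logs for the same minute is what separates "stolen upload credentials" from "vulnerable script being exploited", which is the question the replies below are guessing at; a manifest stored on the compromised host itself cannot be trusted for that purpose.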
     
  22. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,853
    Sounds like you have out-of-date software on your server that is being exploited.
     
  23. Nitewolf

    Nitewolf Registered Member

    Joined:
    Jan 22, 2009
    Posts:
    14
    If you are running a site that has user input fields it's quite possibly a SQL injection attack. You may want to run through all your code and look for any foreign JavaScript as well. The fix is to update your code to the latest version.
     
    Last edited: Jan 29, 2009