Ongoing IFrame attack proving difficult to kill

Discussion in 'malware problems & news' started by ronjor, Mar 18, 2008.

Thread Status:
Not open for further replies.
  1. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    I keep it enabled. Let the malicious iframe infect me. I am ready to capture any malware all the time.
     
  2. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    I've iFrames disabled in Opera, problem solved. For my part this doesn't interfere with any of the sites that I normally visit.

    /C.
     
  3. Hermescomputers

    Hermescomputers Registered Member

    Joined:
    Jan 9, 2006
    Posts:
    1,069
    Location:
    Toronto, Ontario, Canada, eh?
    Like I wrote in some other posts, Iframes are not evil regardless of what some are saying as they do provide a powerful method of content delivery and it is widely used by web masters the world over. However as in everything good, there is always someone to frack things up... Just add humans = Instant trouble!

    A method of discrimination between good and useful and hostile is preferable... As your Gmail example exposes...
     
  4. ShaneR34

    ShaneR34 Registered Member

    Joined:
    Mar 9, 2008
    Posts:
    107
    Just a quick comment on Opera and Iframes (and other scripts etc).

    You don't need to disable iframes globally. Opera allows you to set these preferences per site.

    Just right click on a page and select "edit site preferences" and go crazy :)

    So, you could have iframes enabled for GMail, but no other site if that's what you wanted...
     
  5. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    You're advocating a blacklist-approach Shane. I prefer the whitelist-approach instead, i.e. disable globally and enable the functions (JS, Java, Flash, iFrames etc) per site.

    /C.
     
  6. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,164
    Location:
    UK / Pakistan
    That is the right way to do it.
     
  7. ShaneR34

    ShaneR34 Registered Member

    Joined:
    Mar 9, 2008
    Posts:
    107
    Sorry. I actually meant it as a white-list approach...just worded it wrong :)
     
  8. x111

    x111 Registered Member

    Joined:
    Mar 18, 2008
    Posts:
    6
  9. kencat

    kencat Registered Member

    Joined:
    Jan 25, 2008
    Posts:
    47
    Location:
    Ontario, Canada
    I know how you feel. I have NoScript on Seamonkey and see the Iframe as well even with Iframes disabled (supposedly).

    Would be nice to know why this Iframe appears when it shouldn't. Makes you wonder if our software is working or whether this is a magic Iframe :blink: :D
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    I find that IE6 will prompt if an iFrame attempts to download an executable.

    The source code for the test in the link is

    Code:
    <iframe src="content.html">
    
    which loads that .html page, displaying the text you see in the iFrame.

    Create a test.html page with

    Code:
    <iframe src="notepad.exe">
    
    Put it in a directory with a copy of Notepad.exe. When I view the page, IE prompts:

    iframe_IE.gif
    _________________________________________________________________

    As a method to download malware as described in the original Article, iFrame is rather weak,
    in that it requires the victim to agree to the prompt to download.

    Not that it isn't successful, of course...
    otherwise, it wouldn't continue to be used:

    Massive IFRAME SEO Poisoning Attack Continuing
    http://ddanchev.blogspot.com/2008/03/massive-iframe-seo-poisoning-attack.html

    More dangerous are true remote code execution methods, one of which I showed in my Post #10 above.
    Without adequate protection, the malware installs silently in the background.


    ----
    rich
     
    Last edited: Apr 2, 2008
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Other "weak" methods of infection -- requiring the victim to permit the installation -- are used by the Storm cards exploits:

    Code:
    <a href="with_love.exe">Click to Download</a> 
    

    _________________________________________________________________________

    Or this, which attempts to start the download automatically:

    Code:
    <meta http-equiv="Refresh" content="5; URL=with_love.exe"> 
    		        
    Your download will start in 5 seconds.<br>
    
    ____________________________________________________________________



    ----
    rich
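
An added example, not code from any poster in this thread: a small Python scanner a site owner could run over their own pages to flag the three delivery patterns quoted in the two posts above (an iframe whose `src` is an executable, a direct download link, and a meta refresh to an executable). The extension list, the names `scan` and `ExecutableRefFinder`, and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Extensions treated as directly executable on Windows (assumed list, extend as needed).
EXECUTABLE_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")

def is_executable_url(url):
    """True if the URL path (query and fragment ignored) ends in an executable extension."""
    return urlsplit(url.strip()).path.lower().endswith(EXECUTABLE_EXT)

class ExecutableRefFinder(HTMLParser):
    """Collects (tag, technique, url) for markup that points the browser at an executable."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # tag and attribute names arrive lowercased
        if tag in ("iframe", "frame") and is_executable_url(a.get("src", "")):
            self.findings.append((tag, "framed executable", a["src"]))
        elif tag == "a" and is_executable_url(a.get("href", "")):
            self.findings.append((tag, "download link", a["href"]))
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            # content looks like "5; URL=with_love.exe"; the URL part is optional
            m = re.search(r"url\s*=\s*['\"]?([^'\";]+)", a.get("content", ""), re.I)
            if m and is_executable_url(m.group(1)):
                self.findings.append((tag, "auto-refresh download", m.group(1).strip()))

def scan(html):
    """Return every executable reference found in one HTML document."""
    finder = ExecutableRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed sample page combining the snippets quoted in the thread,
# plus one benign link whose query string merely mentions an .exe name.
SAMPLE = """
<iframe src="content.html"></iframe>
<iframe src="notepad.exe"></iframe>
<a href="with_love.exe">Click to Download</a>
<meta http-equiv="Refresh" content="5; URL=with_love.exe">
<a href="/help/about.html?file=setup.exe">About</a>
"""

if __name__ == "__main__":
    for tag, technique, url in scan(SAMPLE):
        print(f"<{tag}> {technique}: {url}")
```

Only the URL path is checked, so the benign `about.html?file=setup.exe` link is not reported while the three thread patterns are.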
     
  12. herbalist

    herbalist Guest

    The iframe test on jaybirds site when viewed using Proxomitron's default filters and enabling the "iFrame/iLayer to link" filter. Filter can be modded to use whitelist as mentioned earlier.
    Prox-iframe.gif
     