Tons of IFrame.B.Gen hits today

Discussion in 'ESET NOD32 Antivirus' started by bradtech, Aug 10, 2009.

Thread Status:
Not open for further replies.
  1. bradtech

    bradtech Guest

    Is this a new definition that was pushed? Had about 7 machines this machine email in with it..
     
  2. gkurcon

    gkurcon Registered Member

    Joined:
    Aug 10, 2009
    Posts:
    4
    We have seen about 3 or 4 machines today (out of 130) with this alert. It looks like a false positive to me, but I could be wrong.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Could you please email some in a password protected archive to samples[at]eset.com?
     
  4. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    I've been seeing a whole bunch. I've tried contacting ESET with no luck... but we should expect that I guess. Do you think this is an FP? Should we be worried?
     
  5. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    Also, the logs are catching this from some reputable sites too, which is odd. Which is why I am thinking it is an FP.
     
  6. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    Marcos,
    I don't have a sample. Is it ok to post the link to the pages it's catching it on?
     
  7. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    That's normal...
    Lots of legit websites are being hacked and an iframe is inserted to redirect the user to another page to download a malicious file.
     
  8. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    Are there more hacks today than there were yesterday? I'm seeing this come from sites like 411.com and whitepages.com
     
  9. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    They could be FPs though.
    Nothing strange going on when I visit those sites here with the security I use.
     
  10. gkurcon

    gkurcon Registered Member

    Joined:
    Aug 10, 2009
    Posts:
    4
    I've submitted two examples from one of the machines to the address requested above. Hope that helps.
     
  11. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    The links are pretty deep into 411.com and whitepages.com. I didn't want to post the direct link to avoid cross contamination.
     
  12. ASpace

    ASpace Guest


    Post them inactive
    hxxp://bla-bla-bla.com/example....
     
  13. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    here are the inactive links... change hxxp: to http:

    hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j&u=http://www.411.com/search/ReversePhone?full_phone=617-924-6574&localtime=survey&r=&rnd=768428

    hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j&u=http://www.whitepages.com/search/FindPerson?firstname_begins_with=1&firstname=r&name=domico&where=Langhorne%2C+PA&r=&rnd=777640
     
  14. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    One more quick update. I was speaking with one of my users who I know does not surf any crazy sites and he told me he got the error when he was browsing to boston.com or possibly the wallstreetjournal.com or wsj.com. These sites are pretty reputable. So I am starting to think this is a FP.
     
  15. ASpace

    ASpace Guest

    It is actually http://afe.specificclick.net/ that is blocked. It (its IP) has been placed on the list with sites with potentially dangerous content. I can't comment if this site deserves or deserves not to be blocked.
     


  16. kaisernc

    kaisernc Registered Member

    Joined:
    Feb 6, 2007
    Posts:
    4
    This does look like it could be a FP. I am noticing it from several of our machines here. It appears to be triggered by ads on legit websites. All the links I am seeing look like they have something to do with afe.specificclick.net. The links always reference the site where they came from. One example I have seen from whitepages.com:

    hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j&u=http://www.whitepages.com/maps&r=http://www.google.com/search?client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&channel=s&hl=en&q=area+code+map&btnG=Google+Search&rnd=209674&uid=4iQ6pZ14p4tX1C

    Craig
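
The pattern reported in the posts above (every alert URL sits on afe.specificclick.net and names the embedding page in its `u=` parameter) can be checked across a batch of alert-log URLs. This is an added example, not part of any poster's message or of ESET's tooling; the function names are hypothetical and the sample URLs are the thread's defanged links with their query strings trimmed.

```python
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the thread's defanged links, query strings trimmed.
ALERT_URLS = [
    "hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j"
    "&u=http://www.411.com/search/ReversePhone&r=&rnd=768428",
    "hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j"
    "&u=http://www.whitepages.com/search/FindPerson&r=&rnd=777640",
    "hxxp://afe.specificclick.net/?l=1841631040&sz=728x90&wr=j&t=j"
    "&u=http://www.whitepages.com/maps&r=http://www.google.com/search&rnd=209674",
]


def refang(url):
    """Make a defanged hxxp:// link parseable again (it is never fetched)."""
    if url.lower().startswith("hxxp"):
        return "http" + url[4:]
    return url


def triage(urls):
    """Count the hosts the alerts fired on and the sites that embedded them."""
    blocked, embedding = Counter(), Counter()
    for raw in urls:
        parts = urlsplit(refang(raw.strip()))
        blocked[parts.hostname] += 1
        # The ad request names the page it was embedded in via u=.
        for page in parse_qs(parts.query).get("u", []):
            host = urlsplit(page).hostname
            if host:
                embedding[host] += 1
    return blocked, embedding


def common_factor(urls):
    """Return the single host behind every alert when several unrelated
    sites embed it (a shared third party, e.g. an ad server), else None."""
    blocked, embedding = triage(urls)
    host, hits = blocked.most_common(1)[0]
    return host if hits == len(urls) and len(embedding) > 1 else None


if __name__ == "__main__":
    print(triage(ALERT_URLS))
    print(common_factor(ALERT_URLS))
```

A single shared host across unrelated embedding sites points at one blocklist entry or one third-party resource, which is the thing to report to the vendor or inspect, rather than each site separately.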
     
  17. ASpace

    ASpace Guest

    This site is what some might call a tracking cookies site - like doubleclick.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The site will be removed from the blacklist, but it'll be added again if another piece of malware turns out to be exploiting it.
     
  19. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    From my HOSTS File
    Hope this helps.
     
  20. ASpace

    ASpace Guest


    adopt.specificclick.net #[Ad-Aware.Tracking.Cookie] <=

    :rolleyes:
     
  21. bradtech

    bradtech Guest

    Mine all come from


    afe.specificclick[1].htm

    The number goes from [1] to [2] on some machines..

    Also

    CA0PAfun.htm
    Ca6DTXGA.html

    It is unable to clean them...
     
  22. ittech

    ittech Registered Member

    Joined:
    Dec 5, 2007
    Posts:
    30
    I've been getting phone calls about this all morning, on vrbo.com and other news sites, definitely related to specificclick.net ads, but is a false positive as I'm not seeing any exploit code on those actual links, just a netflix ad in one case
     
  23. lolo2907

    lolo2907 Registered Member

    Joined:
    Apr 16, 2007
    Posts:
    13
    Are people still receiving these warnings? I keep getting them fairly often.
     
  24. bradtech

    bradtech Guest

    Last one was 26 minutes ago..

    08-10-2009 14:20:03 "2:20" PM CST...
     
  25. sparx

    sparx Registered Member

    Joined:
    Jan 10, 2007
    Posts:
    60
    Still getting alerts. Any idea on a timeline for the next update?
     