What should be detected as JS:iframe-[XX] is surprisingly, not detected–by any antivirus.
Based on the exploit given here: http://forum.avast.com/index.php?topic=96822.0
In which, is dated one month ago, I would assume that the AV industry would be able to block this kind of threat.

Using a random malicious link from today (attached #1), I inject that link into my modified source.
http://urlvoid.com/scan/lastofengland.org/
http://urlquery.net/report.php?id=59332

The exploit syntax should’ve been enough to alert. I’m surprised that none did. See:
https://www.virustotal.com/file/a5e827c1d75ae62d3211923b28f3fe8ce47351ef666063e8bd017e76fa09182e/analysis/1337891506/

Attachment #2 contains the tested fully compressed file and attachment #3 contains the part that avast! should’ve detected.

??? :-\

I guess i have another sample similar to this or not…but it also misses avast detection as given here:
https://www.virustotal.com/file/f05fb0c81f0eefe8916c951b3aa76e3abd492e2ee3bbbdff7a2615d1244a78e3/analysis/

Hi !Donovan,

Thank you very much for your observations. Maybe the knowledge of this attack has sunken away in the memory of av analysts, so they missed it.

Very interesting link to read: http://www.hars.de/2010/12/Maria-14186255-malware-spam.html link article author = Florian Hars;

The appendChild iframe attack method you described had already been known to us from around the year 2008. From the moment a user clicks only the iFrame URL is changed, and JS malware contol is being maintained through this invisable full-screen iFrame. The URL bar that does not change with each click, being the only drawback when this attack method is performed…

polonus

Thinking that my algorithm was too tough, I remove it completely. I also saw that I forgot .style before .opacity. Thinking that this would be enough. I reupload the debugging sample (my version that’s fully beautified and clean) to VirusTotal. The results: https://www.virustotal.com/file/a20de6e982d7b13663c0e539952ee59bc61729dab7831c79064b279ea16feb46/analysis/1337948822/ !?

Well, then I thought, maybe one of the heuristic scanners would detect it if it was packed, so I pack this one using the default setting in Dean Edward’s packer and upload it again. Same Results: https://www.virustotal.com/file/789857026049e89acb360add3da5f0b49b6678da68e377715c25e5820a01fb73/analysis/1337949157/

Edit: PM for sample.

Hi !Donovan,

What you have done is the best proof of the fact that av detection is mainly reactive. If they do not know what to look for, it will not be detected.

polonus

it seems you are correct Donovan

Norman lab agree with you

HTML/Iframe.LX will detect both the samples.

**REMOVED

Please don’t publish links to malware on file share sites as this is a publicly available forum and you have no control over who might download it or what they might do with it. Samples should be sent directly to avast and not shared.

So I would advise its removal from the posts and from the file share site.

Hi DavidR,

Agree with you here, that is why I sometimes even break scan result links now. In a public forum be aware that the malversant is reading over your shoulder all the time.

Still there should be room for some criticism here, because as this type of malware is a recycled 2008 type, coming right out of the widely available txt-books (also to be googled and read online) it is a shame really that it is not being detected by a wide variety of av solutions. Apparently priority went to file viruses and trojans and scripting threats held a lower priority for quite some time. Avast is certainly catching up in this respect, other av’s certainly lack behind. And some even admit this,

polonus

Lets hope that sooner or later suspicious patterns found in coding on the web will be detected by antiviruses.

After all, why use the “if” + “rame” method when you can use “iframe” and save 5 characters for your scripts, webmasters?

Hi !Donovan,

I think script anomaly detection and IDS incorporation should come to av detection asap. We cannot only rely on Opera and Google Safebrowsing blocking inside FX and Chrome, because hordes of Blue E users will be unprotected. I have to admit that both Bitdefender TrafficLight and WOT blocks a lot of sites where this is.
Only last year Google blocked 134 million ads of which a portion were malvertizing ads. I know malware protection is mainly reactive,

polonus

@ !Donovan
Thanks for removing the file share link.

that took some time, but finally from Avira

The file 'JS-Iframe-Exploit--Default-DE-Compressed.js' has been determined to be 'MALWARE'. Our analysts named the threat JS/IFrame.agi. The term "JS/" denotes a Java scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.

The file 'JS-Iframe-Exploit--FULLY_Beautified.js' has been determined to be 'MALWARE'. Our analysts named the threat JS/IFrame.agi. The term "JS/" denotes a Java scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Hi folks,

A very good analytical job from !Donovan, thanks to him for delving this up and also thanks for the reporting to the av community,
Pondus, so they are aware an have added this to detection,

polonus

+1 !Donovan

Good catch.

Working virus laboratory frustrating, very slowly add the samples.

+1

Agree,for some reason they are being slow from past 5 to 6 days in adding samples…normally they are quick…but its getting frustrating i have 65 missed samples for avast to add detections for

any ideas avast! team??