False Positive (HTML:Iframe-inf)

We are seeing this flag being set based on what I suspect is a flagged domain.

I ran an HTML snippet containing an iframe calling playpickle.com through a scan, which returned this positive result (HTML:Iframe-inf). However, this is simply a site providing a gaming toolbar that has easy removal instructions (hxxp://playpickle.com/deactivate) as well as an ad-serving domain, which will result in the domain being legitimately loaded within an i-frame.

See sucuri screen shot

sucuri malware info: http://sucuri.net/malware/malware-entry-mwiframehd202

found here

-http://playpickle.com//404javascript.js
-http://playpickle.com/
-http://playpickle.com?aid=
-http://playpickle.com/category/tournament/?aid=organic&sk=u994qi67u63u18k3h7cnf9bv57

urlQuery - Suspicious
http://urlquery.net/report.php?id=16292

Wepawet
http://wepawet.iseclab.org/view.php?hash=46e05e2af9f7db3691758d8e56e49c37&t=1326743823&type=js

First, please ‘modify’ your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

There are 5 iframes after a closing DIV tag in the footer, and they are all 1x1, effectively invisible, and that may be what is triggering this suspicion of an injected iframe (HTML:Iframe-inf). There is also a script tag with a variable to also create a script element.

I don’t initially get an alert on this URL you gave, but I use Firefox with the NoScript and RequestPolicy add-ons, so scripts aren’t allowed to run unless I selectively allow sites (allowed that one but not the other 10 cross-site scripts).

Another analysis site doesn’t like it either and it is the iframe tags it doesn’t like either, http://sitecheck.sucuri.net/results/http://playpickle.com/deactivate.

Suspicious code is being found here:

-cdn.kmdl101.com/plugins/bos-krusty/scripts/mbox.js?ver=1.0 suspicious
[suspicious:2] (ipaddr:64.215.158.11) (script) -cdn.kmdl101.com/plugins/bos-krusty/scripts/mbox.js?ver=1.0
status: (referer=-playpickle.com/)saved 22543 bytes d36d434c41b7396b8463a9aeb05670518c06a267
info: [decodingLevel=0] found JavaScript
suspicious:
iFrame abused to load trojan,

polonus
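
The 1x1 iframes mentioned in the thread are the kind of pattern a heuristic iframe detection keys on. As an added example (not code from avast, Sucuri or any poster here), this sketch lists iframes in a page that render invisibly so they can be reviewed by hand; the sample HTML and its `example.test` hosts are constructed, and a hit is only a reason to look, since ad and tracking pixels produce the same pattern.

```python
import re
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    """Collect iframes that render invisibly (tiny size or hidden by CSS)."""

    def __init__(self, max_px=1):
        super().__init__()
        self.max_px = max_px
        self.findings = []  # (src, line number, [reasons])

    @staticmethod
    def _px(value):
        # Accept "1" or "1px"; percentages and other units return None.
        m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
        return int(m.group(1)) if m else None

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        style = a.get("style", "").lower().replace(" ", "")
        reasons = []
        w, h = self._px(a.get("width")), self._px(a.get("height"))
        if w is not None and h is not None and max(w, h) <= self.max_px:
            reasons.append(f"{w}x{h} size")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by CSS")
        if reasons:
            self.findings.append((a.get("src", ""), self.getpos()[0], reasons))


def find_hidden_iframes(html, max_px=1):
    parser = HiddenIframeFinder(max_px)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a footer followed by visible and invisible iframes.
SAMPLE = """
<div id="footer">Footer text</div>
<iframe src="http://tracker-a.example.test/p" width="1" height="1"></iframe>
<iframe src="http://tracker-b.example.test/p" width="1px" height="1px"></iframe>
<iframe src="http://ads.example.test/banner" width="728" height="90"></iframe>
<iframe src="http://tracker-c.example.test/p" style="display: none"></iframe>
<iframe src="http://video.example.test/embed" width="100%" height="315"></iframe>
"""

if __name__ == "__main__":
    for src, line, reasons in find_hidden_iframes(SAMPLE):
        print(f"line {line}: {src} ({', '.join(reasons)})")
```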