For about 10 days avast has been blocking my access to the website of a club of which I am a member. According to the program this website is infected with the HTML:Iframe-inf virus.
When I informed the website manager of this infection, I was told that it is a false positive warning from Avast, which should be corrected in a new update. I have sent an e-mail to avast about this in the usual way for mentioning false-positives (i.e. via the warning message on my screen). Nothing happens, however, and I still can’t access the website via the computer which is protected by avast. For emergency situations I have another computer which is protected by a different anti-virus program, and have no difficulty in accessing the website in that way. It seems that avast is indeed blocking the website unnecessarily. Can avast do anything about it, or do I have to install another program on my first computer as well??
Herman 38
HTML:Iframe-inf are most frequently valid detections… can you post the exact address, which triggers the alert?
The exact address is:
hxxp://www.haarlemmermeerschegolfclub.nl
The club has over 1300 members who access the website regularly, so if there should be a serious infection wouldn’t it have been picked up by other virus scanners as well? It seems that only the avast users among the members have this problem.
not a false positive… there’s a malicious iframe at the end of file…
Hi there Herman38,
It concerns hxxp://thedeadpit.com/, which sits at the bottom in a hidden iframe. Firefox indeed also reports “Reported attack site!” If one uses Firefox with NoScript, avast no longer blocks anything; alternatively, the webmaster/security official of the hoster can remove the hidden iframe mentioned and change his login and other passwords. So the problem lies not with avast but with the hidden code on this website. To immediately say that non-detecting AV software is the solution is cutting corners rather a lot,
polonus
Translation for non-Dutch forum-members. There is a hidden iframe on the site to the link mentioned above, Firefox with NoScript does not alert this with avast. Best is to cleanse the website of this if it was not meant to be there, change log passwords etc. So it is not avast that falsely detects it, to blame the av detection is a bit premature, to say the least,
p
Maxx and Polonus,
Many thanks for your quick and to-the-point replies. I shall inform the webmaster accordingly. It was perhaps a bit rash to suggest that another anti-virus program would be the solution, but as I haven’t noticed any terrible things happening to my other computer, and haven’t heard from other people who accessed the website with computers protected by other protection software that things have happened to their computers either, it seemed like a persistent false-positive to me.
If there is anything else which I can tell the webmaster about what he should do to eliminate the infection I should be glad to hear from you again.
Herman 38
Seems not…
Maybe the site was hacked…
You could point him at this topic and tell him to look for iframe tags that shouldn’t be on the web page/s; they are usually added to the end of the page HTML code, and often outside the closing html tag.
Hi Herman38,
We hope the webmaster of the site will soon cleanse the site in the way DavidR described, he could also change his log in passwords there as well to prevent another iFrame being set. Furthermore I wish you and the other fans may soon visit your favorite website without any hiccup, and we hope we could have distributed towards that goal. Stay safe and secure on the Internet,
polonus (malware-fighter)
Many thanks to you all who have helped me. I have now sent this whole conversation to the webmaster of the site, and asked him to act according to your suggestions.
Many thanks for noticing this infection and finding out what was happening.
It appears indeed that the website has been hacked and an extra line was added to the index.html
The extra line has now been removed and the passwords will be changed.
Thanks again for your help,
Richard
Use an extra secure password…
I seem to have stumbled upon another one: www.salonstyler.com … what I find strange is that Avast already took action when I had just performed a search in Google (so before I could even go to that site)… just try to find “salonstyler” with Google…
Is there a way to be sure it is NOT a false positive?
I saved the main site as “content.txt” to my desktop and Avast did nothing. However when I ask to scan this file (content.txt) using the right mouse button, an alert is given…
Any thoughts?
Hi paulv,
This is the Exploit Prevention Labs Link Scanner report:
There was 1 threat found.
Stop DANGEROUS: LinkScanner Online has found
[Sploit25 obfuscation]
Detail: Exploit: Sploit25 obfuscation
Sploit25 is an Autumn,2008 Russian origin exploit building kit that is advertised for $2,500 a copy. It includes a javascript obfuscator as well as implementations of MDAC, SnapShotViewer, a couple of PDF exploits and a Firefox embed exploit that is no longer current.
Risk Category: Exploit
Description: XPL’s Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends not visiting this web site regardless if your computer has been patched for the vulnerability.
Scanned:
Wednesday, February 11, 2009
Our Advice:
This page contains at least one exploit. You should not click on this link without appropriate anti-exploit protection on your PC. So avast did save you there, do not go there,
polonus
Well I don’t get any alert on a google search, so your problem might be your browser(?) or some sort of pre-fetch function that loads pages in the background to speed page loading if you click on a link.
I don’t believe this is a false positive.
There is a hidden iFrame tag pointing to a malicious site; the name of the site is trying to look like it belongs to google. See image1; I have broken the single line down to make it easier to view.
http://www.mywot.com/en/scorecard/google-analistyc.net
Also trying to access this site directly results in another alert, see image2.
So it looks like that site has been hacked.
Hi DavidR,
A way these types of obfuscation iFrame hacks translate can be seen from this example here: http://www.who-is-who-in-gpt.com/forum/index.php?s=0ec078f741146b1e33268cad18e977b1&showtopic=9610&pid=118092&st=0&#
Devious, isn’t it? (Part of the code there was removed for security purposes, but it is there to give the general idea of how these exploits feel and are being performed, and this example was an obfuscated iFrame hack… exploit for IE: “on XP Home it reports an infection, Exploit Sploit25 obfuscation, residing in /iexplorer.exe/”.)
And DavidR, you were the only one that reacted on me posting on this issue in the general forum, not everyone is aware of this being a gigantic problem that is spreading like wildfire…
polonus
Fortunately avast is well up on this obfuscation.
Though in this case a plain old hidden iframe with no obfuscation but still picked up by avast.
wow, thanks for the quick reply. I tried again using Opera and Avast only jumped into action when I wanted to visit the site, not when I used Google… So it turns out there is indeed a “prefetch” setting in Firefox I was unaware about… I switched it off and no more alert when googling around…
I must say I’m very impressed with Avast! (always used norton because it came with the laptop I got from my employer, but this is my own personal win2K pc and I didn’t want to spend too much money, and I read a good review about Avast in a computer-magazine…)
thanks again!
You’re welcome.
There is no default pre-fetch in firefox (I use it as my default browser); you have to enable that, and I guess you didn’t, as you are unaware about it.