HTML:Iframe-ZG [Trj]

Hello,

I just visited the Santa Fe Cattle Co site, which is a big American steakhouse chain, and when I visited I got a threat of the following: HTML:Iframe-ZG [Trj]

13/05/2013 18:30:23 hxxp://www.santafecattleco.com/ [L] HTML:Iframe-ZG [Trj] (0)

I visit them quite often as they update their menus quite often, and I'm going to America in a couple of months, so I like to keep up with what they offer. Anyways, this is the first time I've had a threat from them. Is this a FP or the real deal, perhaps by their site getting hacked or something?

There is a hidden iframe after the closing html tag (see image); this is generally a standards no-no and under normal circumstances considered suspicious.

Normally this would be to a 3rd party (external) site, but in this case it is to the main site and a counter.php page; this may or may not be hacked/malicious. I don't know if this is an intentional entry by the webmaster or not, though it is suspect.

But when the index page is uploaded to VirusTotal, a number of other AVs also alert on it: https://www.virustotal.com/en/file/56148a8dbbc41281341af25d6f7e7205fd3b766c17ebc9ded3f3e083aa1fbb4e/analysis/1368466880/.

Also seen by Sucuri: http://sitecheck.sucuri.net/results/www.santafecattleco.com

Malware entry: MW:IFRAME:ENC1560. http://labs.sucuri.net/db/malware/malware-entry-mwiframeenc1560

Yes, there are 6 suspicious iFrames found: http://evuln.com/tools/malware-scanner/www.santafecattleco.com/
But no malicious redirects were found. Google Safe Browsing does not blacklist at the moment.

See flags here: https://www.virustotal.com/id/url/4795b183e6ddc01d40c92b0fa66994ed24741241a6fbb4ec4b2b30db663ea042/analysis/1368479279/
unp32351602.tmp is detected here: https://www.virustotal.com/id/file/56148a8dbbc41281341af25d6f7e7205fd3b766c17ebc9ded3f3e083aa1fbb4e/analysis/1368466880/
avast detects as HTML:Iframe-ZG [Trj]
No alerts here: http://urlquery.net/report.php?id=2447449 and here: http://chrome.quttera.com/chrome_detailed_report/www.santafecattleco.com
But there is malware on other domains sharing that IP; the IP is not being blacklisted at the moment: http://www.ipvoid.com/scan/184.168.152.37/
Domains on that IP are blacklisted, however: http://www.urlvoid.com/ip/184.168.152.37
And so we closed the scan circle we started here: http://www.urlvoid.com/scan/santafecattleco.com/
with potentially active threats: http://www.avgthreatlabs.com/sitereports/domain/santafecattleco.com/

polonus
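The two indicators discussed in this thread (an iframe placed after the closing html tag, and a hidden or one-pixel iframe pointing back at the site's own counter.php) can be checked mechanically when reviewing a page you are responsible for. The following Python script is an added example, not code from anyone in this thread or from any of the scanners linked above. It parses an HTML document with the standard library, records every iframe, and flags those that appear after `</html>`, are hidden by CSS, or are sized 0 or 1 pixel; it also notes whether the iframe points at the site's own host, which is the detail that made the case above ambiguous. The sample page and the host name www.example.com are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS fragments that make an iframe invisible to the visitor.
HIDDEN_CSS = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)")
# Inline-style width/height of 0 or 1 (with or without "px").
TINY_DIM = re.compile(r"(width|height)\s*:\s*[01](px)?\b")


def _tiny(value):
    """True if an HTML width/height attribute is 0 or 1 (a pixel-sized frame)."""
    if value is None:
        return False
    m = re.match(r"\s*(\d+)", value)
    return bool(m) and int(m.group(1)) <= 1


class IframeAuditor(HTMLParser):
    """Collects every <iframe> and the reasons (if any) it looks suspicious."""

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.after_html_close = False   # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # bare attributes have value None
        style = a.get("style", "").lower()
        reasons = []
        if self.after_html_close:
            reasons.append("after closing </html>")
        if HIDDEN_CSS.search(style):
            reasons.append("hidden by CSS")
        if _tiny(a.get("width")) or _tiny(a.get("height")) or TINY_DIM.search(style):
            reasons.append("zero/one-pixel size")
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        line, _col = self.getpos()
        self.findings.append({
            "line": line,
            "src": src,
            "same_host": host == self.site_host,
            "reasons": reasons,
            "suspicious": bool(reasons),
        })


def scan_html(html, site_host):
    """Return one finding dict per <iframe> in the document, in page order."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal video embed in the body, then an injected-style
# hidden counter.php frame placed after the document has already closed.
SAMPLE_HTML = """<html><head><title>Menu</title></head>
<body>
<p>Steaks and more</p>
<iframe src="https://videos.example.net/embed/menu" width="560" height="315"></iframe>
</body></html>
<iframe src="http://www.example.com/counter.php" width="1" height="1" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_HTML, site_host="www.example.com"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"line {f['line']}: {flag} src={f['src']} same_host={f['same_host']} "
              f"reasons={f['reasons']}")
```

The same-host flag is deliberately reported rather than used to suppress a finding: as the thread shows, an injected frame can point at a dropper file on the compromised site itself, so a self-referencing counter.php after `</html>` is exactly the pattern to look at first, and a legitimate embed is never placed outside the document root.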

The webmaster of these sites at that IP, or their hoster, should take notice of what is revealed here by the linked article's author, Tony Perez:
http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html
About the popularity of these various counter.php malware → http://michajp.blogspot.nl/2013/03/malicious-counterphp.html
Also see the malcode dropper there… blog article author mimojapan (a Kaspersky Labs fan)

So that site with the HTML:Iframe-ZG [Trj] malcode could initially have been infected for redirection to the Blackhole exploit.

polonus

Thanks for the information.

I will try and get ahold of Santa Fe on Facebook, if someone else hasn’t already!

Thanks again!

It is not a false positive; it is blocked correctly.

Thanks Milos