Hello,
I just visited the Santa Fe Cattle Co site, which is a big American steakhouse chain, and when I visited I got a threat warning for the following: HTML:Iframe-ZG [Trj]
13/05/2013 18:30:23 hxxp://www.santafecattleco.com/ [L] HTML:Iframe-ZG [Trj] (0)
I visit them quite often as they update their menus quite often, and I'm going to America in a couple of months, so I like to keep up with what they offer. Anyway, this is the first time I've had a threat from them. Is this an FP or the real deal, perhaps from their site getting hacked or something?
There is a hidden iframe after the closing html tag (see image); this is generally a standards no-no and under normal circumstances is considered suspicious.
Normally this would point to a 3rd party (external) site, but in this case it points to the main site and a counter.php page; this may or may not be hacked/malicious. I don't know whether this is an intentional entry by the webmaster or not, though it is suspect.
But the index page, when uploaded to VirusTotal, has a number of other AVs also alerting on it: https://www.virustotal.com/en/file/56148a8dbbc41281341af25d6f7e7205fd3b766c17ebc9ded3f3e083aa1fbb4e/analysis/1368466880/
The webmaster of the sites at that IP, or their hoster, should take notice of what is revealed in this article by Tony Perez:
http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html
About the popularity of these various counter.php malware: http://michajp.blogspot.nl/2013/03/malicious-counterphp.html
Also see the malcode dropper there; blog article author mimojapan (a Kaspersky Labs fan).
So that site with the HTML:Iframe-ZG [Trj] malcode could initially have been infected for redirection to the Blackhole exploit kit.
polonus
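The pattern polonus describes (an iframe placed after the closing html tag, often sized to a pixel or hidden with CSS, pointing at a counter.php on the site itself) can be checked for mechanically. The script below is an added example, not code from the thread or from any of the linked articles; the page URL and sample HTML are constructed for illustration, and the "suspicious" heuristics (after </html>, 1px or smaller dimensions, display:none / visibility:hidden) are this example's own choice of checks, not a definition from any AV vendor.

```python
"""Audit a saved HTML page for injected/hidden iframes.

Added example: flags iframes that appear after </html>, that are 0/1 pixel
in size, or that are hidden with CSS, and notes whether each points to the
page's own host (as with the counter.php case) or to an external site.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# CSS fragments (whitespace stripped, lower-cased) that hide an element.
HIDDEN_STYLE_TOKENS = ("display:none", "visibility:hidden")


def _tiny(value):
    """True for a width/height attribute of 0 or 1 (e.g. "1", "1px")."""
    if value is None:
        return False
    digits = "".join(ch for ch in value if ch.isdigit())
    return digits != "" and int(digits) <= 1


class IframeAuditor(HTMLParser):
    """Collects every <iframe> with a list of reasons it looks planted."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.after_html_close = False  # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        # HTMLParser does not enforce structure, so tags after </html>
        # are still delivered; we just remember that the close was seen.
        if tag.lower() == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = urljoin(self.page_url, a.get("src", ""))  # resolve relative src
        host = urlparse(src).hostname
        style = a.get("style", "").replace(" ", "").lower()

        reasons = []
        if self.after_html_close:
            reasons.append("after </html>")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("tiny dimensions")
        if any(tok in style for tok in HIDDEN_STYLE_TOKENS):
            reasons.append("hidden by CSS")

        self.findings.append({
            "src": src,
            "external": host != self.page_host,
            "reasons": reasons,
            "suspicious": bool(reasons),
        })


def audit_iframes(html, page_url):
    """Return one finding dict per iframe in `html` (page_url resolves src)."""
    parser = IframeAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a legitimate video embed inside <body>, followed by a
# 1x1, display:none iframe to /counter.php injected after </html>.
SAMPLE_PAGE = """<html><head><title>Menu</title></head>
<body><h1>Steaks</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>
<iframe src="/counter.php" width="1" height="1" style="display: none"></iframe>
"""

if __name__ == "__main__":
    for f in audit_iframes(SAMPLE_PAGE, "https://www.example.com/index.html"):
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        origin = "external" if f["external"] else "same-host"
        print(f"{flag:10} {origin:9} {f['src']}  {', '.join(f['reasons'])}")
```

Run it against a page saved with `curl -s URL > page.html` (fetch from an isolated machine, since the point is that the page may serve an exploit-kit redirect). A same-host hit is not automatically malicious, as polonus notes, but an iframe that is both after </html> and hidden has no legitimate reason to exist and warrants a look at the server for the counter.php file and the account that modified index.php.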
Thanks for the information.
I will try to get hold of Santa Fe on Facebook, if someone else hasn't already!
Thanks again!
Not a false positive; it is blocked correctly.
Thanks Milos