Incorrect Virus Definition

We are getting reports from end-users of your product that state that our advertising iframe is a html:iframe virus. We are not malware and do not serve advertisements for such. Below is the warning being reported.

http ://social.bidsystem.com/displayAd.aspx?pid=346463&plid=1596
malware name: html:Iframe-inf

Please white list our domain and/or remove it from your definitions. If you require any information at all, please contact us.

Thanks,

Dwayne Lafleur
General Manager - Adknowledge Social Advertising

Please don’t post multiple topics in different forums for the same issue, as this just duplicates effort for those trying to help. This is the correct forum for virus related issues and not the other two you posted.

I can’t visit the link you gave as there is obviously another link involved where it calls that ad, trying to enter that URL directly results in this error, see image.

The URL in the above post is not the full url. Here is one:
http://social.bidsystem.com/displayAd.aspx?pid=346463&plid=15965&adSize=728x90&bgColor=%23ffffff&textColor=%23000000&linkColor=%230033ff&channel=&appid=57308&fb_sig_in_iframe=1&fb_sig_locale=en_US&fb_sig_in_new_facebook=1&fb_sig_time=1247678437.1028&fb_sig

malware name: html:Iframe-inf

We are able to recreate the issue in google chrome and firefox, but not IE. This issue is costing our business roughly $10,000 per day right now as a major publisher of ours has removed our ads until you resolve this issue. Please proceed with white listing our domain asap.

  1. Google Chrome version 2.0.172.33

  2. No add-ons/toolbars…don’t think there are any for my browser yet!

  3. I did not get forwarded to another page, because Avast! stopped that from happening… I have attached a screenshot of what I did get, however. Note that at the bottom where there should be an ad it is now blank when this came up; I don’t have a way to block ads, and that is the only time I have seen a blank space instead of an ad.

  4. I use Avast! version 4.8 Home Edition.

  5. 1:51 pm Eastern Daylight Time (US)

Sorry, even with that URL I get nothing (alert wise) but a page of sorts loads, see image.

Now two of the links on that page get redirected to free credit reports and WOT (Web of Trust) flags the site as having a poor reputation. That however I don’t believe is what avast is alerting on (or it would have alerted).

I have been unable to find anything that I can look into as I don’t get any alerts.

The iframe alerts are commonly an indication that a site has been hacked and there is either an iframe tag inserted into pages or a script tag containing obfuscated JavaScript which creates the iframe.

So I’m at a loss as to what else to suggest as an avast user, I have no way to investigate further.

Try this URL: http://iscpadv.com/s/in.cgi?5

It’s for a Tourism Ireland campaign. It seems to be the source of the issue.

Strange that the Tourism Ireland would have a link to iscpadv.com which is a German domain location.

It is that domain that is blocked by the Network Shield as one on its malicious sites list. Why it’s on the list I don’t know, but commonly if a site is infected and multiple alerts are found, avast gathers data on these alerts and would add it to the malicious sites list.

I have tried to report to avast for further analysis on the iscpadv.com domain being on the list.

This is what I get with DrWeb’s av link checker plug-in:
hXtp://iscpadv.com/s/in.cgi?5 redirects to hXtp://web-banners.com/banners/728x90/discoverireland/

Checking: hXtp://web-banners.com/banners/728x90/discoverireland/
Engine version: 5.0.0.12182
Total virus-finding records: 583477
File size: 255 bytes
File MD5: ca5283f776d99c72aea6105f702121b1

polonus

The iframe detector has had 0 mistakes, I’ve heard

It has mistakes. Because it’s filled by naive humans (mostly me) 8)

But I’ve blocked iscpadv for a good reason. I’ve tried it right now with our internal tool…
So, the bidsystem guy should provide me with a better explanation of what iscpadv is and why I should think it’s not malicious (while it redirects thru a series of redirectors to a fake av site, as can be seen below).


hXXp://iscpadv.com/s/in.cgi?5
  Reason: external
  Found virus HTML:RedirME-inf [Trj]
  Return code: 302
  Content-type: text/html; charset=UTF-8
  Content-length: 178
  \->hXXp://mirturistov.com/3/
       Reason: redirect
       Flags: script_inl:1
       Return code: 200
       Content-type: text/html; charset=UTF-8
       Content-length: 267
     \->hXXp://commercialali.cn/go.php?id=2024-3&key=487c65abf&p=1
          Reason: refresh
          Return code: 302
          Content-type: text/html
        \->hXXp://antivirus-online-scanv5.com/1/?id=2024-3&query=87db95441&q=%3DTQ01Dz3NMQMMI%3DN
             Reason: redirect
             Flags: script_ext:5, script_inl:4
             Return code: 200
             Content-type: text/html, text/html; charset=UTF-8
             Content-length: 13222
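
An added example, not part of any post in this thread and not the in-house tool mentioned above: a small offline tracer that produces the same kind of hop-by-hop record for an ad call. It assumes "redirect" means an HTTP 3xx Location header and "refresh" means a meta refresh; the hosts and responses are constructed, and `trace`, `fetch_sample` and `hosts` are hypothetical names.

```python
import re
from urllib.parse import urljoin, urlsplit

# Constructed responses standing in for the network: url -> (status, headers, body)
SAMPLE = {
    "http://ads.example.test/s/in.cgi?5":
        (302, {"Location": "http://hop1.example.test/3/"}, ""),
    "http://hop1.example.test/3/":
        (200, {}, '<script>var a=1;</script><meta http-equiv="refresh" '
                  'content="0; url=http://hop2.example.test/go.php?id=1">'),
    "http://hop2.example.test/go.php?id=1":
        (302, {"Location": "http://landing.example.test/1/?id=1"}, ""),
    "http://landing.example.test/1/?id=1":
        (200, {}, "<script>x()</script><script src='a.js'></script>"),
}

META_REFRESH = re.compile(
    r"""<meta[^>]+http-equiv=["']?refresh["']?[^>]*?content=["']?\s*\d+\s*;\s*url=([^"'>\s]+)""", re.I)
SCRIPT_EXT = re.compile(r"<script[^>]*\bsrc=", re.I)            # <script src=...>
SCRIPT_INL = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>", re.I)  # <script> with a body

def fetch_sample(url):
    """Hypothetical fetcher: looks the URL up in SAMPLE instead of the network."""
    return SAMPLE.get(url, (404, {}, ""))

def trace(url, fetch=fetch_sample, max_hops=10):
    """Follow HTTP 3xx and meta-refresh hops; stop on loops or max_hops."""
    hops, reason, seen = [], "external", set()
    while url and url not in seen and len(hops) < max_hops:
        seen.add(url)
        status, headers, body = fetch(url)
        hops.append({"url": url, "reason": reason, "status": status,
                     "script_inl": len(SCRIPT_INL.findall(body)),
                     "script_ext": len(SCRIPT_EXT.findall(body))})
        refresh = META_REFRESH.search(body)
        if 300 <= status < 400 and "Location" in headers:
            url, reason = urljoin(url, headers["Location"]), "redirect"
        elif refresh:
            url, reason = urljoin(url, refresh.group(1)), "refresh"
        else:
            url = None
    return hops

def hosts(hops):
    """Distinct hostnames in hop order; many hosts behind one ad call merits review."""
    return list(dict.fromkeys(urlsplit(h["url"]).hostname for h in hops))

if __name__ == "__main__":
    for depth, h in enumerate(trace("http://ads.example.test/s/in.cgi?5")):
        print("  " * depth + f'{h["url"]}  reason={h["reason"]} code={h["status"]} '
              f'script_inl={h["script_inl"]} script_ext={h["script_ext"]}')
```

An ad network can run a trace like this over its own advertisers' creative URLs before serving them, so that a chain ending on an unrelated host is caught before an antivirus vendor flags it.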

Thanks kubecj, us mere mortals aren’t able to do this kind of in-depth analysis.

Outside of the Alwil in-house tool, do you know of any other analysis site that could do the same in-depth analysis?

No, that’s why I wrote this in-house tool despite my laziness ;D

Any possibility that we would be able to use it, say input the suspect URL into an avast.com page for checking suspect URLs and run on-line ?

Such a system is already partially done, but it’s kinda low in our (long) todo list.

That’s good for the long term, after avast 5.0 I guess when some time is available ;D