Malicious iFrame scanned with soswebscan beta IFRAME BADWARE Scanner...

Hi forum friends,

Scanned the main URL (see below) of a site known to have HTML/IFrame.acb.1 malware here:
http://soswebscan.jobandproject.com/beta_scan.php
(Free to use)

Results correct: avast is one of the few AV solutions to detect this as HTML:Iframe-inf, see:
http://www.virustotal.com/file-scan/report.html?id=e7b90ccc59af1b7322274178305f9b977cfb5a4ce91d3e46001537b004f2c8b6-1304332047

Main URL: htxp://www.artcar.com.tr/ is suspicious. We found 1 virus attack url at your website. hxtp://quake2012.ru/in.php?a=QQkFBwQHBAEABQQMEkcJBQcEBwYABQcHDA==
quote = SOSWebScan results

For a write up on this iFrame attack:
https://wam.dasient.com/wam/infection_library/f466b7de0aeae031a6f76ede788899e8/quake2012
Above given link source = Dasient Infection Library Home
Sucuri gives this detection as http://sucuri.net/malware/entry/MW:IFRAME:HD202

polonus

hxtp://quake2012.ru/in.php?a=QQkFBwQHBAEABQQMEkcJBQcEBwYABQcHDA==
and the redirect URL is also full of Viagra/Cialis/Levitra pill spam, see the Sucuri screenshot. Sucuri gives this detection: http://sucuri.net/malware/malware-entry-mwspamseo

This page seems to be
http://www.UnmaskParasites.com/security-report/?page=quake2012.ru
http://www.google.com/safebrowsing/diagnostic?site=quake2012.ru

Hi Pondus,

Thank you for the confirmation and the additional info.
-.-
Now something more in general about malicious iFrames.
With this example I wanted to present the possibilities of soswebscan.
There are two other main scan sources here.

First, there is the Sucuri scan http://sitecheck.sucuri.net/; with this scan we can
also find the Google Safe Browsing results and the Norton Safe Web results.
Users should know that there are loads of sites that the Google Safe Browsing and
Norton Safe Web databases aren't even aware of,
and these should be scanned in another way. In that case we do not have results.
Then there is Unmask Parasites: http://www.unmaskparasites.com/security-report/?page=domainname, for instance.

The iFrame contents can also be lightly but effectively obfuscated, and that is always a reason to be suspicious.
Just do an additional Google query on what you find inside the code. There could be Dasient info on the particular
suspicious URL or domain, exploit or particular iFrame campaign.
There could be additional info via a URLVoid domain or link scan.
-.-
Remember you have to combine the info of various resources.
Another particular iFrame malware scanner is to be found at monkeywrench.de
Enter the particular URL and then open the detailed results. Could be a good basis for further investigation.

Whenever users are security aware, know how to have full script protection inside the browser and work the browser
sandboxed, there are other resources, but users can also ask for a second opinion here.

In a similar way Pondus, spg SCOTT, Asyn and other members here are particularly into this form of malware hunting
and give a lot of assistance and report their findings for better avast detection.

Malicious iFrames should not be a problem for those that have taken specific precautions like script protection inside the Google Chrome or Fx browser (NotScripts & Better Pop Up Blocker in Chrome / NoScript - Request Policy in Fx 4.0).

Scan, scan, scan and report (back) when in doubt.

Two main rules: 1. Never give direct click-through links, always munge like
hxtp or -http or wXw and 2. When presenting a particular script, make a screendump and present it as a jpg or gif image.
One could use a particular proggie to remove particular information, like PhotoFiltre, or cut and paste the script image with
a tool like IrfanView, for instance. The reason is that actual script, in part or even munged, could be flagged by avast or spill over.
Best policy is just to give a scan link or the screen dump of the scan results.

Good hunt,

polonus
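
An added example, not part of the original posts and not the code of any scanner named in the thread: a small Python check in the spirit of the advice above, which lists the off-site iframes in a saved page and reports their URLs munged as rule 1 asks. The tiny-size and hidden-style heuristics, the function names and the sample HTML (example domains only) are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def munge(url):
    """Make a URL non-clickable for posting (http -> hxtp, https -> hxtps)."""
    return re.sub(r"^ht(tps?)", r"hx\1", url, count=1, flags=re.I)

def tiny(value):
    """True for 0 or 1 pixel width/height attributes."""
    return re.fullmatch(r"[01](px)?", value.strip()) is not None

class IframeFinder(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = re.sub(r"^www\.", "", page_host.lower())
        self.findings = []  # (munged src, [reasons]) for each off-site iframe

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        same_site = host == self.page_host or host.endswith("." + self.page_host)
        if not host or same_site:
            return  # relative or same-site frame: not reported
        reasons = ["off-site"]
        if tiny(a.get("width", "")) or tiny(a.get("height", "")):
            reasons.append("tiny-size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        self.findings.append((munge(a["src"]), reasons))

def scan(html, page_url):
    finder = IframeFinder(urlparse(page_url).hostname or "")
    finder.feed(html)
    return finder.findings

# Constructed sample page (example domains only)
SAMPLE = """<html><body>
<iframe src="http://www.shop.example/map.html" width="400" height="300"></iframe>
<iframe src="http://video.example.net/embed/1" width="560" height="315"></iframe>
<iframe src="http://redirect.example.org/in.php?a=QUJD" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in scan(SAMPLE, "http://www.shop.example/"):
        print(", ".join(reasons), "->", src)
```

An off-site frame on its own is common (video embeds, maps); the ones worth a second opinion are those that are also tiny or hidden.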