Q: My Avast just blocked HTML:Iframe-inf virus/worm, now what?

I was browsing with firefox just now, and I came upon a site (through google) I haven’t visited in a long time, but which I thought was to be trusted.

So I clicked on the link through google, and the Avast scanner popped up stating the warning you see in the attachment (or the screenshot hosted on flickr if you fancy it: http://farm3.static.flickr.com/2567/3746850517_03986e49f8_o.jpg)

So my questions are:

  • Avast said not to panic, by pressing 'Abort connection' (Connectie afbreken) it would stop the virus before downloading the file to my computer (which I of course did). Can I be confident that the file did not find its way on to my computer?

  • Second, is it a virus/worm? The file name (bestandsnaam) it blocked came from h**tp://netter.nl/mint/?js
    Is mint not some software to analyse visitor statistics etc? Could this be a false alert?

First time I came upon this. Should I alert the webmaster?

avast! blocked the malicious script and your PC is safe^^

Cheers!^^

-AnimeLover^^

Yes. Avast just showed its remarkable efficiency at stopping viruses from getting on your computer.

This could be true… Unfortunately I am not a very advanced user so I would suggest waiting for some posts from the forum Gurus.

I would simply inform him that your Avast Antivirus (build 4.8… with the latest updates) gave you a warning message. I would also attach the photo you have in your post.

Cheers

Well the actual .jpg image you gave the link to isn’t infected, see image, so it is something behind the scenes hxxp://netters.nl/mint/?js in the alert image.

So the log-on script has been hacked as there is a hidden iFrame tag at the bottom of the page that tries to go to a Russian domain, see image3, so it looks like the netters.nl/mint site has been hacked.

http://www.mywot.com/scorecard/q3o.ru and http://www.google.com/interstitial?url=http://www.q3o.ru/, so this is also what avast is blocking.

The image I attached is a screenshot I took with prtsc which I then saved in paint :)
Could that have become infected then?

I’ve sent the webmaster an email about it. It’s up to him now to fix the problem.
I’m just sooo glad Avast got a hold of it, I’m so paranoid when it comes to spyware etc …

DavidR is not referring to the pic you have attached but to the one you have mentioned in your first post…

As nmb said my reference was to the link being clean.

The site with the problem is netters.nl/mint as the log-on script appears to have been hacked. So I hope that is the site whose webmaster you sent the email to.

Welcome to the forums.

Ah thx

Yep, I’ve sent an email to the netters.nl webmaster.

Thanks for the welcome and the explanation!

No problem, glad I could help.

Hi Rodnev,

Diagnostic page for q3o.ru

What is the current status of q3o.ru?
This site has been flagged as suspicious - visiting this site may harm your computer.

Part of this site has been flagged 1 time in the past 90 days for suspicious activity.

What happened when Google visited this site?
Of the 3 pages we tested on the site in the past 90 days, 0 page(s) downloaded and installed malicious software without the user's consent. The last time Google visited this site was on 2009-07-22. The last time suspicious content was found on this site was on 2009-07-22.
Malicious software includes 1 exploit(s).

This site was hosted on 15 network(s) including AS16276 (OVH), AS35470 (XL), AS20773 (HOSTEUROPE).

Has this site acted as an intermediary leading to further distribution of malware?
It appears that q3o.ru has acted as an intermediary for the infection of 1 site(s) in the past 90 days, including ssail.ru/.

Has this site hosted malware?
Yes, this site has hosted malicious software in the past 90 days. This software infected 4 domain(s), including eyewk.com/, ssail.ru/, qjunk.com/.

How did this happen?
In some cases, third parties can add malicious code to legitimate sites, after which we display this warning.

The original link appears clean according to the Wepawet scanner:
http://wepawet.iseclab.org/view.php?hash=6fa5526260cf478087189bf287c70c40&t=1248370103&type=js

Bad Stuff Detektor finds:

No zeroiframes detected!
Check took 2.50 seconds

(Level: 0) Url checked:
hxtp://netter.nl/mint/?js
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (frame source)
hxtp://netter.nl/?pagesection=body
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
/unique/track.js?referrer=hxtp://netter.nl/mint/?js
Blank page / could not connect (This could have been the malicious redirector)
No ad codes identified

The page netter.nl etc. no longer gives any alerts from avast, so it has probably been cleaned up,

regards,

polonus

(Level: 0) Url checked: http://netter.nl/mint/?js Zeroiframes detected on this site: 0 No ad codes identified

Well they clearly missed the one in the second image I posted in Reply #3 above ;D

So the flaw is looking for 0x0 iframes (zeroiframes); this one has an iframe 191x116, but has the attribute style="visibility: hidden". So we can’t take that analysis at face value if it is only looking for 0x0 and not other width and height values when the iframe is also hidden.

Hi DavidR,

Are you referring to this:


    <script type="text/javascript">
    ........ if(window.top != window) { document.write('<img src="/frame......../track.gif?referrer=about%3Ablank" style="height : 0; width : 0; border-width : 0; display: none" alt="" />'); }
    </script><script type="text/javascript" src="/unique/track.js?referrer=about%3Ablank"></script>

And then there is this:


    <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">.....
        <frame src="hXttp://netter.nl/?pagesection=body" noresize="noresize" />
        <noframes>
            <p><a href="hXtp://netter.nl/?pagesection=body">Click Here</a> to continue</p>
        </noframes>

Your redirect I cannot trace there anymore…

polonus

No neither of those as it was an iframe tag and not a script tag or frameset.

I downloaded the file in the OP's image, hXXp://netters.nl/mint/?js (the one I referred to and quoted from your results) and that has the iframe tag at the bottom. In fact I have just downloaded and saved it again and the iframe is still there, but now pointing to a different domain hxxp://xb4.in and with the same hidden style.

Hi DavidR,

Redirect to: No zeroiframes detected!
Check took 0.33 seconds

(Level: 0) Url checked:
hXtp://xb4.in
Zeroiframes detected on this site: 0
No ad codes identified

(Level: 1) Url checked: (script source)
http://
Blank page / could not connect
No ad codes identified

(Level: 1) Url checked: (script source)
http://
Blank page / could not connect
No ad codes identified

polonus

Yes, that is my whole point.

Based on the wording, "No zeroiframes detected!" they appear only to be looking for iframes with 0x0 width and height size, when these have what would appear to be a regular sizing, yet they go to the trouble of hiding the iframe. So why do they bother giving it a size, possibly to avoid detection by those tools looking for 0x0 iframes.

Hi DavidR,

I think our handling of these detections will also attract malcreator eyes, and of course they also get somewhat the wiser for what we have put here before them. The information can be abused as well, just as it can be helpful for people to be more alert to these cybercrime activities that go on on a large scale,

polonus

Yes, they too will adapt to evade detection. What was a good idea, the 0x0 iframe size, soon got identified as an aid to detection, and now they have seen that that trick is no longer evading detection.

So those doing the detection have to get smarter too and look for the hidden attribute in the iframe also. If they, the miscreants, see that that is being used as an aid to detection, what are they to do then, as removing the hidden attribute would bring it back into the light out of the darkness.

So it will be an on-going battle so we also have to be aware that the tools we use might be being evaded too.
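An added detection check in Python, written for this thread and not code from any of the tools mentioned in it, that does what DavidR is arguing for: it flags an iframe when it is 0x0 and also when its inline style hides it, whatever size it declares. The sample page and its domains are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not the netter.nl file from this thread): one visible
# iframe, one classic 0x0 iframe, and one normally sized iframe hidden with CSS,
# the pattern DavidR describes above. Domains are placeholders.
SAMPLE_HTML = """<html><body>
<p>Legitimate content</p>
<iframe src="https://video.example.invalid/embed/1" width="560" height="315"></iframe>
<iframe src="http://bad.example.invalid/in.php" width="0" height="0"></iframe>
<iframe src="http://bad.example.invalid/?js" width="191" height="116"
        style="visibility: hidden"></iframe>
</body></html>"""

# CSS that hides an element regardless of its declared width/height
HIDING_CSS = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def _is_zero(value):
    # '0', '0px' or '0%' count as zero; a missing attribute does not
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) == 0


class IframeAuditor(HTMLParser):
    """Collects iframes that are 0x0 or hidden by inline CSS."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # HTMLParser lowercases names
        reasons = []
        if _is_zero(a.get("width")) and _is_zero(a.get("height")):
            reasons.append("zero-size")
        if HIDING_CSS.search(a.get("style", "")):
            reasons.append("css-hidden")
        if reasons:
            self.findings.append((a.get("src", ""), reasons))


def audit_iframes(html):
    """Return [(src, [reasons])] for every suspicious iframe in the document."""
    parser = IframeAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Running `audit_iframes(SAMPLE_HTML)` reports the 0x0 frame as "zero-size" and the 191x116 frame as "css-hidden", while a tool that only looks at dimensions would miss the second.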

How are these people able to get the piece of spyware-code onto someone else website?
Do they just hack it?

Also, and this will probably sound paranoid/noobish, can I be sure this spyware didn’t infect my computer? Even though Avast gave the warning?

Yes they hack sites to insert the code.

It is usually as a result of vulnerabilities in old versions of content management software, PHP, SQL, WordPress, etc.

The web shield scans content in its localhost proxy before it gets to your browser cache; when it alerts it only gives the abort connection option, and that drops the infected item so it doesn’t get to your system. If it did, the standard shield would also be likely to alert. So you should be OK; if you wish you can run an avast scan of your system to confirm that.