
iframe virus - bogus warning?


Recommended Posts

Hi

One of the websites I manage links to this page:

hxxp://www.360pix.co.uk/tours/ros scoproperties/grangelanetradepark/

If you open that page in Firefox, you get no warning. If you open it in IE10 the page is blocked with a "JS/Iframe.IB trojan" warning. If you close the IE10 browser, re-open it, and visit the same page, it plays fine with no warning.

EAVBE 5.0.2126.0, defs 8362.

Is it a rogue message showing in IE10? Or is there a reason why Firefox isn't detecting it?

Many thanks

Jim

EDIT Oops, wrong forum. Should be in the EAVBE / Endpoint forum.

Edited by Marcos

  • Administrators

Look at the first line of the HTML code; it most likely contains a malicious script with an iframe.


  • Administrators

Thanks Marcos. But why would ESET not trigger any error when the page is viewed from Firefox, only from IE?

Jim

Script malware is often injected only if certain conditions are met, e.g. if a specific browser is used.


  • 2 weeks later...

You can generally test these types of things yourself if you have access to a Linux box and the command-line tool "wget".

First, a standard "wget":

[testuser@testbox test]# wget hxxp://www.360pix.co.uk/tours/ros scoproperties/grangelanetradepark/
--2013-06-04 05:29:33--  hxxp://www.360pix.co.uk/tours/ros
Resolving www.360pix.co.uk... 109.228.26.6
Connecting to www.360pix.co.uk|109.228.26.6|:80... connected.
HTTP request sent, awaiting response... 404 Not Found
2013-06-04 05:29:34 ERROR 404: Not Found.

--2013-06-04 05:29:34--  hxxp://scoproperties/grangelanetradepark/
Resolving scoproperties... failed: Name or service not known.
wget: unable to resolve host address `scoproperties'
[testuser@testbox test]#

Note how even a standard wget command is immediately redirected to a domain that is invalid; that's a really big sign that something is amiss.

Next, if the file was downloaded, I would view the source, and if the source revealed nothing (which it did not here), then I would run a couple of wget commands with different user-agent strings. If the file doesn't redirect and fail (they rarely do), examining the resulting HTML file that downloads often yields a javascript or iframe embedded into the site code.

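The user-agent comparison described in the post above, written out as a small script. This is an added example and not code from the thread or from ESET: it fetches one URL as IE, as Firefox and as a crawler, prints the first line of each response (where a prepended injection usually lands, as Marcos noted), and greps each body for the patterns the thread is talking about (zero-sized or CSS-hidden iframes, scripts assembled with eval/unescape/fromCharCode). It assumes wget is installed, takes the URL as its first argument, and the User-Agent strings are my own picks. One caveat worth noting from the wget transcript above: an unquoted URL containing a space is split by the shell into two arguments, so the script always quotes "$1".

```shell
#!/bin/sh
# Added example, not code from the original thread. Fetch a URL with several
# User-Agent strings and flag content that looks like an injected iframe or
# an obfuscated script loader. Assumes wget is on the PATH; URL comes in as $1.

# scan_html: read HTML on stdin and print any line that matches the injection
# patterns discussed in the thread. Exit status 0 = something matched, 1 = clean.
scan_html() {
    grep -E -i \
        -e '<iframe[^>]*(width="?0|height="?0|display: *none|visibility: *hidden)' \
        -e '(eval|unescape|document\.write)\(' \
        -e 'fromCharCode'
}

# fetch_as URL UA: download the page body to stdout, presenting as the given
# browser. The URL is quoted so a space inside it stays one argument.
fetch_as() {
    wget -q -O - --tries=1 --timeout=15 --user-agent="$2" "$1"
}

# compare_ua URL: fetch as IE, Firefox and a crawler; show the first line of
# each response and scan it. Returns 0 if any UA was served suspicious content.
compare_ua() {
    url=$1
    found=1
    # UA strings below are representative examples chosen for this script.
    for ua in \
        'Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)' \
        'Mozilla/5.0 (X11; Linux x86_64; rv:21.0) Gecko/20100101 Firefox/21.0' \
        'Googlebot/2.1 (+http://www.google.com/bot.html)'
    do
        body=$(fetch_as "$url" "$ua") || { echo "fetch failed as: $ua"; continue; }
        echo "== $ua"
        # First line of the served HTML, truncated so a huge one-line blob stays readable.
        printf '%s\n' "$body" | head -n 1 | cut -c1-200
        if printf '%s\n' "$body" | scan_html; then
            echo "-- suspicious content served to this UA"
            found=0
        fi
    done
    return $found
}

if [ $# -gt 0 ]; then
    compare_ua "$1"
fi
```

Run it as `sh check_ua.sh 'http://host/path/'` (quote the URL). A difference between what the IE string and the Firefox string receive is the signal to look for; the grep is a triage filter, not a verdict, since legitimate pages also call document.write, so read the matched lines before concluding anything.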

This topic is now closed to further replies.