Author Topic: False Positive (HTML:Iframe-inf)

tbd_appn

  • Guest
False Positive (HTML:Iframe-inf)
« on: January 16, 2012, 08:33:10 PM »
We are seeing this flag being set based on what I suspect is a flagged domain.

I ran an HTML snippet containing an iframe calling playpickle.com through a scan, which returned this positive result (HTML:Iframe-inf). However, this is simply a site providing a gaming toolbar that has easy removal instructions (hxxp://playpickle.com/deactivate) as well as an ad-serving domain, which will result in the domain being legitimately loaded within an iframe.

« Last Edit: January 16, 2012, 10:11:35 PM by tbd_appn »

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37649
  • F-Secure user
Re: False Positive (HTML:Iframe-inf)
« Reply #1 on: January 16, 2012, 08:46:20 PM »
See sucuri screen shot

sucuri malware info: http://sucuri.net/malware/malware-entry-mwiframehd202

found here

-http://playpickle.com//404javascript.js
-http://playpickle.com/
-http://playpickle.com?aid=
-http://playpickle.com/category/tournament/?aid=organic&sk=u994qi67u63u18k3h7cnf9bv57


urlQuery - Suspicious
http://urlquery.net/report.php?id=16292

Wepawet
http://wepawet.iseclab.org/view.php?hash=46e05e2af9f7db3691758d8e56e49c37&t=1326743823&type=js


« Last Edit: January 16, 2012, 08:58:03 PM by Pondus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89426
  • No support PMs thanks
Re: False Positive (HTML:Iframe-inf)
« Reply #2 on: January 16, 2012, 08:53:22 PM »
First, please 'modify' your post and change the URL from http to hXXp or www to wXw, to break the link and avoid accidental exposure to suspect sites, thanks.

There are 5 iframes after a closing DIV tag in the footer, and they are all 1x1, effectively invisible, and that may be what is triggering this suspicion of an injected iframe (HTML:Iframe-inf). There is also a script tag with a variable that also creates a script element.

I don't initially get an alert on this URL you gave, but I use Firefox with the NoScript and RequestPolicy add-ons, so scripts aren't allowed to run unless I selectively allow sites (I allowed that one but not the other 10 cross-site scripts).

Another analysis site doesn't like it either, and it is also the iframe tags it doesn't like: http://sitecheck.sucuri.net/results/http://playpickle.com/deactivate.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.6.6121 (build 24.6.9241.848) UI 1.0.809/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
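The reasoning in the reply above (a cluster of 1x1 or otherwise invisible iframes sitting after the footer's closing DIV is what an injected-iframe signature keys on) can be reproduced offline against a saved copy of a page. The following is an added example, not code from this thread and not Avast's or Sucuri's detection logic; the function names, the page_host parameter and the sample HTML are all assumptions constructed for the demo and do not reproduce the real playpickle.com markup.

```python
# Added example (not from the thread, not any vendor's signature): flag
# "effectively invisible" iframes of the kind DavidR describes, so the
# reasoning behind an HTML:Iframe-inf style alert can be checked by hand.
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Inline-style patterns that hide an element without removing it.
_HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none"
    r"|visibility\s*:\s*hidden"
    r"|(?:left|top)\s*:\s*-\d{3,}px"      # pushed far off-screen
    r"|(?:width|height)\s*:\s*[01]px",    # 0/1 px via CSS instead of attributes
    re.I,
)


def _px(value):
    """Parse a width/height attribute such as '1' or '1px' into an int.

    Percentages and other units return None (not provably tiny).
    """
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", value)
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    """Collect every <iframe> together with the reasons it looks hidden."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # HTMLParser lower-cases tag and attribute names
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("size %dx%d" % (w, h))
        if _HIDDEN_STYLE.search(a.get("style") or ""):
            reasons.append("hidden via style")
        if not reasons:
            return  # a normal, visible iframe (video embed etc.) is not a finding
        src = a.get("src") or ""
        host = urlsplit(src).hostname or ""
        if self.page_host and host and host != self.page_host:
            reasons.append("cross-site src")
        self.findings.append({"src": src, "reasons": reasons})


def find_hidden_iframes(html, page_host=None):
    """Return a list of {'src', 'reasons'} for every hidden-looking iframe."""
    p = _IframeCollector(page_host)
    p.feed(html)
    p.close()
    return p.findings


def looks_injected(html, page_host=None, threshold=3):
    """Crude verdict: several hidden iframes on one page is the pattern an
    injected-iframe signature looks for. The threshold is an assumption."""
    return len(find_hidden_iframes(html, page_host)) >= threshold


# Constructed sample, not the real page: one legitimate embed in the body,
# then a cluster of 1x1 / hidden iframes after the footer's closing DIV.
SAMPLE_HTML = """<html><body>
<div id="content"><iframe src="http://example.com/player" width="640" height="360"></iframe></div>
<div id="footer">&copy; example</div>
<iframe src="http://ads.example.net/a" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://ads.example.net/b" width="1" height="1"></iframe>
<iframe src="http://ads.example.net/c" style="display:none"></iframe>
<iframe src="http://ads.example.net/d" style="position:absolute;left:-1000px"></iframe>
<iframe src="http://ads.example.net/e" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in find_hidden_iframes(SAMPLE_HTML, page_host="example.com"):
        print(f["src"], "->", ", ".join(f["reasons"]))
    print("injected-iframe pattern:", looks_injected(SAMPLE_HTML, "example.com"))
```

Run it against `curl -s` output of a page you are allowed to fetch (ideally from an isolated VM, as the thread advises) and compare the findings with what the scanner flagged. The caveat raised by the original poster still applies: 1x1 and hidden iframes are also how legitimate ad and tracking pixels are loaded, so a hit from a heuristic like this is a prompt to inspect the iframe targets (and any script that creates further script elements), not a verdict on its own.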

Online polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34000
  • malware fighter
Re: False Positive (HTML:Iframe-inf)
« Reply #3 on: January 16, 2012, 11:26:02 PM »
Suspicious code is being found here:

-cdn.kmdl101.com/plugins/bos-krusty/scripts/mbox.js?ver=1.0 suspicious
[suspicious:2] (ipaddr:64.215.158.11) (script) -cdn.kmdl101.com/plugins/bos-krusty/scripts/mbox.js?ver=1.0
     status: (referer=-playpickle.com/)saved 22543 bytes d36d434c41b7396b8463a9aeb05670518c06a267
     info: [decodingLevel=0] found JavaScript
     suspicious:
iFrame abused to load trojan.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!