Author Topic: HTML:Iframe-ZG [Trj]  (Read 4314 times)


Alpha32

  • Guest
HTML:Iframe-ZG [Trj]
« on: May 13, 2013, 07:39:28 PM »
Hello,

I just visited the Santa Fe Cattle Co site which is a big American steakhouse chain and when I visited I got a threat of the following: HTML:Iframe-ZG [Trj]

Quote
13/05/2013 18:30:23   hxxp://www.santafecattleco.com/ [L] HTML:Iframe-ZG [Trj] (0)

I visit them quite often as they update their menus quite often, and I'm going to America in a couple of months, so I like to keep up with what they offer. Anyway, this is the first time I've had a threat from them. Is this a FP or the real deal, perhaps by their site getting hacked or something?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89665
  • No support PMs thanks
Re: HTML:Iframe-ZG [Trj]
« Reply #1 on: May 13, 2013, 07:49:56 PM »
There is a hidden iframe after the closing html tag (see image); this is generally a standards no-no and under normal circumstances considered suspicious.

Normally this would be to a 3rd party (external) site, but in this case it is to the main site and a counter.php page, this may or may not be hacked/malicious. I don't know if this is an intentional entry by the webmaster or not though it is suspect.

But when the index page is uploaded to VirusTotal, a number of other AVs also alert on it: https://www.virustotal.com/en/file/56148a8dbbc41281341af25d6f7e7205fd3b766c17ebc9ded3f3e083aa1fbb4e/analysis/1368466880/.
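The two signals DavidR describes (an iframe placed after the closing html tag, and an iframe hidden by zero size or CSS) can be checked mechanically. The following is an added example, not code from this thread or from avast; the sample HTML and the /counter.php path in it are constructed to mirror the case discussed.

```python
"""Flag suspicious <iframe> tags in an HTML document (added example).

It reports an iframe that appears after the closing </html> tag and an
iframe that is hidden (zero width/height or display:none / visibility:hidden),
together with its src, so a webmaster can compare it with the page's
intended content. SAMPLE below is constructed, not the real site's page.
"""
from html.parser import HTMLParser
import re

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.after_html_close = False   # set once </html> has been seen
        self.findings = []

    def handle_endtag(self, tag):
        if tag.lower() == "html":
            self.after_html_close = True

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "").strip() for k, v in attrs}
        reasons = []
        if self.after_html_close:
            reasons.append("after closing html tag")
        if a.get("width") in ("0", "0px") or a.get("height") in ("0", "0px"):
            reasons.append("zero size")
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden by style")
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})


def audit_html(html_text):
    """Return a list of {'src': ..., 'reasons': [...]} for suspicious iframes."""
    p = IframeAuditor()
    p.feed(html_text)
    p.close()
    return p.findings


# Constructed sample: one legitimate embed, one hidden iframe injected after </html>.
SAMPLE = """<html><head><title>menu</title></head>
<body><h1>Steakhouse menu</h1>
<iframe src="https://example.com/embed/menu" width="560" height="315"></iframe>
</body></html>
<iframe src="/counter.php" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f["src"], "->", ", ".join(f["reasons"]))
```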

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37698
Re: HTML:Iframe-ZG [Trj]
« Reply #2 on: May 13, 2013, 08:06:58 PM »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: HTML:Iframe-ZG [Trj]
« Reply #3 on: May 13, 2013, 11:22:47 PM »
Yes, there are 6 suspicious iFrames found: http://evuln.com/tools/malware-scanner/www.santafecattleco.com/
But no malicious redirects were found. Google Safe Browsing does not blacklist at the moment.

See flags here: https://www.virustotal.com/id/url/4795b183e6ddc01d40c92b0fa66994ed24741241a6fbb4ec4b2b30db663ea042/analysis/1368479279/
unp32351602.tmp is detected here: https://www.virustotal.com/id/file/56148a8dbbc41281341af25d6f7e7205fd3b766c17ebc9ded3f3e083aa1fbb4e/analysis/1368466880/
avast detects as HTML:Iframe-ZG [Trj]
No alerts here: http://urlquery.net/report.php?id=2447449 and here: http://chrome.quttera.com/chrome_detailed_report/www.santafecattleco.com
But malware on other domains sharing that ip, IP is not being blacklisted at the moment: http://www.ipvoid.com/scan/184.168.152.37/
domains on that IP are blacklisted however: http://www.urlvoid.com/ip/184.168.152.37
And so we closed the scancircle we started here: http://www.urlvoid.com/scan/santafecattleco.com/
with potentially active threats: http://www.avgthreatlabs.com/sitereports/domain/santafecattleco.com/

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 34051
  • malware fighter
Re: HTML:Iframe-ZG [Trj]
« Reply #4 on: May 13, 2013, 11:37:50 PM »
The webmaster at these sites at that IP or their hoster should take notice of what is revealed here by link article author Tony Perez
http://blog.sucuri.net/2012/07/website-malware-removal-counter-php.html
About the popularity of these various counter.php malware -> http://michajp.blogspot.nl/2013/03/malicious-counterphp.html
also see the malcode dropper there... blog article author mimojapan (a Kaspersky Labs fan)

So that site with the HTML:Iframe-ZG [Trj] malcode could initially have been infected for redirection to Blackhole exploit

polonus

« Last Edit: May 13, 2013, 11:53:02 PM by polonus »

Alpha32

  • Guest
Re: HTML:Iframe-ZG [Trj]
« Reply #5 on: May 14, 2013, 12:31:51 AM »
Thanks for the information.

I will try and get hold of Santa Fe on Facebook, if someone else hasn't already!


Thanks again!

Offline jefferson sant

  • Starting Graphoman
  • *
  • Posts: 6669
  • volunteer
Re: HTML:Iframe-ZG [Trj]
« Reply #6 on: May 14, 2013, 09:53:03 PM »
Quote from: Alpha32 on May 13, 2013, 07:39:28 PM
Hello,

I just visited the Santa Fe Cattle Co site which is a big American steakhouse chain and when I visited I got a threat of the following: HTML:Iframe-ZG [Trj]

Quote
13/05/2013 18:30:23   hxxp://www.santafecattleco.com/ [L] HTML:Iframe-ZG [Trj] (0)

I visit them quite often as they update their menus quite often, and I'm going to America in a couple of months, so I like to keep up with what they offer. Anyway, this is the first time I've had a threat from them. Is this a FP or the real deal, perhaps by their site getting hacked or something?


It is not a false positive; it is blocked correctly.

Thanks Milos