Author Topic: Sucuri and nvidia.com


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #15 on: February 26, 2014, 04:45:19 PM »
Hi Ijkoy,

A malcreant has inserted a small or hidden iFrame inside that legitimate website, read here: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Iframe-V/detailed-analysis.aspx
The infection was worked through either WordPress: http://www.ehow.com/info_12184030_html-iframeinf.html or another plug-in like Flash, Java and Adobe Reader and will abuse exploits when found by the automated botnet - virus found within the top 10 threats.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #16 on: February 26, 2014, 05:07:33 PM »
Hi Ijkoy,

A malcreant has inserted a small or hidden iFrame inside that legitimate website, read here: http://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/Mal~Iframe-V/detailed-analysis.aspx
The infection was worked through either WordPress: http://www.ehow.com/info_12184030_html-iframeinf.html or another plug-in like Flash, Java and Adobe Reader and will abuse exploits when found by the automated botnet - virus found within the top 10 threats.

polonus

Thank you polonus, but do you have any explanation why nvidia is not reacting if this is in fact a real threat? I mean this is going on for days now.

I saw in another thread that avast contacts or is contacted by affected site admins. If avast detects a malicious iframe there, why hasn't this problem been solved now? To be clear, I haven't visited nvidia.com myself, but according to polonus' maldb link, avast detects a threat on nvidia.com.


Offline Michael (alan1998)

  • Massive Poster
  • ****
  • Posts: 2768
  • Volunteer
Re: Sucuri and nvidia.com
« Reply #17 on: February 26, 2014, 08:19:24 PM »
Yes,

nvidia is currently infected with a hidden iFrame. However, they may not know yet. Pol indicated that it looked like they were cleaning it up. When it's finished, Avast! may automatically stop detecting it. If it doesn't, then it's up to them to contact Avast! directly.
VOLUNTEER

Senior Security Analyst; Sys Admin (Linux); Forensics/Incident Response.

Security is a mindset, not an application. Think BEFORE you click.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Sucuri and nvidia.com
« Reply #18 on: February 26, 2014, 10:21:26 PM »
Hi,

Home.js itself (detected by Sucuri) is not malicious.

The iframe Polonus mentioned is part of Google's Doubleclick algorithms I believe. Also see: https://support.google.com/richmedia/answer/156581?hl=en

Attached is the result of home.js with some added comments.

Regards,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #19 on: February 26, 2014, 10:39:42 PM »
Hi !Donovan,

I get a failure non-numeric port there for global.php and 1 hidden iframe blocked resources: 3773406.fls.doubleclick.net (1), which is 3773406.fls.doubleclick.net, Ghosted; get no alerts now here: http://www.nvidia.com/page/home.html
A security certificate issue: https://secure.sw.gs:419/aaw/search/doubleclick.html

polonus

Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2219
    • The WAR Against Malware
Re: Sucuri and nvidia.com
« Reply #20 on: February 26, 2014, 11:25:11 PM »
I see. Thanks for the info. :)

Regards,
~!Donovan
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #21 on: February 27, 2014, 12:16:48 AM »
Hi !Donovan,

And you for informing me. More than ever now we have to be aware of server and DNS hiccups and insecurities as a background for malicious activity.
Malcreations are no longer performed by advanced script kiddies, but by refined malcode expert strategists with an evil intent,
using all the tricks from the book and beyond. We have grim and real apt opponents from the dark side.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #22 on: February 27, 2014, 10:04:51 AM »
Nvidia replied to me that the redirect is a false positive. But I'm getting more and more confused tbh ;)

So the home.js is okay, as stated by !donovan and nvidia, so the sucuri alert is false.

But now we have this doubleclick thing mentioned by pol which sucuri doesn't mention at all. As doubleclick is not only used by nvidia, every site that uses it would be infected, am I right?

In the end I just wanna know if it's safe to visit nvidia.com :D

Thank you very much!


Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #23 on: February 27, 2014, 02:13:26 PM »
That address is Ghosted. Delegation not found at parent.

I think you are at least secure. Google is always soon to clean up their act.
Somewhat more info here.
No delegation could be found at the parent, making your zone unreachable from the Internet.
I get a bad request for that Floodlight server: HTTP/1.0 400 Bad Request
Content-Type: text/html; charset=UTF-8  not follow redirect to htxp://www.google.com (not a public page)
Not enough nameserver information was found to test the zone 3773406.fls.doubleclick.net, but an IP address lookup succeeded in spite of that.
See: http://www.domaincrawler.com/173.194.40.251
Check here: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS -> http://www.dns-ok.us/ -> The Exclusion Zone, true subjectively
(because I am located inside Europe, so outside the US), but I get this confirmed from the FBI -> Your IP is not configured to use the rogue DNS servers.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Sucuri and nvidia.com
« Reply #24 on: February 27, 2014, 02:17:21 PM »
What do you mean with FBI, pol?
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #25 on: February 27, 2014, 02:32:48 PM »
Hi Steven Winderlich,

Just this check site from that institution against DNS Changer malware: https://forms.fbi.gov/check-to-see-if-your-computer-is-using-rogue-DNS#googtrans(nl)
where you can check that you haven't become a victim of ghosted DNS manipulation (so-called rogue DNS servers) -
fill out your IP and click check your DNS. When OK you see: Your IP is not configured to use the rogue DNS servers.
courtesy of the Federal Bureau of Investigation.
For Germany check here: http://www.dns-ok.de/ (German: Bundeskriminalamt (BKA), Bundesamt für Sicherheit in der Informationstechnik (BSI))

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Secondmineboy

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 3645
Re: Sucuri and nvidia.com
« Reply #26 on: February 27, 2014, 02:46:53 PM »
You could have thought about another FBI there :) And there is a checking site for emails from the BSI; there were so many people back a few weeks ago that their server crashed.
Windows 10 1909, 4 GB DDR3 RAM, 500 GB 5400 RPM HDD, 1366 by 768 LCD Screen, Intel Core i3 5010U Dual Core, Intel HD Graphics 5500
HUAWEI P30 Pro. Android 10

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #27 on: February 27, 2014, 02:48:55 PM »
So let me (try to) summarize:

The sucuri alert is wrong, confirmed by nvidia and !Donovan.

There is a hidden iframe on nvidia.com which points to 3773406.fls.doubleclick.net. Only the fact that the iframe is hidden makes it suspicious for several AV engines (see maldb results). But in fact 3773406.fls.doubleclick.net is clean:

http://wepawet.iseclab.org/view.php?hash=19f5c67e311eeaa8e045c49e23772514&t=1393507441&type=js

So is Avast atm actually blocking nvidia.com or not? I can't try, because I'm instantly redirected (if I just knew ;) )
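The summary above turns on one heuristic: an iframe that is hidden (zero-size or display:none) trips generic "Iframe-inf" style detections, whether it points at an injected attacker host or at an expected measurement endpoint such as the Floodlight host under fls.doubleclick.net. The script below is an added example, not code from this thread, Sucuri or Avast; it parses a constructed sample page, applies that hidden-iframe heuristic, and separates an allowlisted Floodlight host (the one named in the thread) from a placeholder unknown host.

```python
"""Flag hidden <iframe> elements in HTML and separate expected ad/measurement
hosts from unknown ones (the signal behind generic 'hidden iframe' detections)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts whose hidden iframes are expected; the Floodlight suffix is the one
# discussed in the thread. Extend with other vetted tag/measurement hosts.
EXPECTED_SUFFIXES = ("fls.doubleclick.net",)
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag."""
    def __init__(self):
        super().__init__()
        self.iframes = []
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))

def is_hidden(attrs):
    """Heuristic for 'hidden' iframes: 0/1 px size, hidden via CSS, or the hidden attribute."""
    def tiny(v):
        return v is not None and v.strip().rstrip("px") in ("0", "1")
    return (tiny(attrs.get("width")) or tiny(attrs.get("height"))
            or bool(HIDDEN_STYLE.search(attrs.get("style") or ""))
            or "hidden" in attrs)

def classify_iframes(html):
    """Return (host, verdict) per iframe: 'visible', 'expected-hidden' or 'suspicious-hidden'."""
    parser = IframeCollector()
    parser.feed(html)
    results = []
    for a in parser.iframes:
        host = (urlparse(a.get("src") or "").hostname or "").lower()
        if not is_hidden(a):
            results.append((host, "visible"))
        elif host.endswith(EXPECTED_SUFFIXES):
            results.append((host, "expected-hidden"))   # known tracker, not an injection
        else:
            results.append((host, "suspicious-hidden")) # review: unexpected hidden frame
    return results

# Constructed sample page: first host is the Floodlight host from the thread,
# second is a placeholder standing in for an unknown injected iframe.
SAMPLE_HTML = """<html><body>
<iframe src="http://3773406.fls.doubleclick.net/activityi;src=3773406" width="1" height="1" style="display:none"></iframe>
<iframe src="http://injected.example.invalid/x.php" width="0" height="0"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host, verdict in classify_iframes(SAMPLE_HTML):
        print(f"{verdict:17} {host}")
```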

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33923
  • malware fighter
Re: Sucuri and nvidia.com
« Reply #28 on: February 27, 2014, 02:57:48 PM »
Hi Ijkoy,

I can assure you that the site is not being blocked by avast at this moment; users can normally visit: http://www.nvidia.com/page/home.html
Content (encoded: 6.40 KiB / decoded: 26.30 KiB)

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Ijkoy

  • Guest
Re: Sucuri and nvidia.com
« Reply #29 on: February 27, 2014, 03:02:04 PM »
Hi Ijkoy,

I can assure you that the site is not being blocked by avast at this moment; users can normally visit: http://www.nvidia.com/page/home.html
Content (encoded: 6.40 KiB / decoded: 26.30 KiB)

polonus

But what about the maldb results you posted?
Quote
See how it is being detected now: http://maldb.com/www.nvidia.com/#
Avast: HTML:Iframe-inf
VIPRE: Heur.HTML.MalIFrame (v)
Norman: Iframer.AU
Sophos: Mal/Iframe-V
GData: HTML:Iframe-inf
ESET-NOD32: HTML/Iframe.B.Gen


Thank you btw for your ongoing support :)