Author Topic: Infection: HTML:Iframe-inf  (Read 44140 times)


Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #15 on: October 09, 2011, 01:20:47 AM »
After a bit of work and quite a few hours I have narrowed this problem down to one URL.

hxxp://www.kat.ph/the-mentalist-s04e02-hdtv-xvid-tla-t5876455.html#comments_tab
 
Got it right this time David R

If some of the forum experts would like to investigate this particular URL and report back with their findings it may help solve this problem.

Thunder Bird.

DavidR
Re: Infection: HTML:Iframe-inf
« Reply #16 on: October 09, 2011, 02:07:16 AM »
Well I'm able to visit that link with firefox and no alerts.

http://sitecheck.sucuri.net/scanner/ also finds nothing at that page, wXw.kat.ph/the-mentalist-s04e02-hdtv-xvid-tla-t5876455.html. Nor does the VirusTotal Results Page.

So I really am at a loss as to what is going on.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #17 on: October 09, 2011, 02:43:49 AM »
Quote
Well I'm able to visit that link with firefox and no alerts.

Quote
So I really am at a loss as to what is going on.

When I initially tested that URL after applying my fix Avast did warn me of the HTML:Iframe-inf infection in that particular URL.

Since then I have been back and retested the URL again and Avast now reports nothing.

But a scan of a copy of the same URL in the Virus Chest still shows HTML:Iframe-inf infection.

Go figure that one.

I expect that there may be some work going on behind the scenes that we are not privy to.

I know that I forwarded the suspect URLs to the virus lab at Avast and also to Kickass so maybe one of the two have come up with a fix and hence the URL is no longer being detected as a threat.

The question remains: was Avast detecting false positives after detecting the initial infection?

I believe Avast was somehow corrupted by one file that contained this HTML:Iframe-inf beasty and then Avast continued to keep reporting false positives for every page or action only on the Kickass site.

It is interesting that Malwarebytes is now detecting the same problem on the Kickass site.

Thunder Bird.

« Last Edit: October 09, 2011, 04:12:21 AM by Thunder Bird »

DavidR
Re: Infection: HTML:Iframe-inf
« Reply #18 on: October 09, 2011, 12:22:14 PM »
The question can't be answered as there is no information to answer it.

Avast can't corrupt the file as it isn't working with the live file, but a copy of it in its c:\windows\temp\_avast_ folder. The files after having been scanned in this folder are cleared, so even if there was a corrupt file it isn't on the site and again why only this site.

This is why I still stick with my original supposition that this isn't on your system as you think it is and you supposedly fixed it (but didn't say what you fixed?).

polonus
Re: Infection: HTML:Iframe-inf
« Reply #19 on: October 09, 2011, 03:57:24 PM »
Hi DavidR,

Well the link is flagged as suspicious 2/6 here: http://urlquery.net/report.php?id=4705
But while I am away from my system at the moment I cannot investigate further,
certainly there is something, as it could be an outward link like: http://www.urlvoid.com/scan/ad.adperium.com (suspicious)
Scanning the narrowed down link gave: [javascript variable] URL=ads dot ad4game dot com/wXw/delivery/al.php?zoneid=18915&cb=
     info: [script] -kastatic.com/js/all-49c553.js
     info: [img] -i2.kastatic.com/tv/18967.jpg
     info: [img] -www.kat.ph/torrentwidget/e8650d18f2d76b93c7a9bf5b1f92d59c7d9a290e.png
     info: [img] -i2.kastatic.com/userpics/828c21ef170951f1c345d989436ba6cf.gif
     info: [img] -kastatic.com/images/torrentDownloaded.gif
     info: [img] -i2.kastatic.com/userpics/fef51f7e0e856f49028a6423c6b62b22.gif
     info: [img] wXw.kat.ph/content/images/commentlogo.jpg
     info: [img] -kastatic.com/images/side.png
     info: [decodingLevel=0] found JavaScript
     error: undefined variable s

polonus
« Last Edit: October 09, 2011, 04:08:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

DavidR
Re: Infection: HTML:Iframe-inf
« Reply #20 on: October 09, 2011, 04:34:24 PM »
I guess that is a possibility as it could also fall in line of why it is intermittent, this could be ads poisoning and since the ads would be rotating, you would only get it if there is a poisoned ad displayed at the time you visit the link. Or that avast doesn't like the use of the iframe for redirected traffic.

Plus me having AdBlockPlus installed may block any iframe ad content from ad.adperium.com (and why I don't get any alert), another reason to block ads ;D

KAT_ph

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #21 on: October 09, 2011, 09:24:30 PM »
Just want to let you know that we'll be glad to provide any support from our side if it will help to figure out what is the reason of discussed issue.

Regarding ads from ad.adperium.com as possible problem - isohunt.com works with Adperium ad network as well and they display ads from ad.adperium.com too. But when browsing isohunt pages I got no alerts from Avast while I got them browsing kat.ph.

polonus
Re: Infection: HTML:Iframe-inf
« Reply #22 on: October 09, 2011, 09:51:04 PM »
Hi KAT_ph,

The adware track & banner code I gave is there, unwanted, and maybe not flagged by avast.
But the following iframe redirect certainly is there, maybe the malcode URL is no longer up and active, but I cannot establish that for sure, that is why it is being blocked.
Well the iFrame code as you can find from analyzing the urlquery.net analysis redirects to
-http://e46l.cc/ as
^iframe src="-http://<iframe src="-http://e46l.cc/in.cgi?mumsnet" etc, etc. ^
redirect src link = suspicious, see: http://urlquery.net/report.php?id=4401 and so avast will flag this as: "malicious URL blocked",

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!
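
Added example (not part of any post in this thread, and not code from Avast, urlquery.net or the site discussed): the scan listing in Reply #19 and the iframe redirect described in Reply #22 both come down to knowing which hosts a page loads iframes from, and the rotating-ads point in Reply #20 means a single fetch can miss them. The Python below inventories src hosts in two saved copies of a page and reports the off-site iframe hosts that differ between them. All hostnames, the sample HTML and the function names are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

HOST_RE = re.compile(r"^[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?$")
NO_HOST = "<no-valid-host>"   # marker for a src that is not a plain URL

class ResourceInventory(HTMLParser):
    """Collect (tag, host) for each iframe/script/img that carries a src."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.found = set()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag not in ("iframe", "script", "img") or not src:
            return
        try:
            host = urlsplit(urljoin(self.page_url, src.strip())).hostname or ""
        except ValueError:
            host = ""
        # Markup nested inside the attribute, as in the iframe quoted above,
        # yields no usable hostname; record it for review instead of dropping it.
        self.found.add((tag, host if HOST_RE.match(host) else NO_HOST))

def is_first_party(host, own_domains):
    return any(host == d or host.endswith("." + d) for d in own_domains)

def offsite_iframes(html, page_url, own_domains):
    """Hosts of iframes that load from outside the site's own domains."""
    parser = ResourceInventory(page_url)
    parser.feed(html)
    parser.close()
    return {h for t, h in parser.found
            if t == "iframe" and not is_first_party(h, own_domains)}

def changed_between_visits(copy_a, copy_b, page_url, own_domains):
    """Off-site iframe hosts present in only one of two saved copies."""
    return (offsite_iframes(copy_a, page_url, own_domains)
            ^ offsite_iframes(copy_b, page_url, own_domains))

# Constructed sample data: two saved copies of the same page, the second
# served with an extra ad slot whose iframe src is itself broken markup.
PAGE = "http://site.example/item.html"
OWN = {"site.example", "static-site.example"}
VISIT_1 = ('<script src="http://static-site.example/js/all.js"></script>'
           '<img src="/images/logo.jpg">'
           '<iframe src="//ads.adnet.example/delivery?zone=1"></iframe>')
VISIT_2 = VISIT_1 + ('<iframe src="http://<iframe src="http://redirect.invalid'
                     '/in.cgi?x" width="1" height="1"></iframe>')

if __name__ == "__main__":
    print("changed between visits:", changed_between_visits(VISIT_1, VISIT_2, PAGE, OWN))
```

A host that shows up in only one copy is the one to check against the ad network's rotation before concluding the alert came from the page itself.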

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #23 on: October 10, 2011, 12:00:29 AM »
Quote
The question can't be answered as there is no information to answer it.

Quote
This is why I still stick with my original supposition that this isn't on your system as you think it is and you supposedly fixed it (but didn't say what you fixed ?).

If it was not on my system as you maintain how do you explain.

Every click on the KAT website caused Avast to produce the HTML:Iframe-inf infection warning.

After I had cleared caches, temp files, run Malwarebytes, etc. Avast still produced the HTML:Iframe-inf infection warnings only on the KAT site.

Now without touching or doing anything else I uninstalled then reinstalled Avast and the Warnings ceased completely and these warnings have not reappeared since.

The Avast reinstall was exactly the same program and virus definition version as previously.

So if this problem was not on my computer how do you explain that simply reinstalling Avast without touching anything else caused Avast to cease issuing HTML:Iframe-inf infection warnings?

It would appear that Avast had somehow been infiltrated or contaminated in some way that was causing Avast to raise false positives and the reinstall somehow cured this problem.

As I say I can go to the KAT site now and do everything that I did before that would have raised Avast warnings but now I can go there and I have not experienced one warning since reinstalling Avast.

P.S. I am using Firefox 8.0 beta I was using 7.0 but upgraded to 8.0 because I have a lot of trouble connecting to the Avast site but this connection problem still remains.

Firefox sits there for ages with the black arrow spinning anticlockwise before it finally goes green and connects.

Hope this information provides enough help to lead to an answer.

Thunder Bird.
« Last Edit: October 10, 2011, 12:13:04 AM by Thunder Bird »

DavidR
Re: Infection: HTML:Iframe-inf
« Reply #24 on: October 10, 2011, 12:46:32 AM »
Malware on a system is highly unlikely to be that selective.

Now you are saying every click on the KAT web site, which you weren't before. Presumably this would be for all pages with the iframe ad to ad.adperium.com, see #### below.

Effectively you are saying that it wasn't just on your system but was actually part of avast and I simply can't see that. I can't see how a reinstall would have this effect as essentially the only thing that is likely to have changed (assuming that you already had the latest avast version) would be the virus definitions. There is also the possibility that avast has updated the virus signatures and it is no longer detected.

Unfortunately you are using the reverse logic to me on what is the cause, I still don't believe it was on your system.

####
As polonus has mentioned there is an iframe tag to ad.adperium.com, which is a possible cause of this and since I block ads, and adperium.com is blocked in AdBlockPlus, I don't see it (so won't get an alert).


Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #25 on: October 10, 2011, 01:34:30 AM »
Quote
Malware on a system is highly unlikely to be that selective.

DavidR I am reporting it as I witnessed it and I stand by what I said previously.

For what purpose would I misreport my experience and if you refuse to take my reports on board I am wasting my time in this forum.

Quote
Now you are saying every click on the KAT web site, which you weren't before. Presumably this would be for all pages with the iframe ad to ad.adperium.com, see #### below.

Every time I changed a page on KAT I got an Avast warning.

Whenever you click on an item on a page it always takes you to another page.

Quote
Effectively you are saying that it wasn't just on your system but was actually part of avast and I simply can't see that.


Well David I witnessed it and I am reporting it as I saw it. (You better believe it).

Quote
I can't see how a reinstall would have this effect as essentially the only thing that is likely to have changed (assuming that you already had the latest avast version) would be the virus definitions. There is also the possibility that avast has updated the virus signatures and it is no longer detected.

David as I explained without doing anything else all I did was reinstall Avast.

Immediately prior to the Avast reinstall I had checked for Avast program and engine and virus definitions in the event that an update might be an answer but everything was up to date and I was still experiencing Avast warnings, it was at this point I thought I have tried everything else what have I got to lose by reinstalling Avast.

Quote
Unfortunately you are using the reverse logic to me on what is the cause, I still don't believe it was on your system.

Unfortunately David you don't believe me but I am telling it as it is and when someone else carries out a re-installation of Avast and gets the same results as me you might then like to reconsider your beliefs.  

Quote
As polonus has mentioned there is an iframe tag to ad.adperium.com, which is a possible cause of this and since I block ads, and adperium.com is blocked in AdBlockPlus, I don't see it (so won't get an alert).

I have not blocked any ads I just did like I said before and simply reinstalled Avast without taking any other actions and believe me my warnings from Avast then disappeared.

We will just have to wait now for someone else who is experiencing this problem with Avast to do a reinstall and report that the problem has disappeared which will then put the ball back in your court.

Reinstalling Avast fixed the problem for me believe me or not David.

David I don't know what else I can say to convince you of my experience but I am prepared to put my money where my mouth is, are you?

Fools give you reasons wise men never try.


Thunder Bird.
« Last Edit: October 10, 2011, 01:52:48 AM by Thunder Bird »

DavidR
Re: Infection: HTML:Iframe-inf
« Reply #26 on: October 10, 2011, 02:28:02 AM »
No point in putting any money anywhere, as there simply is no way to prove it one way or another.

But if this were the case then why aren't more reporting this.

I don't dispute what you experienced in visiting the site, just the conclusion that this was something on your system and in avast to boot.

I base my comments on over seven years of using avast and being on the forums and do see trends and I absolutely haven't seen any malware on a system that only attacks one specific site.

So for me I'm done.

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #27 on: October 10, 2011, 03:16:13 AM »

Quote
But if this were the case then why aren't more reporting this.

Quote
I base my comments on over seven years of using avast and being on the forums and do see trends and I absolutely haven't seen any malware on a system that only attacks one specific site.

You must have missed this post in this thread then David and it's straight from a KAT site team member.

http://forum.avast.com/index.php?topic=86133.msg696076#msg696076

Quote
Hi everybody,

I'm one of the Kickasstorrents team members and I've just registered here hoping you'll help me to solve this issue with malware detected on our site kat.ph.

Since today our members started reporting some kind of malware on the site; every one of them was using Avast. I have just checked the malware section for kat.ph in Google Webmaster Tools - everything is OK there. Seems like it's an Avast-only detection.

Can somebody please explain to me where the malware is living on our site (if there is any)? I believe our site is clear because nobody detects us except Avast. In case it's really clear - what is the right way to remove that scary alert for our visitors?

And this one.

http://forum.avast.com/index.php?topic=86133.msg696832#msg696832

Quote
Just want to let you know that we'll be glad to provide any support from our side if it will help to figure out what is the reason of discussed issue.

Also from the same KAT team member.

Maybe the affected members of the KAT site should be invited to start posting here?

Thunder Bird.

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #28 on: October 10, 2011, 04:52:29 AM »
Quote
I base my comments on over seven years of using avast and being on the forums and do see trends and I absolutely haven't seen any malware on a system that only attacks one specific site.

What about if that particular site had been hacked, David?

http://biggeekdaddy.com/AvastAVProtection.html

Quote
HTML:iframe-inf code alert.  Big Geek Daddy uses Avast Anti Virus and found two legitimate websites that had been infected with an Iframe code.  

Avast identifies this as HTML:iframe-inf.  I don't believe this is a false positive and if Avast or whatever Anti Virus Protection you are using gives you a similar warning then follow the prompt to abort the connection.  

You might also consider sending an email to the website owner letting them know what page you encountered this on as they are probably unaware that their website has been hacked and infected with malicious code.  Legitimate websites do get hacked unfortunately.

I did email KAT and that is when I found out KAT was getting reports from several of their members who use Avast reporting the same problem.

I have one thing to add and that is I re-installed Avast on Saturday, October 08, 2011, 10:30:49 PM (South Australian daylight saving time) so unless there was an action by another party on the internet at precisely that particular time to coincide with my re-installing of Avast I cannot think of any other explanation why my re-installation of Avast worked for me.

Is there anything in Avast that stops script files?

I did not alter Avast after the re-installation but the script shield shows no activity from the KAT site now.

I have emailed KAT to find out if KAT has blocked script files (ads) and if so when.

I do not get any ads at the moment from the KAT site and I do not use an ad blocker.

Thunder Bird.
« Last Edit: October 10, 2011, 05:12:41 AM by Thunder Bird »

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #29 on: October 11, 2011, 12:23:52 AM »

Quote
Is there anything in Avast that stops script files?

I did not alter Avast after the re-installation but the script shield shows no activity from the KAT site now.

I have emailed KAT to find out if KAT has blocked script files (ads) and if so when.

I do not get any ads at the moment from the KAT site and I do not use an ad blocker.

In answer to the above the KAT site blocks ads for members who are logged in.

Being a new member of the KAT forum I was unaware of this fact.

Looks like it is back to the drawing board to try and find another answer.

Makes it difficult when my re-installed Avast is no longer issuing HTML:Iframe-inf infection warnings.

It appears there are still people with Avast suffering this problem on the KAT site.

Thunder Bird.
« Last Edit: October 11, 2011, 12:30:46 AM by Thunder Bird »