Author Topic: Infection: HTML:Iframe-inf  (Read 44012 times)

0 Members and 1 Guest are viewing this topic.

KAT_ph

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #30 on: October 11, 2011, 08:57:23 AM »
Now you are saying every click on the KAT web site, which you weren't before. Presumably this would be for all pages with the iframe ad to ad.adpurium.com, see #### below.

I also got alert when managing ads on the site backend. Everything is ok there until I go to the page where banner displayed. And it doesn't matter where that banner from (ad.adpurium.com or any other domain) - I got the same alert on every advertiser banners.

If ad.adperium.com is compromised domain why I got no the same alert when browsing hXXp://www.mininova.org/ who use the same placement of Adperium banners as we are?

Some days ago I've submitted ticket to the Avast support team and got an answer from them:

Quote
Hello,

It should be solved, if not let us know please.


Miroslav Jenšík
AVAST Software a.s.

Anyway, we are keep getting reports from our visitors as well as Avast on my local PC keeps me informed about some kind of phantom malware.

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88899
  • No support PMs thanks
Re: Infection: HTML:Iframe-inf
« Reply #31 on: October 11, 2011, 12:24:07 PM »
I don't know if they (mininova.org) are also using an iframe to display the adperium.com banner ads, as you are on your site since this alert is specifically mentioning iFrame-inf, which I believe is iframe injection.

Unfortunately as an avast user, I can't help more than I have tried to do in pinpointing the likely cause. Since I also use AdBlockPlus and so I don't get an alert at all as the adperium.com content is blocked.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67195
Re: Infection: HTML:Iframe-inf
« Reply #32 on: October 11, 2011, 01:09:12 PM »
Long live to AdBlockPlus! :)
The best things in life are free.

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #33 on: October 11, 2011, 01:30:12 PM »

"Avast can't corrupt the file as it isn't working with the live file"

You misquoted me David I was actually asking the question if it was possible for Avast to have been corrupted or compromised by a particular file from the KAT site.

I have since received suspect KAT URLs from another person whose Avast is still warning them of this HTML:Iframe-inf infection and I have double checked them with my re-installed copy of Avast and wouldn't you know it my copy of Avast fails to issue any warning.

So it really begs the big question "What is the difference between our two copies of Avast ?"

What do you say if he also does an Avast re-install like myself and then he gets no further warnings ?

I guess then one could effectively allude to the possibility that it had actually got into our systems and had actually become part of Avast.
Quote
There is also the possibility that Avast has has updated the virus signatures and it is no longer detected.

Avast Virus signatures have been updated automatically and this problem is still being detected by this particular copy of Avast that has not been re-installed yet.

I am not claiming re-installing that copy of Avast will have the same effect that I experienced but it does raise the big question of "What if it does ?"

Not sure why Avast are not trying to obtain a copy of this particular Avast that is still issuing these warnings to compare it to a copy that does not issue warnings ?

Surely that would be as good a starting point as any to try and pinpoint this problem ?

Thunder Bird. 

WayneHuang

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #34 on: October 16, 2011, 07:04:40 AM »
Don't know about this last incident, but we detected an infection and just wrote a blog about it:
http://blog.armorize.com/2011/10/malvertising-on-kickasstorrents-katph.html

Check out the video in the post--there is no denying that the website was 100% infected.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Infection: HTML:Iframe-inf
« Reply #35 on: October 16, 2011, 10:49:35 AM »
Hi WayneHuang,

There certainly is some issue there, see: http://urlquery.net/report.php?id=4717
mail dot waplove dot cn waplove dot cn mobile malware command and control server .....
www dot myspacemp3 dot org 95.215.60.37 piracy base3 dot 3cliks dot srv dot br - this malware issue was from June last -http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RBN_IP_List_Update_6-19-2011.txt notorious malware site, so site status possibly suspicious and compromised this was there and now mitifated to   93.114.40.112 (previous    209.44.103.29) site rep: Suspicious [2 / 6]
while sucuri gives it clean here:
web site:    -http://www.kat.ph/releases/
status:    Verified Clean
web trust:     Not Blacklisted
But see: http://www.urlvoid.com/scan/kickasstorrents.com
Mafia Wars Info stealer activity, see also: http://hosts-file.net/?s=kickasstorrents.com
Classification EMD (malware activity etc.)
Also see: http://google.com/safebrowsing/diagnostic?site=kat.ph
Furthermore consider:
-http://ad.adperium.com/st?ad_type=iframe&ad_size=728×90&section=655765
the malware comes/came from -http://91.216.3.108/ca1/index.php via “Multiple Adobe Reader and Acrobat buffer overflows”.
see: http://wepawet.iseclab.org/view.php?hash=1698072b7a5718dae7b1049ffe4aab2a&t=1273513777&type=js
could have been cleansed in the mean time, see: http://urlquery.net/report.php?id=5241

polonus
« Last Edit: October 16, 2011, 02:44:10 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Infection: HTML:Iframe-inf
« Reply #36 on: October 16, 2011, 02:57:30 PM »
To keep an eye out for this infection, the MD5-Hash = MD5-Hash: 375f136917d79afefd72342cd8357154
for a Java-exploit hidden in Open-X ads: JS:KRYPTIK.AY found. Update: according to some there was a similar infection at "bitsnoop", so watch your tracks for this one...
VT results: http://www.virustotal.com/file-scan/report.html?id=969bad4d52672e8b6475e88d266337906022c47966daba0c5dfedc1321885470-1318192617
Avast detects as Win32:Kryptik-FBB [Trj],

polonus
« Last Edit: October 17, 2011, 11:07:48 AM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Thunder Bird

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #37 on: October 18, 2011, 09:26:56 AM »
Hello,
this site contained malicious script but it is fixed now.
Regards,
Jan

So is KAT fixed and clear now or are there still underlying problems ?

Thunder Bird.
« Last Edit: October 18, 2011, 09:34:10 AM by Thunder Bird »

REDACTED

  • Guest
Re: Infection: HTML:Iframe-inf
« Reply #38 on: April 14, 2016, 04:29:05 PM »
Can somebody please explain me where is malware living on our site (if there is any)? I believe our site is clear cause nobody detects us except Avast. In case it's really clear - what is the right way to remove that scary alert for our visitors?

@Kat_ph I have tried to pull your page on Mozilla Firefox, and got a "Reported Web Forgery" alert. When I followed the link to find out why, I saw that the owner of the reported site can get the warning removed. They said to click this link (alte to validate) h__p://mzl.la/1BAVoBE

I have also noticed that Avast is not always reliable regarding phishing or other malicious web pages. I do believe they may be a little oversensitive. Which is better than not being sensitive enough, I suppose.

As I am a user of torrents, I hope you can get this issue sorted out.
#WriteOn!
-- John
johntmherres DOT com

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37507
  • Not a avast user
Re: Infection: HTML:Iframe-inf
« Reply #39 on: April 14, 2016, 05:09:40 PM »
@ JohnTMHerres   you are posting in a topic from 2011