Author Topic: avast! does not detect malicious appendChild iframe  (Read 6718 times)

0 Members and 1 Guest are viewing this topic.

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
avast! does not detect malicious appendChild iframe
« on: May 24, 2012, 10:43:43 PM »
What should be detected as JS:iframe-[XX] is surprisingly, not detected--by any antivirus.
Based on the exploit given here: http://forum.avast.com/index.php?topic=96822.0
In which, is dated one month ago, I would assume that the AV industry would be able to block this kind of threat.

Using a random malicious link from today (attached #1), I inject that link into my modified source.
http://urlvoid.com/scan/lastofengland.org/
http://urlquery.net/report.php?id=59332


The exploit syntax should've been enough to alert. I'm surprised that none did. See:
https://www.virustotal.com/file/a5e827c1d75ae62d3211923b28f3fe8ce47351ef666063e8bd017e76fa09182e/analysis/1337891506/


Attachment #2 contains the tested fully compressed file and attachment #3 contains the part that avast! should've detected.


 ??? :-\
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 712
  • A Good Old Indian!
Re: avast! does not detect malicious appendChild iframe
« Reply #1 on: May 25, 2012, 10:13:15 AM »
I guess i have another sample similar to this or not....but it also misses avast detection as given here:
https://www.virustotal.com/file/f05fb0c81f0eefe8916c951b3aa76e3abd492e2ee3bbbdff7a2615d1244a78e3/analysis/

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: avast! does not detect malicious appendChild iframe
« Reply #2 on: May 25, 2012, 01:37:13 PM »
Hi !Donovan,

Thank you very much for your observations. Maybe the knowledge of this attack has sunken away in the memory of av analysts, so they missed it.

Very interesting link to read: http://www.hars.de/2010/12/Maria-14186255-malware-spam.html  link article author = Florian Hars;

The appendChild iframe attack method you described had already been known to us from around the year 2008. From the moment a user clicks only the iFrame URL is changed, and JS malware contol is being maintained through this invisable full-screen iFrame. The URL bar that does not change with each click, being the only drawback when this attack method is performed...

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: avast! does not detect malicious appendChild iframe
« Reply #3 on: May 25, 2012, 02:46:10 PM »
Thinking that my algorithm was too tough, I remove it completely. I also saw that I forgot .style before .opacity. Thinking that this would be enough. I reupload the debugging sample (my version that's fully beautified and clean) to VirusTotal. The results: https://www.virustotal.com/file/a20de6e982d7b13663c0e539952ee59bc61729dab7831c79064b279ea16feb46/analysis/1337948822/ !?

Well, then I thought, maybe one of the heuristic scanners would detect it if it was packed, so I pack this one using the default setting in Dean Edward's packer and upload it again. Same Results: https://www.virustotal.com/file/789857026049e89acb360add3da5f0b49b6678da68e377715c25e5820a01fb73/analysis/1337949157/


Edit: PM for sample.

« Last Edit: May 26, 2012, 02:28:18 PM by !Donovan »
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: avast! does not detect malicious appendChild iframe
« Reply #4 on: May 25, 2012, 03:02:57 PM »
Hi !Donovan,

What you have done is the best proof of the fact that av detection is mainly reactive. If they do not know what to look for, it will not be detected.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36047
Re: avast! does not detect malicious appendChild iframe
« Reply #5 on: May 26, 2012, 08:40:50 AM »
it seems you are correct Donovan   ;)

Norman lab agree with you
Quote
HTML/Iframe.LX will detect both the samples.
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline True Indian

  • Malware Hunter
  • Avast Evangelist
  • Advanced Poster
  • ***
  • Posts: 712
  • A Good Old Indian!
Re: avast! does not detect malicious appendChild iframe
« Reply #6 on: May 26, 2012, 11:51:35 AM »
**REMOVED

« Last Edit: May 26, 2012, 06:32:05 PM by true indian »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81907
  • No support PMs thanks
Re: avast! does not detect malicious appendChild iframe
« Reply #7 on: May 26, 2012, 01:40:10 PM »
<snip>

Uploaded to SendSpace if you want to view the samples. Password: infected
<sharing link removed>
Note: Ads are everywhere, which makes anonymous uploading possible

Please don't publish links to malware on file share sites as this is a publicly available forum and you have no control over who might download it or what they might do with it. Samples should be sent directly to avast and not shared.

So I would advise its removal from the posts and from the file share site.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.526)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: avast! does not detect malicious appendChild iframe
« Reply #8 on: May 26, 2012, 02:55:36 PM »
Hi DavidR,

Agree with you here, that is why I sometimes even break scan result links now. In a public forum be aware that the malversant is reading over your shoulder all the time.

Still there should be room for some criticism here, because as this type of  malware is a recycled 2008 type, coming right out of the widely available txt-books (also to be googled and read online) it is a shame really that it is not being detected by a wide variety of av solutions. Apparently priority went to file viruses and trojans and scripting threats held a lower priority for quite some time. Avast is certainly catching up in this respect, other av's certainly lack behind. And some even admit this,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline !Donovan

  • Web Analyst
  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 2220
    • The WAR Against Malware
Re: avast! does not detect malicious appendChild iframe
« Reply #9 on: May 26, 2012, 03:04:24 PM »
Lets hope that sooner or later suspicious patterns found in coding on the web will be detected by antiviruses. ;)

After all, why use the "if" + "rame" method when you can use "iframe" and save 5 characters for your scripts, webmasters?
Familiarize Yourself! | Educate Yourself! | Beautify Yourself! | Scan Yourself!
"People who say it cannot be done should not interrupt those who are doing it."

Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: avast! does not detect malicious appendChild iframe
« Reply #10 on: May 26, 2012, 03:24:47 PM »
Hi !Donovan,

I think script anomaly detection and IDS incorporation should come to av detection asap. We cannot only rely on Opera and Google Safebrowsing blocking inside FX and Chrome, because hordes of Blue E users will be unprotected. I have to admit that both Bitdefender TrafficLight and WOT blocks a lot of sites where this is.
Only last year Google blocked 134 million ads of which a portion were malvertizing ads. I know malware protection is mainly reactive,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 81907
  • No support PMs thanks
Re: avast! does not detect malicious appendChild iframe
« Reply #11 on: May 26, 2012, 04:50:58 PM »
@ !Donovan
Thanks for removing the file share link.
WinXP ProSP3/ Core2Duo E8300/ 4GB Ram/ avast! free 18.5.2342/ Firefox ESR, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ DropMyRights/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 19.7.2388 (build: 19.7.4674.526)/ WinPatrol+/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro7.11.0/ WinPatrol+/

Offline Pondus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 36047
Re: avast! does not detect malicious appendChild iframe
« Reply #12 on: May 28, 2012, 08:10:14 AM »
that took some time, but finally from Avira

Quote
The file 'JS-Iframe-Exploit--Default-DE-Compressed.js' has been determined to be 'MALWARE'. Our analysts named the threat JS/IFrame.agi.  The term "JS/" denotes a Java scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.

Quote
The file 'JS-Iframe-Exploit--FULLY_Beautified.js' has been determined to be 'MALWARE'. Our analysts named the threat JS/IFrame.agi.  The term "JS/" denotes a Java scriptvirus. Detection will be added to our virus definition file (VDF) with one of the next updates.
Chief Wiggum: Uh, no, you got the wrong number. This is 9-1…2.


Offline polonus

  • Avast Überevangelist
  • Maybe Bot
  • *****
  • Posts: 31659
  • malware fighter
Re: avast! does not detect malicious appendChild iframe
« Reply #13 on: May 28, 2012, 04:09:17 PM »
Hi folks,

A very good analytical job from !Donovan, thanks to him for delving this up and also thanks for the reporting to the av community,
Pondus, so they are aware an have added this to detection,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Dim@rik

  • Advanced Poster
  • **
  • Posts: 670
Re: avast! does not detect malicious appendChild iframe
« Reply #14 on: May 28, 2012, 05:21:21 PM »
+1 !Donovan

Good catch.

Working virus laboratory frustrating, very slowly add the samples. :'(