Malware on Ibanezregister.com (?)

Hi Guys,

I followed a link to ibanezregister.com yesterday. My virus scanner started bleeping:

[attachment: 108711185510-My-Desktop.png]

I sent the file in question to Virustotal and let it scan there. Result:

Scanner            Version           Last update   Result
AhnLab-V3          2008.8.12.0       2008.08.11    -
AntiVir            7.8.1.19          2008.08.11    JS/Dldr.Iframe.CF
Authentium         5.1.0.4           2008.08.11    -
Avast              4.8.1195.0        2008.08.11    -
AVG                8.0.0.156         2008.08.11    -
BitDefender        7.2               2008.08.11    -
CAT-QuickHeal      9.50              2008.08.11    -
ClamAV             0.93.1            2008.08.11    -
DrWeb              4.44.0.09170      2008.08.11    -
eSafe              7.0.17.0          2008.08.11    -
eTrust-Vet         31.6.6023         2008.08.11    -
Ewido              4.0               2008.08.11    -
F-Prot             4.4.4.56          2008.08.11    -
F-Secure           7.60.13501.0      2008.08.11    -
Fortinet           3.14.0.0          2008.08.11    -
GData              2.0.7306.1023     2008.08.11    -
Ikarus             T3.1.1.34.0       2008.08.11    -
K7AntiVirus        7.10.411          2008.08.11    -
Kaspersky          7.0.0.125         2008.08.11    -
McAfee             5358              2008.08.11    Exploit-IFrame
Microsoft          1.3807            2008.08.11    -
NOD32v2            3346              2008.08.11    -
Norman             5.80.02           2008.08.11    -
Panda              9.0.0.4           2008.08.11    -
PCTools            4.4.2.0           2008.08.11    -
Prevx1             V2                2008.08.11    -
Rising             20.57.02.00       2008.08.11    -
Sophos             4.32.0            2008.08.11    -
Sunbelt            3.1.1538.1        2008.08.09    -
Symantec           10                2008.08.11    -
TheHacker          6.2.96.395        2008.08.08    -
TrendMicro         8.700.0.1004      2008.08.11    -
VBA32              3.12.8.3          2008.08.11    -
ViRobot            2008.8.11.1331    2008.08.11    -
VirusBuster        4.5.11.0          2008.08.11    -
Webwasher-Gateway  6.6.2             2008.08.11    Script.Dldr.Iframe.CF

Looked a bit like a false positive (Webwasher and Avira use the same detection engine, so only McAfee confirmed) but I sent it to Avira for further analysis. Today came the result:

[attachment: 108712135737-My-Desktop.png]

Avira confirms that it is malware. Since it has its own name (JS/Dldr.Iframe.CF), it has been recognized before anyway. The site apparently contains a hidden script that downloads malware ("Dldr"=Downloader) from another site. I assume that this can only work - as usual - when using IE and having Javascript enabled.

In other words, they might have been hacked. Don't go there.


There are a lot of sites that have been hacked to include cross browser scripting. Sadly, Firefox is not necessarily immune, either. Last summer I had a cross site script download and try to get me to install some software. The payload ended up on my machine but I didn't install it and removed it with the Trend Micro Housecall online free scan.

The exploit was hosted on a number of innocent but clueless third party sites, The Economist, Yahoo, AllMusic, and others.

A more pernicious and ongoing problem is so-called social engineering exploits that are scattered on member pages for Facebook, MySpace, and other social networking sites. The trick is to try to get you to download and install worm malware -- typically in the guise of a media player or "special codec" to see some "special" media of some sort.

But a newly popular exploit is to try to trick people into downloading a worm package disguised as a Flash player update.

A quick glance at the URL might at first LOOK like it's going to Adobe but a more careful examination will show the URL actually uses subdomain prefixes to try to fool people, a la, adobe.com.blahblahblah.SomeRealBadPeople.com/blahblhablah/nastyPayload.exe -- if you get the drift.

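As an added illustration of the subdomain-prefix trick described in the post above (example code, not from the original thread), here is a Python check that contrasts the quick-glance test ("does adobe.com appear in the URL?") with the check that matters (which registrable domain actually serves the file). The allowlist and the sample URLs are constructed for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allowlist: vendors whose update downloads a user would expect.
TRUSTED_DOMAINS = {"adobe.com", "apple.com"}


def registrable_domain(host: str) -> str:
    """Return the last two labels of a hostname, i.e. the part the DNS owner controls.

    Simplification for the example: production code should consult the Public
    Suffix List so that hosts under suffixes such as 'co.uk' are handled too.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def naive_looks_trusted(url: str) -> bool:
    """The check a quick glance performs: a trusted name appears somewhere in the host."""
    host = urlsplit(url).hostname or ""
    return any(domain in host for domain in TRUSTED_DOMAINS)


def is_trusted_download(url: str) -> bool:
    """The careful check: the registrable domain itself must be on the allowlist."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    return registrable_domain(parts.hostname) in TRUSTED_DOMAINS


def classify(url: str) -> str:
    """'trusted', 'lookalike' (trusted name used only as a subdomain prefix) or 'untrusted'."""
    if is_trusted_download(url):
        return "trusted"
    if naive_looks_trusted(url):
        return "lookalike"
    return "untrusted"


# Constructed sample URLs in the pattern the post describes (no real hosts).
SAMPLES = [
    "http://adobe.com.blahblahblah.SomeRealBadPeople.com/blahblhablah/nastyPayload.exe",
    "https://get.adobe.com/flashplayer/",
    "http://updates.example.net/flash_update.exe",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{classify(sample):10} {sample}")
```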

I keep getting an "update is available" for Apple I-Tunes / Quicktime or something. I ignore and close it and wonder wtf? I have my automatic updates turned off. AMD Dual 3800, Windows XP Corp. Firefox 3. No idea if I should install it or not.


I keep getting an "update is available" for Apple I-Tunes / Quicktime or something. I ignore and close it and wonder wtf? I have my automatic updates turned off. AMD Dual 3800, Windows XP Corp. Firefox 3. No idea if I should install it or not.

Do not install it!

There is a new exploit targeting Windows, Linux, and Mac IE, Safari, and Firefox users -- it uses Flash banner advertising on some major sites and takes over your clipboard...

Malicious hackers are using booby-trapped Flash banner ads to hijack for use in rogue security software attacks. In the Web attacks, which target Mac, Windows running Firefox, IE and Safari, hackers are seizing control of the machine


Me, I wouldn't touch anything from McAfee or Norton/Symantec. But that's just me. Well, it's not just me. But it's not everybody, I guess. ;)

I am a big fan of NoScript for Firefox, though, which can stop cross site or even all scripting, letting the user only allow those sites he wants to have javascript powers.
