InformAction Forums

Greetings NoScript Community,
I'll start with some basic system specs:
OS: Vista
Antivirus: Microsoft Security Essentials (MSE)
Browser: Firefox with NoScript, of course

My computer knowledge: very minimal

My problem:

Over a week ago, I was doing some research for a school project. I entered some search terms into Google and clicked on a site. I was then alerted by my anti-virus software (MSE), that a malicious file was detected.

It is called Exploit:HTML/IframeRef.gen

Here is a link to microsoft's description of this malicious file: http://www.microsoft.com/security/porta ... ameRef.gen
I followed the instructions given to me by MSE and clicked "clean computer", and MSE informed me that it was successful in cleaning it.
Again, that was a little over a week ago.

About 30 minutes ago, out of curiosity, I entered the same search terms into Google that led me to the website previously, with the intention of NOT clicking on it. And I did not click on it. However, the search results in Google actually triggered an identical warning from MSE! Again, I did NOT click on ANY of the results this time. I merely searched on Google and the SEARCH RESULTS PAGE ITSELF led to my anti-virus giving me this detection. Any theories as to why this happened? Could it be that the search results page itself is infected? Is that even possible? Also, was it the case that the original detection was in fact triggered by the search results page too, but that I just clicked on a site before the warning box came up and I erroneously attributed the incident to the site I clicked on instead of the search results page? I am also worried that this could be due to something residual being on my computer from something prior. But all of my on-demand scans have come back clean. I will scan again after I post this.

Regarding the nature of the detected threat: Here is a link to a post discussing Exploit:HTML/IframeRef.gen on this forum:
http://forums.informaction.com/viewtopic.php?f=8&t=4471
In the above thread, the venerable Giorgio Maone explains that the malicious Iframe redirects to a site containing an exploit, but that NoScript users are protected from such exploits most of the time, since such exploits usually rely on javascript or a plugin. Hopefully, I properly understood what Giorgio was saying. Again, my computer knowledge is very minimal.

Thanks to all who read this. Hopefully someone can answer my questions and, in the process, make me less worried about this so I can move on.

Igwo

P.S. If someone wants me to, and if it is permitted, I can provide the search terms which bring up the possibly malicious search results. You would be surprised how benign the terms look. You'd never guess it would result in something bad. I was merely searching for crime statistics about a country I was researching for school.

Firefox may be prefetching links (pipelining), which may have triggered the MSE warning.
Disable pipelining, clear your cache, enter the same search, see if you again get the warning.

MSE may be scanning for IFRAME in general, & may be flagging anything related?

NoScript Options | Embeddings -> Additional restrictions ... enable Forbid <IFRAME>.
Revisit the site. See if MSE still warns.

I am assuming that there was actually nothing even on your computer, simply a detection by MSE.


> I can provide the search terms

Sure, go ahead.

Thank you, therube.
I'll have to take a few minutes to educate myself on some of the terms/concepts you used, before I can really understand what you're saying. Again, I'm not very technically adept (I'm trying to improve though). And I'd like to understand what's going on, because I am curious too.

Firefox may be prefetching links (pipelining), which may have triggered the MSE warning.

I have a guess as to what that means, but I'll have to look up "prefetching" and "pipelining" to understand. I've heard pipelining for processors but not for browsers. I'll look those up.

Disable pipelining, clear your cache, enter the same search, see if you again get the warning.

I will probably take your advice and disable pipelining. I think I have my cache set to clear each time FF closes. I'm a bit hesitant to do the same search again though, but I probably will.

MSE may be scanning for IFRAME in general, & may be flagging anything related?

I have no idea. Sounds possible though.

NoScript Options | Embeddings -> Additional restrictions ... enable Forbid <IFRAME>.
Revisit the site. See if MSE still warns.

I actually did this after the first detection of IframeRef.gen over a week ago.

I am assuming that there was actually nothing even on your computer, simply a detection by MSE.

That is something I am confused on. I really don't know if my system was compromised, infected or not. I do not know if MSE intercepted it in time. The path of the detected file, as told by MSE, does seem to explicitly say that the malicious file was in firefox's cache. I hope it didn't have the opportunity to do harm.

The search terms which triggered the detection:

spain crime

amazing isn't it?

TheRube, where did you get the idea from that pipelining is the same as prefetching (in Fx)?!

Wasn't sure? May be mixing up two terminologies.
If so, set me straight .

Yep, mixing up, it seems.

network.prefetch-next

network.http.pipelining

So it would be prefetch that (if you are interested) you would disable to see if that makes a change.
(And that would assume that Google does do prefetching on their pages?)

Igwo wrote:I really don't know if my system was compromised, infected or not. I do not know if MSE intercepted it in time. The path of the detected file, as told by MSE, does seem to explicitly say that the malicious file was in firefox's cache. I hope it didn't have the opportunity to do harm.

I doubt it did any harm, especially if the detected file was in Firefox's cache. It sounds like your original google search may have returned a link to a malicious or hacked site. MSE recognized one of the sites as problematic, gave you a warning, and blocked any malicious behavior.

Although I think you don't need to do anything. I recommend the following:
- Don't mess around with any of Firefox's default settings in an attempt to get rid of warnings like this. It could cause performance problems. Quite often a user's response to an AV message is what causes damage.
- You have little to fear if your OS, IE (if on Windows), Firefox, and other applications are current with all security updates. I use Secunia PSI to make sure mine is current.
- Caveat: NoScript, your AV, and my previous recommendations are no substitute for being cautious and using the Internet prudently, i.e. what's called "safe hex".
- Scan your system with MSE.

- Don't mess around with any of Firefox's default settings in an attempt to get rid of warnings like this. It could cause performance problems. Quite often a user's response to an AV message is what causes damage.

Hi Alan, I was reading this thread and am had an experience the other day with something very worrying, and wondering whether I should shut off prefetch as well.

Are you saying in your quote shown above to not change the prefetch off?

Thank you.

therube,

You were right about the prefetching thing. I looked up how to turn it off, and did so. Then I repeated the search on google but I did not get a message from MSE. So thank you for your advice. I was able to put it to use.
This prefetching thing seems like a clever little feature, but I can do without it and I don't see why the average user like me would want this enabled. I absolutely do not like it. After I learned a bit about it, it seems like it is the same concept as Vista's Superfetch (which has been turned off on my machine) only applied to browsing websites and thereby presenting security risks. The trade off between risk and performance just does not seem to justify this feature.

Alan Baxter,

I doubt it did any harm, especially if the detected file was in Firefox's cache.

Thanks man. I feel better after reading that. BTW, is this related to the "sandbox" concept? Does this mean that Firefox's cache is relatively isolated from the rest of my system?

It sounds like your original google search may have returned a link to a malicious or hacked site. MSE recognized one of the sites as problematic, gave you a warning, and blocked any malicious behavior.

Do you still think that I'm okay even considering that I probably did click on a link and actually go to the malicious/hacked site originally?

Also, regarding the subsequent infection via Firefox's prefetching from google's search results:
At that point, iframes were disabled in NoScript(because I disabled it after the first incident with Iframeref.gen over a week ago). So even if iframes are disabled in NoScript, that does not prevent them from being loaded into Firefox's cache but rather just prevents them from running? Could you explain in what way NoScript is blocking iframes?

Don't mess around with any of Firefox's default settings in an attempt to get rid of warnings like this. It could cause performance problems. Quite often a user's response to an AV message is what causes damage.

I'm definitely not comfortable messing around with FF's default setting unless I know what it will do. The only thing I did in this case was disable prefetching.

I use Secunia PSI to make sure mine is current.

Thanks, I'll look that up.

Caveat: NoScript, your AV, and my previous recommendations are no substitute for being cautious and using the Internet prudently, i.e. what's called "safe hex".

Absolutely. My surfing habits are what many would consider quite boring. That's what frustrates me about when I run into problems with malware. I think to myself that I did things by the book and I still ran into malware. I rarely even visit strange sites to begin with. I normally just stick to a familiar circuit of sites that I know are okay.

By the way, I actually had a similar problem(i.e. related in some way to iframes) before the iframeRef.gen thing. I am still worried about that too. That time, I clicked on a site out of personal interest, and I got a warning from MSE. In that case, it was, according to MSE, a TrojanClicker:HTML/Iframe.J. Explained by MS here: http://www.microsoft.com/security/porta ... 2fIframe.J
That happened about a month ago I think. I didn't want to get into it in my OP because the post was long already. But if anyone wants to share their thoughts on Iframe.J I'd be interested in hearing, as I am still worried about that one too.

Scan your system with MSE.

Came back clean.


Thanks again to all who responded.

Igwo ( Igwo = Ignorant Worried)

You're welcome.

Guest wrote:Are you saying in your quote shown above to not change the prefetch off?

Yes, don't bother turning Firefox prefetch off. Disabling it rarely fixes any problems and may slow down website navigation. It's been implemented and turned on by default in Firefox for oodles of years, since Fx 0.6. On the other hand, disabling it shouldn't actually break anything.
https://developer.mozilla.org/en/Link_prefetching_FAQ
http://kb.mozillazine.org/Network.prefetch-next

Igwo wrote:[prefetch] seems like it is the same concept as Vista's Superfetch (which has been turned off on my machine) only applied to browsing websites and thereby presenting security risks. The trade off between risk and performance just does not seem to justify this feature.

I'm glad to hear you don't get any more messages from MSE while doing your google search. Firefox prefetch does not present any security risk. Prefetched content is benign and a website can't mount an attack until you actually click on the link. Any problematic content that MSE happens to recognize at the time of prefetch would be blocked when the link is clicked anyway. Even if you clicked on a problematic website -- assuming you have a fully patched system -- it's unlikely that the website could compromise your computer. IMO, AV companies drum up a lot of business by loudly blocking things even when they aren't a problem. it angers me a little that that this "attack" has caused you needless worry. Just to clarify, I'm angry about overblown AV, not with you, and I respectfully disagree with you about the security of Firefox prefetch. Different strokes for different folks. Just ask therube what he thinks about AV.

Alan Baxter:

I doubt it did any harm, especially if the detected file was in Firefox's cache.

Thanks man. I feel better after reading that. BTW, is this related to the "sandbox" concept? Does this mean that Firefox's cache is relatively isolated from the rest of my system?

It's not related to sandboxing. Unlike IE, the content of Firefox's cache has obfuscated filenames. Its content cannot be executed directly out of the cache.

Do you still think that I'm okay even considering that I probably did click on a link and actually go to the malicious/hacked site originally?

Yes, for two reasons:
1) As I stated above, just visiting a malicious or hacked site rarely compromises a fully patched system. Most of these drive-by attempts try to exploit a known browser vulnerability that has already been patched.
2) Since the payload was one that MSE happens to recognize, even if it were successfully delivered MSE would have recognized and blocked any attempt to execute it.

Also, regarding the subsequent infection via Firefox's prefetching from google's search results:
At that point, iframes were disabled in NoScript(because I disabled it after the first incident with Iframeref.gen over a week ago). So even if iframes are disabled in NoScript, that does not prevent them from being loaded into Firefox's cache but rather just prevents them from running? Could you explain in what way NoScript is blocking iframes?

As far as I know, your understanding is correct, i.e. the contents of a web page are cached. NoScript blocks the actual execution of an iframe's contents if you have that non-default feature enabled. I don't bother blocking iframes. It breaks too much stuff and any malicious content is blocked by Firefox or NoScript's other defenses.

The only thing I did in this case was disable prefetching.

Disabling prefetch shouldn't cause any problems.

By the way, I actually had a similar problem(i.e. related in some way to iframes) before the iframeRef.gen thing. I am still worried about that too. That time, I clicked on a site out of personal interest, and I got a warning from MSE. In that case, it was, according to MSE, a TrojanClicker:HTML/Iframe.J. Explained by MS here: http://www.microsoft.com/security/porta ... 2fIframe.J
That happened about a month ago I think. I didn't want to get into it in my OP because the post was long already. But if anyone wants to share their thoughts on Iframe.J I'd be interested in hearing, as I am still worried about that one too.

Sorry, I can't add any thoughts about Iframe.J specifically, but I don't want you to worry. Since it was something that happened to be in MSE's database, you were protected from it in this case. If you were ever to get compromised -- which may never happen to you if you practice safe hex on a fully patched system -- it would probably be by something MSE doesn't detect.

Hope this was informative, interesting, or helped at all. I probably won't have time to reply further for another week or so. Good luck!

Just ask therube what he thinks about AV.

AV. What AV? Oops, I think I just answered your question .

Do you still think that I'm okay even considering that I probably did click on a link and actually go to the malicious/hacked site originally?

Yes, for two reasons:
1) As I stated above, just visiting a malicious or hacked site rarely compromises a fully patched system. Most of these drive-by attempts try to exploit a known browser vulnerability that has already been patched.
2) Since the payload was one that MSE happens to recognize, even if it were successfully delivered MSE would have recognized and blocked any attempt to execute it.

Not forgetting the third reason - the one that NS has always been here for:
3) The majority of naughty stuff gets delivered via scripting, which won't work if the site isn't whitelisted by NS anyway.

To an AV hammer resident in your system, everything in your browser is a nail.
To NS, resident in your browser, many real nails don't even need hammering.

Both comprise so-called layered defence which is always a good approach if you are ignorant and worried

Alan wrote: Yes, don't bother turning Firefox prefetch off. Disabling it rarely fixes any problems and may slow down website navigation. It's been implemented and turned on by default in Firefox for oodles of years, since Fx 0.6. On the other hand, disabling it shouldn't actually break anything.
https://developer.mozilla.org/en/Link_prefetching_FAQ
http://kb.mozillazine.org/Network.prefetch-next

Thank you very much for your reply.

Hi Alan,

Thank you for the additional information.

I probably won't have time to reply further for another week or so.

That's alright man. I appreciate your helping me.

Guest2,

Not forgetting the third reason - the one that NS has always been here for:
3) The majority of naughty stuff gets delivered via scripting, which won't work if the site isn't whitelisted by NS anyway.

To an AV hammer resident in your system, everything in your browser is a nail.
To NS, resident in your browser, many real nails don't even need hammering.

Both comprise so-called layered defence which is always a good approach if you are ignorant and worried

Thanks for your take on this. NS has been very beneficial to my peace of mind. Since I've started using NS, the rate at which my computer gets infected has become quite low. It is very, very, rare (and I think a lot of the very few infections my system has got, have been false positives).