unixfreaxjp

False Positive for some advertisement IFRAME "JS/iFrame.cqo"

Mar 12th, 2012
These are the URLs that were given a malicious verdict.
Yes, it is using the IFRAME; yes, it used obfuscation.
But I don't see any payload or malicious infection, EXCEPT some pop-up advertisement banners, some script counters and SEO analytics JavaScript instead.

These are the URLs:
hxxp://mahogany100611n.blog.so-net.ne.jp/2012-02-13-16
hxxp://healthnews09251.blog.so-net.ne.jp/archive/20111117
hxxp://larceny081911ne.blog.so-net.ne.jp/2011-10-09
hxxp://flowerdeliverie.blog.so-net.ne.jp/archive/20111103
hxxp://squamouscell092.blog.so-net.ne.jp/2011-11-09

For your convenience, here I paste the analysis of one of the URLs above:

<iframe src=
"http://lostwebtracker.com/?if=1&scr_w=1024&scr_h=768&blog=http%3A//mahogany100611n.blog.so-net.ne.j
p/2012-02-13-16&ref=&l=celebrity" height="1" width="1"></iframe>

(repeated 1 time)

<iframe src=
"http://green-tracker.com/?if=1&scr_w=1024&scr_h=768&blog=http%3A//mahogany100611n.blog.so-net.ne.jp
/2012-02-13-16&ref=&l=celebrity" height="1" width="1"></iframe>

(repeated 1 time)

<div class="bookmark"><ul>

(repeated 1 time)

<li><a href="http://twitter.com/share" class="twitter-share-button" data-url=
"http://mahogany100611n.blog.so-net.ne.jp/2012-02-13-16" data-text=
"Barbie as Britney Spears in Toxic ^_^. I know, I know that the outfit is not ...?Barbie as Britney
Spears in Toxic ^_^. I know, I know that the outfit is not ...:Beny's blog:So-net???" data-count=
"none">Tweet</a><script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
</li>

(repeated 1 time)

<li><style>.mixi-check-button img { border:0;margin-right:2px;}</style><a href=
"http://mixi.jp/share.pl" style="border: none" class="mixi-check-button" data-key=
"8ca2c5d782d92e3b37ea8fb3b469bd7c3e963d41" data-button="button-1" data-url=
"http://mahogany100611n.blog.so-net.ne.jp/2012-02-13-16">mixi check</a><script type=
"text/javascript" src="http://static.mixi.jp/js/share.js"></script></li>

(repeated 1 time)

<li><a href=
"http://b.hatena.ne.jp/entry/http%3A%2F%2Fmahogany100611n.blog.so-net.ne.jp%2F2012-02-13-16" class=
"hatena-bookmark-button" data-hatena-bookmark-layout="standard" title="????????????????????"><img
src="http://b.st-hatena.com/images/entry-button/button-only.gif" alt="????????????????????" width=
"20" height="20" style="border: none;" /></a><script type="text/javascript" src=
"http://b.st-hatena.com/js/bookmark_button.js" charset="utf-8" async="async"></script></li>

(repeated 1 time)

<script src="https://apis.google.com/js/plusone.js">{
lang : 'ja'
}
</script>

(repeated 1 time)

<li><g:plusone size="medium" href="http://mahogany100611n.blog.so-net.ne.jp/2012-02-13-16" count=
"false"></g:plusone></li>

(repeated 1 time)

<li><iframe src=
"http://www.facebook.com/plugins/like.php?href=http%3A%2F%2Fmahogany100611n.blog.so-net.ne.jp%2F2012
-02-13-16&amp;layout=button_count&amp;show_faces=true&amp;width=110&amp;action=like&amp;colorscheme=
light&amp;height=20" scrolling="no" frameborder="0" style=
"display:inline; border:none; overflow:hidden; width:110px; height:20px" allowTransparency="true">
</iframe></li>

(repeated 1 time)

</ul></div>

(repeated 1 time)

<div id="square-under-1"></div>

(repeated 1 time)

<iframe name="maad" src=
"http://match.seesaa.jp/ot_square.pl?hid=14&sid=mahogany100611n:10000006590014&tid=101_sonet&c=3&bg_
c=ffffff&bg_reverse_c=fff7d7&title_c=2200cc&text_c=333333&border_c=ffffff&link_c=008000&sponsor_c=00
0000&referer=&frame_type=0"

(repeated 1 time)

width="156" height="378" scrolling="no" frameborder="no" marginwidth="0" marginheight="0" allowTran
sparency="true"></iframe>

(repeated 1 time)
----
ZeroDay Japan
http://0day.jp
Malware Analyst: Hendrik ADRIAN / アドリアン・ヘンドリック
Twitter/VirusTotal/Google: @unixfreaxjp
Analysis Blog: http://unixfreaxjp.blogspot.com
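
Added example, not part of the original paste: a first-pass triage helper that inventories the remote iframes and scripts in a flagged page and marks which frames are invisible, so each destination can then be checked for a payload. The function names, the "1px or less / display:none" hiding heuristic and the shortened sample markup are assumptions made for this illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: markup shaped like the paste's, query strings shortened.
SAMPLE = """
<iframe src="http://lostwebtracker.com/?if=1&scr_w=1024" height="1" width="1"></iframe>
<iframe src="http://www.facebook.com/plugins/like.php?layout=button_count" scrolling="no"
 style="display:inline; border:none; overflow:hidden; width:110px; height:20px"></iframe>
<iframe name="maad" src="http://match.seesaa.jp/ot_square.pl?hid=14" width="156" height="378"></iframe>
<script type="text/javascript" src="http://platform.twitter.com/widgets.js"></script>
"""

def _px(value):
    """'1' or '1px' -> 1; None when absent or not a plain pixel count."""
    v = (value or "").strip().lower()
    v = v[:-2] if v.endswith("px") else v
    return int(v) if v.isdigit() else None

def is_hidden(attrs):
    """True for frames a visitor cannot see: display/visibility off, or <= 1px on a side."""
    decls = (d.partition(":") for d in (attrs.get("style") or "").split(";"))
    style = {k.strip().lower(): v.strip().lower() for k, _, v in decls if k.strip()}
    if style.get("display") == "none" or style.get("visibility") == "hidden":
        return True
    # A CSS dimension overrides the width/height attribute when both are present.
    dims = [_px(style.get(side, attrs.get(side))) for side in ("width", "height")]
    return any(d is not None and d <= 1 for d in dims)

class RemoteLoads(HTMLParser):
    """Record every iframe and script element that has a src attribute."""
    def __init__(self):
        super().__init__()
        self.items = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("iframe", "script") and a.get("src"):
            self.items.append({"tag": tag, "host": urlsplit(a["src"]).hostname or "",
                               "hidden": tag == "iframe" and is_hidden(a)})

def inventory(html):
    parser = RemoteLoads()
    parser.feed(html)
    parser.close()
    return parser.items

def hidden_frame_hosts(html):
    """Hosts loaded in invisible iframes: the destinations to inspect first."""
    return sorted({i["host"] for i in inventory(html) if i["hidden"]})

if __name__ == "__main__":
    for item in inventory(SAMPLE):
        print(f'{item["tag"]:7}{"hidden" if item["hidden"] else "visible":8}{item["host"]}')
```

A hidden frame is only a lead, not a verdict: the paste's conclusion came from looking at what those destinations actually served.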