ThreatSTOP Blog

iFrame droppers and other drive-bys: how ThreatSTOP protects you.

Written by tombthreatstop | May 10, 2010

Someone forwarded me an article from CSO Online about how the website of the US Bureau of Engraving and Printing was being used to deliver malware via an injected iFrame.

It seems the smart guys over @ AVG found this: https://www.bankinfosecurity.com/treasury-websites-reportedly-hacked-a-2486

This is the sort of thing that ThreatSTOP is tailor-made to protect against. While the infected websites, domain names, URLs, and code used by attackers vary widely, most of the time they have to connect back to some relatively small set of frequently reused hosts that are under the crackers' control. In this case, the IP address 188.124.16.133 has been used repeatedly to drop malware.

If you have ThreatSTOP on your firewall, then even if you visit a site with this sort of compromise, there's a very good chance that the IP the hidden iFrame redirects you to will already have been "made" (identified and listed) by our sensors or analysts. The firewall drops the outbound connection, so even if you load the infected page, all you will see is a broken link instead of a deluge of exploit attempts.
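To make the mechanism concrete, here is an added example (my own illustration, not ThreatSTOP's code or anything from the AVG write-up) of the two halves of a drive-by: a page carrying an injected, visually hidden iFrame, and a destination check of the kind a reputation-fed firewall performs before the browser's follow-up request is allowed out. The block list is constructed for the example; 188.124.16.133 is the dropper address named in this post, and the other entries (203.0.113.0/24, malware-dropper.example) are made-up placeholders. The sample page is likewise constructed and is not the compromised Bureau page.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed block list standing in for a reputation feed. 188.124.16.133 is the
# dropper address named in the post; the other entries are made up for this example.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("188.124.16.133/32", "203.0.113.0/24")]
BLOCKED_HOSTS = {"malware-dropper.example"}  # hypothetical hostname entry


class IFrameCollector(HTMLParser):
    """Collect every <iframe> on a page together with whether it is visually hidden."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        style = a.get("style", "").replace(" ", "").lower()
        # Injected droppers are typically 0x0 or 1x1 pixels, or hidden via CSS.
        hidden = (
            a.get("width", "").strip() in ("0", "1", "0px", "1px")
            or a.get("height", "").strip() in ("0", "1", "0px", "1px")
            or "display:none" in style
            or "visibility:hidden" in style
        )
        self.iframes.append({"src": a.get("src", ""), "hidden": hidden})


def extract_iframes(html):
    """Return a list of {"src", "hidden"} dicts for every iframe in the page."""
    parser = IFrameCollector()
    parser.feed(html)
    parser.close()
    return parser.iframes


def destination_blocked(url):
    """Emulate the firewall check: is the iframe's destination on the block list?

    A literal IP is matched against BLOCKED_NETWORKS (so a /24 catches a whole
    attacker range); a hostname is matched against BLOCKED_HOSTS. No DNS is done
    here, so a blocked IP reached via an unlisted hostname would be missed; a real
    deployment applies the IP list at the firewall, after resolution.
    """
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in BLOCKED_HOSTS
    return any(addr in net for net in BLOCKED_NETWORKS)


def assess_page(html):
    """Return (verdict, findings) for a fetched page body.

    "blocked": at least one iframe points at a listed destination (connection dropped).
    "suspicious": a hidden iframe whose destination is not (yet) listed.
    "clean": no hidden iframes and nothing listed.
    """
    findings = [dict(f, blocked=destination_blocked(f["src"])) for f in extract_iframes(html)]
    if any(f["blocked"] for f in findings):
        verdict = "blocked"
    elif any(f["hidden"] for f in findings):
        verdict = "suspicious"
    else:
        verdict = "clean"
    return verdict, findings


# Constructed sample resembling a compromised page: one legitimate visible iframe
# plus a zero-size one injected at the bottom of the body.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://www.example.org/widget" width="300" height="200"></iframe>
<iframe src="http://188.124.16.133/in.cgi?3" width=0 height=0 style="visibility: hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    verdict, findings = assess_page(SAMPLE_PAGE)
    print(verdict)
    for finding in findings:
        print(finding)
```

The "suspicious" verdict is the gap the post is honest about: a hidden iFrame pointing at a destination nobody has listed yet gets through, which is why the list has to be fed continuously from sensors and analysts rather than built once.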

For the average end user, this represents a minor inconvenience most of the time, or at worst the need to run a cleaner from one of the many very good anti-malware vendors (including AVG).

For the average company, this can prevent a disaster: the network pipes get clogged with exploit traffic, computers get turned into bots that send spam, your IP ends up blacklisted by the RBLs, and IT spends hours remediating.

ThreatSTOP isn't perfect, but we do protect, in real time, against emerging attacks; by blocking the call home to the cybercriminal mother ships, we give you that "last chance" to prevent compromise.

You have a firewall, make it smarter. Check out ThreatSTOP @ http://www.threatstop.com