Sunday, November 8, 2009

New Malicious iFrame Injection - Mal/Iframe-N

Mal/Iframe-N appears to be the latest malicious iframe injection attack on websites. I had touched on this briefly in other articles on combating malicious iframe injection attacks.

Security researchers warn that this new injection attack has infected thousands of websites with malicious IFrames. In order to avoid detection, the malicious IFrames get their src attribute (their URL) through an "onload" JavaScript event.

Since releasing detection for Mal/Iframe-N, SophosLabs has seen a rising number of detections, and thousands of websites are now affected by this threat. Some of the sites hit are well known.

Normally, malicious iframes have the following form:

[iframe src='http://url/' width='1' height='1'][/iframe]

In the new attack there isn't a direct "src="; instead, the attackers use "onload=" as follows:

[iframe onload="if (!this.src){ this.src='http://url'; this.height=1; this.width=1;}"]

All the domains used so far have been based in Russia.

The tools being used to inject these Iframes are currently adding them to the end of legitimate HTML as shown below:

[html]
.
.
.
[/html]
[iframe onload="if (!this.src).............

These attacks usually target vulnerabilities in your software, so make sure you install critical patches for popular software such as Adobe Reader, Flash Player, Java Runtime Environment, Microsoft Office or Windows itself.

Your site could also be infected with an obfuscated or packed JavaScript version of these malicious iframes.
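A server-side check for the traits described above (an iframe whose src is assigned from its onload handler, the older 1x1 form, and markup appended after the closing html tag), as an added example that is not from the original post. The function names, rule labels and sample pages are constructed for illustration, and real angle-bracket HTML is used in place of the square brackets shown above.

```python
import re
from html.parser import HTMLParser

# Handler text that assigns a URL to the element's own src, as in the sample above.
SRC_ASSIGN = re.compile(r"\bthis\s*\.\s*src\s*=(?!=)", re.I)
HTML_CLOSE = re.compile(r"</html\s*>", re.I)


class IframeAudit(HTMLParser):
    """Collects iframe/frame tags that match the injection patterns."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "frame"):
            return
        a = {k: (v or "") for k, v in attrs}
        line = self.getpos()[0]
        if not a.get("src") and SRC_ASSIGN.search(a.get("onload", "")):
            self.findings.append((line, "onload-sets-src"))
        elif a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
            self.findings.append((line, "tiny-static-iframe"))  # 0 is an assumed variant


def scan_html(text):
    """Return sorted (line, rule) findings for one HTML document."""
    audit = IframeAudit()
    audit.feed(text)
    audit.close()
    findings = list(audit.findings)
    # Injection tools append after the document's end: flag markup past the last </html>.
    closes = list(HTML_CLOSE.finditer(text))
    if closes and "<" in text[closes[-1].end():]:
        line = text.count("\n", 0, closes[-1].end()) + 1
        findings.append((line, "markup-after-html-close"))
    return sorted(findings)


# Constructed sample pages (placeholder URL, not a real indicator).
INFECTED = ("<html>\n<body><p>Welcome</p></body>\n</html>\n"
            "<iframe onload=\"if (!this.src){ this.src='http://url.example/'; "
            "this.height=1; this.width=1;}\"></iframe>\n")
CLEAN = "<html>\n<body><iframe src='/map' width='600' height='400'></iframe></body>\n</html>\n"

if __name__ == "__main__":
    for name, page in (("infected", INFECTED), ("clean", CLEAN)):
        print(name, scan_html(page))
```

The onload rule only matches the plain form of the handler; for obfuscated or packed variants, the markup-after-html-close rule is the one more likely to fire, since it does not depend on the handler text.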
