Tuesday, November 10, 2009

Quick Reference Links To Fight Iframe Injections

I have had many requests from people reading my articles on combating iframe injection attacks to create a quick start page with the various links one can use to detect and recover from iframe injection attacks.

These links are just a quick summary and you should read the full articles to get the maximum benefit.

CHECKING TO SEE IF YOUR WEBSITE IS SAFE

a) http://www.google.com/safebrowsing/diagnostic?site=http://yourdomain_name

Copy and paste the above link into your browser and then replace "yourdomain_name" with your actual website name, e.g., websiteprotection.net

b) http://www.unmaskparasites.com/

IFRAME SCANNERS

a) http://www.diovo.com

Using a text editor such as Notepad, you need to change the following line in the script:

$webpath = "Type your domain name here. Eg:http://www.diovo.com/";

which becomes:

$webpath = "http://www.yourdomain_name/";

where "yourdomain_name" is replaced with your actual domain name.
The test URL is:
http://www.yourdomain_name/clean.php?s=index.php&c=iframe
where s=webpage.ext names the page to be scanned.

b) http://www.websanity.co.uk

Using a text editor such as Notepad, change the following lines in the script as required:
define('IGNORE_EXTENSIONS',"jpg pdf zip psd doc gif swf xls"); // Ignore files of these types
define("IGNORE_BEFORE", strtotime('2009-08-01') );

c) Auto Scanner Scheduler: http://www.splinterware.com

FILE PERMISSIONS

chmod 444 (read-only for everyone) to prevent writing to the web page

IFRAME DE-OBFUSCATORS

a) http://www.novirusthanks.org

b) http://www.patzcatz.com

c) http://www.strictly-software.com

IFRAME UNPACKERS

a) http://matthewfl.com

b) http://blog.shimazu.org

c) http://www.strictly-software.com

IFRAME PACKER

For those who want to see how packing is done with a JavaScript packer.
Make sure to check the "Base62 encode" box or else it will not work.

http://dean.edwards.name/packer


You should use this quick guide after you have read all related iframe injection articles.

Don't forget that not all iframes are bad. Be sure before you delete.

Sunday, November 8, 2009

New Malicious iFrame Injection - Mal/Iframe-N

Mal/Iframe-N appears to be the latest malicious iframe injection attack on websites. I had touched on this briefly in other articles on combating malicious iframe injection attacks.

Security researchers warn that this new injection attack has infected thousands of websites with malicious IFrames. In order to avoid detection, the malicious IFrames get their src attribute (their URL) through an "onload" JavaScript event.

Since releasing detection for Mal/Iframe-N, SophosLabs have seen a rising number of detections. Detections are now into the thousands of websites affected by this threat. Some of the sites hit are also well known.

Normally, malicious iframes have the following form:

[iframe src='http://url/'width='1'height='1'][/iframe]

In the new attack there is no direct "src="; instead they use "onload=", as follows:

[frame onload="if (!this.src){ this.src='http://url'; this.height=1; this.width=1;}"].

All the domains used so far have been based in Russia.

The tools being used to inject these iframes currently add them at the end of the legitimate HTML, as shown below:

[html]
.
.
.
[/html]
[frame onload="if (!this.src).............

The page the iframe loads usually attacks vulnerabilities in the visitor's software, so make sure you install critical patches for popular software such as Adobe Reader, Flash Player, Java Runtime Environment, Microsoft Office or Windows itself.

You could also be infected with an obfuscated or packed JavaScript version of these malicious iframes.

More On Hidden Malicious Iframe Injections

If you have been reading my articles on combating malicious iframe injections, you will have noticed that these malicious iframes have a basic configuration as shown below:

[iframe src='http://url/'width='1'height='1'style='visibility: hidden;'][/iframe]

They have this configuration so that hackers can hide these unwanted iframes by making them invisible. The iframe is created with width and height of 1 pixel – visually it’s just a point. They also specify a style that makes it invisible: style='visibility: hidden;'

These iframes are invisible to web surfers but they can be detected in the HTML code of your web page.

To hide iframes in the HTML, hackers use obfuscated scripts. Apart from obfuscated scripts, hackers are now also using what is called packed JavaScript. Packing JavaScript is a good thing in itself, as it improves delivery and optimization. But, as always, these legitimate things can be used in a bad way to hide and insert malicious, unreadable iframes into your web page. When you check the HTML code of such web pages you don't see any iframes, just some JavaScript of unclear purpose with no URLs and no suspicious words within it. And since many modern web pages contain dozens of third-party scripts (e.g. ads, statistics, widgets, etc.) webmasters usually overlook such scripts.

Let us take the previous malicious iframe example and pack it. It would look like the following:

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('[0 2=\'3://4/\'5=\'1\'6=\'1\'7=\'8: 9;\'][/0]',10,10,'iframe||src|http|url|width|height|style|visibility|hidden'.split('|'),0,{}))

If you look at the above code, it is hard to see if it is malicious or not. You will notice some words that appear suspicious, but may not be. Sometimes you may not see any suspicious text at all.

What you need to do is to unpack this compressed code when you are unsure whether the scripts being loaded are malicious or not.

One site you can visit to unpack these compressed codes is at:

http://www.strictly-software.com/unpack-javascript.aspx

Simply copy the complete code, eval(function........), and paste it into the upper box. Click on the "Unpack" button. The final result will be shown in the second box and should be the actual code, which should now be completely readable. Once the code is readable, you need to determine whether or not it is malicious before you delete it.

To hide malicious code, hackers sometime encode their scripts multiple times, so that even if you execute such a script you’ll get just another obfuscated or compressed script. The malicious script decodes itself and creates another encoded script which in turn creates another hidden malicious iframe.

Further investigation on malicious iframes has shown that antivirus vendor Sophos warns that a new injection attack has infected thousands of websites with malicious iframes. In order to avoid detection, the rogue iframes get their src attribute (their URL) through an "onload" JavaScript event. Aside from the heavy obfuscation, this attack makes use of a specific trick to avoid web scanners. More specifically, decoding the string results in an iframe that does not have a direct src value; it uses a JavaScript "onload" function to generate it. The src usually points to a third-party server that attempts to infect visitors with malware. This usually attacks vulnerabilities in the visitor's software, so make sure you install critical patches for popular software such as Adobe Reader, Flash Player, Java Runtime Environment, Microsoft Office or Windows itself. When you unpack the code, look for this.
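The unpacking step and the hidden-iframe checks above, as an added example that is not code from the original post or from any of the linked tools: it statically replays the Dean Edwards "p,a,c,k,e,r" substitution without executing the script, then flags the 1x1, visibility:hidden and onload-assigned-src patterns. The sample inputs are constructed from the post's examples; the rule names are my own.

```javascript
// Added example (not from the original post): unpack a "p,a,c,k,e,r" packed
// script without running it, then flag the hidden-iframe patterns described above.

// Rebuild the packer's base-a key for dictionary index c (digits 0-9, a-z, A-Z).
function encodeIndex(c, a) {
  const head = c < a ? '' : encodeIndex(Math.floor(c / a), a);
  const d = c % a;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// Pull (p, a, c, k) out of eval(function(p,a,c,k,e,r){...}('p',a,c,'k'.split('|'),0,{}))
// and replay the word substitution ourselves; returns null if it is not packer output.
function unpackPacker(packed) {
  const m = packed.match(/\}\('((?:\\.|[^'\\])*)',(\d+),(\d+),'((?:\\.|[^'\\])*)'\.split\('\|'\)/);
  if (!m) return null;
  const p = m[1].replace(/\\(['\\])/g, '$1');           // undo JS string escaping
  const a = parseInt(m[2], 10), c = parseInt(m[3], 10);
  const k = m[4].split('|');
  const dict = {};
  for (let i = 0; i < c; i++) {
    const key = encodeIndex(i, a);
    dict[key] = k[i] || key;                             // empty word => key stays as-is
  }
  return p.replace(/\b\w+\b/g, w => Object.prototype.hasOwnProperty.call(dict, w) ? dict[w] : w);
}

// Heuristics from the post. Tags are matched with < > or the [ ] notation the post uses.
const RULES = [
  ['packed script (p,a,c,k,e,r)', /eval\(function\(p,a,c,k,e,[rd]\)/],
  ['onload assigns src (Mal/Iframe-N)', /[<\[]i?frame[^>\]]*onload\s*=\s*["'][^"']*this\.src\s*=/i],
  ['1x1 pixel frame', /[<\[]i?frame(?=[^>\]]*\bwidth\s*=\s*['"]?1(?!\d))(?=[^>\]]*\bheight\s*=\s*['"]?1(?!\d))/i],
  ['visibility:hidden frame', /[<\[]i?frame[^>\]]*visibility\s*:\s*hidden/i],
];

// Scan the HTML together with the unpacked form of every packer blob found in it.
function findSuspicious(html) {
  let text = html;
  const blobs = html.match(/eval\(function\(p,a,c,k,e,[rd]\)[\s\S]*?\.split\('\|'\),0,\{\}\)\)/g) || [];
  for (const blob of blobs) {
    const plain = unpackPacker(blob);
    if (plain) text += '\n' + plain;
  }
  return RULES.filter(([, re]) => re.test(text)).map(([name]) => name);
}

// Constructed samples: the packed iframe from the post and the onload variant.
const PACKED = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('[0 2=\'3://4/\'5=\'1\'6=\'1\'7=\'8: 9;\'][/0]',10,10,'iframe||src|http|url|width|height|style|visibility|hidden'.split('|'),0,{}))`;
const ONLOAD = `[frame onload="if (!this.src){ this.src='http://url'; this.height=1; this.width=1;}"]`;
console.log(unpackPacker(PACKED), findSuspicious(PACKED), findSuspicious(ONLOAD));
```

Because the unpacker never evaluates the script, it is safe to run over a saved copy of an infected page; a legitimately packed library simply unpacks to readable code that trips none of the iframe rules.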

The battle against malicious iframe injections is a constant one. It is also important to remember that not all iframes are bad. Before you remove a suspected iframe, make sure it is not a legitimate part of your web page. If you are not certain, download a copy of the web page before you do any deleting, just to be safe.