Blog de Zscaler

Reciba en su bandeja de entrada las últimas actualizaciones del blog de Zscaler

Suscribirse
Security Research

Injecting Malicious HTML IFrames – Still A Popular Attack Vector

image
THREATLABZ
March 01, 2011 - 2 Min de lectura
Injecting malicious HTML IFrames into the legitimate web pages has become a commonplace technique in web based attacks. We recently came across another website that is infected with a malicious IFrame. Further research shows that the same malicious IFrame used in this website was also used to infect a number of other legitimate websites. Here is the main page of the infected site:

Image

 

 

 

The page itself provides no visible indication of infection, but if you look at the source of the webpage, you will notice a malicious IFrame injected under the Latest News section. Here is the source of page,

Image

 

 

 

The malicious IFrame points to “hxxp:// nutcountry.ru:8080/index.php?pid=13” which is currently down. By taking the advantage of known/unknown vulnerabilities, attackers have injected malicious IFrames into many legitimate web pages. In this particular case, not only the home page is infected, but all the other pages on the site are infected. This likely indicates that the attacker used a SQL injection vulnerability to inject the malicious IFrame into the backend database from which webpages are dynamically generated. A quick search on Google reveals a significant number of websites infected with with the same IFrame. Here is screenshot of the search results:

Image

 

 

 

Another search reveals that Google has begun to proactively warn users about some of the pages associated with this attack.

Image

 

 

 

You will note that the search results include ~85k sites which suggests that this particular attack was very broad in scope. This attack also appears to have leveraged persistent XSS (Cross Site Scripting) vulnerabilities to inject malicious IFrames into the comment sections of various web forums. Here is a screenshot of one such website:

Image

 

 

 

Here is a list of malicious IFrames associated with this attack that you should block:

 

hxxp:// nutcountry.ru:8080/index.php?pid=13

 

hxxp:// parkperson.ru:8080/index.php?pid=13

 

hxxp:// blockoctopus.ru:8080/index.php?pid=13

 

hxxp:// nemohuildiin.ru/tds/go.php?sid=1

 

hxxp://vamptoes.ru:8080/index.php?pid=13

 

hxxp://www.bindispute.ru:8080/index.php?p13

 

hxxp://www.bellday.ru:8080/index.php?pid=13

 

Attackers are continuing to take advantage of the poor security in web applications by writing utilities that are capable of infecting large numbers of sites in short period of time due, which in turn translates to thousands of victims with minimal effort.

 

Umesh

form submtited
Gracias por leer

¿Este post ha sido útil?

Reciba las últimas actualizaciones del blog de Zscaler en su bandeja de entrada

Al enviar el formulario, acepta nuestra política de privacidad.