TrustedSource™ Blog

Iframes and infected web pages

January 30th, 2008

Every now and then it happens that legitimate web sites are compromised. In today’s environment, this doesn’t mean that there is a script kiddie wanting to deface a web site for notoriety. Today, these compromised web sites look exactly as they did before. Usually the drive-by infection goes unnoticed - the malware authors don’t want to attract too much attention.

For example, take a look at this Russian web site, “restorant***.ru”:

As you can see, you don’t see anything, right? But the evil lies within the source code of this web site. Most infections are just invisible references to external sources. A quick look shows that there is more:

Right at the top, just before the first <html> tag starts, there is a ‘hidden’ IFRAME pointing to an external resource. Luckily, Webwasher Anti-Malware already blocks the whole web page as ‘Script.Infected.WebPage.Gen’ and stops the infection right at the start.

But when you follow the target to see how deep the rabbit hole goes, you come across more IFRAMEs and simple HTTP redirections, and finally end at an encrypted JavaScript, which seems to be from an MPack-based exploit kit. This JavaScript is just a simple XOR decoder loop, which hides the real exploits (MDAC etc., the usual MPack arsenal). This in turn tries to infect the visitor with a password-stealing trojan, also known as “Infostealer” (aka ‘Wsnpoem’, aka ‘ntos.exe’) and blocked by Webwasher Anti-Malware as ‘Trojan.Spy.Broker.N.102’.
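A defender-side check in the spirit of the post, as an added example (not Webwasher code): it walks an HTML document and flags any IFRAME that sits before the <html> tag, is sized to a pixel or less, is hidden via CSS, or points to a host other than the page’s own. The sample page and all host names in it are constructed.

```python
"""Flag hidden or out-of-place IFRAMEs in an HTML document (added example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# CSS that makes an element invisible while its content still loads.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeAuditor(HTMLParser):
    """Collects every <iframe> together with the evidence that makes it suspicious."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.seen_html_tag = False   # content before <html> is a classic injection spot
        self.findings = []           # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.seen_html_tag = True
            return
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}   # valueless attributes become ""
        reasons = []
        if not self.seen_html_tag:
            reasons.append("placed before the <html> tag")
        src = a.get("src", "")
        host = urlparse(src).hostname
        if host and host.lower() != self.page_host:
            reasons.append("external src host %s" % host)
        for dim in ("width", "height"):          # 0x0 / 1x1 frames are not meant to be seen
            value = a.get(dim, "").strip().lower().rstrip("px")
            if value in ("0", "1"):
                reasons.append("%s=%s" % (dim, a[dim]))
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden via CSS")
        if reasons:
            self.findings.append((src, reasons))


def audit_iframes(html, page_host):
    """Return [(src, reasons)] for every suspicious iframe in `html`, in document order."""
    parser = IframeAuditor(page_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: an injected 1x1 frame before <html>, a legitimate same-host
# frame, and a CSS-hidden off-site frame.
SAMPLE_PAGE = (
    '<iframe src="http://malicious.example/in.php" width="1" height="1"></iframe>\n'
    '<html><head><title>Restaurant</title></head><body>\n'
    '<iframe src="http://restaurant.example/menu.html" width="600" height="400"></iframe>\n'
    '<iframe src="http://ads.example/b.html" style="display:none"></iframe>\n'
    '</body></html>'
)

if __name__ == "__main__":
    for src, reasons in audit_iframes(SAMPLE_PAGE, "restaurant.example"):
        print(src, "->", "; ".join(reasons))
```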


Author: Anti-Malware Team
