More on hidden malicious iframe injections

Injected malicious iframes usually have the basic form shown below:

<iframe src='http://url/' width='1' height='1' style='visibility:hidden;'></iframe>

Hackers configure the iframe this way so that it stays invisible. With a width and height of 1 pixel it is a single dot on the page, and the style visibility:hidden; makes even that dot invisible.

Visitors never see these iframes, but they can still be found by reading the HTML source of your web page.

To hide the iframe inside the HTML as well, hackers use obfuscated scripts, and increasingly what is called packed JavaScript. Packing JavaScript is legitimate in itself: it shrinks scripts and speeds up delivery. But, as always, a legitimate technique can be abused, here to embed a malicious iframe in an unreadable form. When you check the HTML of such a page you see no iframe at all, just a script of unclear purpose with no URLs and at most a few suspicious-looking words in it. And since a modern web page routinely contains dozens of third-party scripts (ads, statistics, widgets and so on), one more such script is easily overlooked by webmasters.

Let's take the malicious iframe example above and pack it with the widely used packer by Dean Edwards (recognisable by its eval(function(p,a,c,k,e,r) signature). The result looks like this:

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2=\'3://4/\' 5=\'1\' 6=\'1\' 7=\'8:9;\'></0>',10,10,'iframe||src|http|url|width|height|style|visibility|hidden'.split('|'),0,{}))

Looking at the code above, it is hard to tell whether it is malicious or not. Some words may look suspicious but turn out to be harmless, and sometimes there is no suspicious text at all.

When you are not sure whether a loaded script is malicious, unpack it. One site that unpacks this kind of code is: http://www.strictly-software.com/unpack-javascript.aspx

Copy the entire code, starting at eval(function, paste it into the top box and click the "Unpack" button. The result appears in the second box and should be the original, fully readable code. Once the code is readable, determine whether it is actually malicious before removing it.

To hide malicious code even better, hackers sometimes encode their scripts several times over, so that unpacking one layer yields only another obfuscated or packed script. Each layer decodes itself into the next, until the last one finally writes the hidden malicious iframe into the page.
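As an added example (not code from the article or from the unpacking site it links to), the following JavaScript does the same job as the online unpacker, offline: it parses the eval(function(p,a,c,k,e,r) wrapper, re-implements the packer's decoding loop instead of calling eval, and keeps peeling while the output is itself packed, which is the multi-layer case just described. PACKED_SAMPLE is the article's own packed iframe; the pack() helper is a simplified base-10 packer written only to generate nested test input and is not the original tool.

```javascript
// Added example (not from the article): a static unpacker for the
// eval(function(p,a,c,k,e,r){...}(...)) wrapper produced by Dean Edwards' /packer/.
// It extracts the packer's arguments and re-implements the decoding loop,
// so the payload is decoded without ever being executed.
// pack() is a simplified base-10 packer, included only to build nested test input.

// Tail of the wrapper: '<payload>',<radix>,<count>,'<words>'.split('|'),0,{}))
const PACKER_ARGS =
  /\}\s*\(\s*'((?:\\.|[^'\\])*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,\s*'((?:\\.|[^'\\])*)'\s*\.split\('\|'\)\s*,\s*\d+\s*,\s*\{\}\s*\)\s*\)/;

// Undo the escaping the packer applies when it embeds the source as a string literal.
function unescapeLiteral(s) {
  return s.replace(/\\(.)/g, (_, ch) => ({ n: '\n', r: '\r', t: '\t' })[ch] ?? ch);
}

function escapeLiteral(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/\n/g, '\\n').replace(/\r/g, '\\r');
}

// The packer's token encoding for the radix it was run with (10, 36 or 62).
function encoder(radix) {
  if (radix === 10) return (c) => String(c);
  if (radix <= 36) return (c) => c.toString(radix);
  const enc62 = (c) =>
    (c < radix ? '' : enc62(Math.floor(c / radix))) +
    ((c %= radix) > 35 ? String.fromCharCode(c + 29) : c.toString(36));
  return enc62;
}

// Decode one layer; returns null when src is not packer output.
function unpackOnce(src) {
  const m = PACKER_ARGS.exec(src);
  if (!m) return null;
  const payload = unescapeLiteral(m[1]);
  const radix = Number(m[2]);
  const count = Number(m[3]);
  const words = unescapeLiteral(m[4]).split('|');
  const enc = encoder(radix);
  const dict = new Map();
  for (let c = 0; c < count; c++) {
    const key = enc(c);
    dict.set(key, words[c] || key); // empty slot: the token stands for itself
  }
  return payload.replace(/\b\w+\b/g, (w) => (dict.has(w) ? dict.get(w) : w));
}

// Peel nested layers (packed output packed again) until the source is plain.
function unpack(src, maxLayers = 10) {
  let out = src;
  let layers = 0;
  while (layers < maxLayers) {
    const next = unpackOnce(out);
    if (next === null) break;
    out = next;
    layers += 1;
  }
  return { source: out, layers };
}

// Base-10 wrapper exactly as the real packer emits it.
const PACKER_HEAD = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}(`;

// Simplified base-10 packer: every word becomes its index in a word list.
function pack(src) {
  const words = [];
  const index = new Map();
  const payload = src.replace(/\b\w+\b/g, (w) => {
    if (!index.has(w)) {
      index.set(w, words.length);
      words.push(w);
    }
    return String(index.get(w));
  });
  return `${PACKER_HEAD}'${escapeLiteral(payload)}',10,${words.length},'${words.join('|')}'.split('|'),0,{}))`;
}

// The article's packed iframe (http://url/ is the article's placeholder) and what it decodes to.
const PACKED_SAMPLE = PACKER_HEAD +
  String.raw`'<0 2=\'3://4/\' 5=\'1\' 6=\'1\' 7=\'8:9;\'></0>',10,10,'iframe||src|http|url|width|height|style|visibility|hidden'.split('|'),0,{}))`;
const HIDDEN_IFRAME = "<iframe src='http://url/' width='1' height='1' style='visibility:hidden;'></iframe>";

const once = unpack(PACKED_SAMPLE);
const twice = unpack(pack(PACKED_SAMPLE)); // the blob packed a second time
console.log(`${once.layers} layer(s): ${once.source}`);
console.log(`${twice.layers} layer(s): ${twice.source}`);
```

The decoder deliberately never evaluates the payload: it only rebuilds the word table the packer shipped and substitutes tokens back, so it is safe to run on code you already suspect. Radix 95 output (the packer's "high ASCII" option) is not handled and will simply come back unchanged with layers equal to 0.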

Further investigation into malicious iframes shows that antivirus vendor Sophos has warned of an injection attack that infected thousands of websites with malicious iframes. To avoid detection, the injected iframes do not carry their src attribute (their URL) directly in the tag: decoding the obfuscated string yields an iframe without a src value, and a JavaScript onload handler assigns the URL at runtime. Besides the heavy obfuscation, this is a specific trick aimed at web scanners that look for an iframe with a suspicious src. The src usually points to a third-party server that tries to infect visitors with malware, generally by exploiting vulnerabilities in client software, so make sure critical patches are installed for popular software such as Adobe Reader, Flash Player, Java Runtime Environment, Microsoft Office and Windows itself. When you unpack suspicious code, look for this pattern: an iframe with no src attribute whose URL is set in an onload handler.
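An added example of what to look for once the code is readable (not code from the article or from Sophos): a scanner over decoded page source that flags the indicators discussed above, namely a 1x1 size, visibility:hidden (and its common sibling display:none, a generalisation of the article's example), and an iframe with no src whose URL is assigned in an onload handler. The sample tags are constructed for the example; http://url/ is the article's placeholder.

```javascript
// Added example (not from the article): flag hidden-iframe indicators in decoded
// page source. Run it on unpacked output, not on the packed blob: the indicators
// only become visible once the source is readable.

const IFRAME_TAG = /<iframe\b([^>]*)>/gi; // simplification: no '>' inside attribute values
const ATTR = /([\w:-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;

// Attribute name -> value for the inside of one <iframe ...> tag.
function parseAttrs(raw) {
  const attrs = {};
  for (const m of raw.matchAll(ATTR)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// A width/height of 1 or less, whether from an attribute ("1") or a style ("1px").
function isTiny(value) {
  if (value === undefined) return false;
  const n = parseFloat(value);
  return !Number.isNaN(n) && n <= 1;
}

// Value of one property inside an inline style string, or undefined.
function styleProp(style, name) {
  const m = new RegExp(`(?:^|;)\\s*${name}\\s*:\\s*([^;]+)`, 'i').exec(style);
  return m ? m[1].trim() : undefined;
}

// Indicators for a single iframe, in a fixed order so results are comparable.
function iframeIndicators(attrs) {
  const hits = [];
  const style = attrs.style ?? '';
  const width = attrs.width ?? styleProp(style, 'width');
  const height = attrs.height ?? styleProp(style, 'height');
  if (isTiny(width) && isTiny(height)) hits.push('tiny-size');
  if (/visibility\s*:\s*hidden/i.test(style)) hits.push('visibility-hidden');
  if (/display\s*:\s*none/i.test(style)) hits.push('display-none');
  // The trick described above: no src attribute, the URL is assigned by onload.
  if (!attrs.src && attrs.onload && /\bsrc\b/i.test(attrs.onload)) hits.push('src-set-by-onload');
  return hits;
}

// Every iframe in the source that shows at least one indicator, plus a note
// when the script builds iframes itself instead of writing them as markup.
function scanForHiddenIframes(source) {
  const findings = [];
  for (const m of source.matchAll(IFRAME_TAG)) {
    const indicators = iframeIndicators(parseAttrs(m[1]));
    if (indicators.length > 0) findings.push({ tag: m[0], indicators });
  }
  if (/createElement\s*\(\s*['"]iframe['"]\s*\)/i.test(source)) {
    findings.push({ tag: 'document.createElement("iframe")', indicators: ['script-created-iframe'] });
  }
  return findings;
}

// Constructed samples (not from the article): a benign embed, the article's 1x1
// hidden iframe, a styled variant, and the src-by-onload variant.
const SAMPLES = {
  benign: '<iframe src="https://example.com/embed" width="560" height="315"></iframe>',
  pixel: "<iframe src='http://url/' width='1' height='1' style='visibility:hidden;'></iframe>",
  styled: '<iframe src="http://url/" style="width:1px;height:1px;display:none"></iframe>',
  onload: '<iframe width="2" height="2" onload="this.src=\'http://url/\'"></iframe>',
  scripted: 'var f=document.createElement("iframe");f.src="http://url/";document.body.appendChild(f);',
};

for (const [name, source] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(scanForHiddenIframes(source)));
}
```

A hit is a reason to read the surrounding code, not proof of compromise on its own: legitimate tracking pixels are also 1x1, so the decisive question is still where the src points and who put the tag there.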
