• IFRAME-based Web-Malware

    The IFRAME element, part of the HTML specification, continues to be a favorite attack vector for malicious hackers. Loading a malicious payload by means of an IFRAME is extremely easy and effective. Attackers infect and compromise websites and use them to infect other websites by loading malware from external locations, like other hacked sites. Think of it as a chain of malware propagating from one infected website to another.

    Since March 2011, one of the most popular IFRAME injection attack campaigns used the URLs we list below. We have recorded many websites infected by malware as part of this IFRAME injection attack.

    What links are injected?
    Some of the most popular pieces of malware are being injected in IFRAME elements.

    Samples are listed below:

    iframe src="hxxp://videoonlinefree.co.cc/hck"
    iframe src="hxxp://quadmatrix.co.cc/download/" <!-- can be injected within a DIV -->
    iframe src="hxxp://join4freemoney.co.cc/"
    iframe src="hxxp://hentai-3d-gifs.co.cc"
    iframe src="hxxp://Allisson-Lozz.co.cc"
    

    Recent TimThumb hacks include the following malware links:


    How do I protect my site?
    Webmasters and administrators should search for instances of each malicious link in their sites to ensure that they remove all occurrences of the injected links. More importantly, it is critical to identify the vulnerability that allowed the site compromise and ultimately the IFRAME injection.
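
    One way to run the search described above, as an added example that is not part of the original post: it parses each file, collects every IFRAME src, and matches the host (or any subdomain of it) against a list of defanged hxxp:// indicators. The function names and the .example hosts are constructed placeholders; fill the list with the links you are hunting for.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_of(url):
    """Lower-cased host of a URL; accepts defanged hxxp:// and stray curly quotes."""
    s = url.strip().strip('"\u201c\u201d')
    if s.lower().startswith("hxxp"):
        s = "http" + s[4:]
    try:
        return (urlsplit(s).hostname or "").lower()
    except ValueError:  # malformed authority, e.g. unbalanced IPv6 brackets
        return ""

class IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.frames = []  # (line number, raw src) per <iframe> start tag
    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.frames.append((self.getpos()[0], dict(attrs).get("src") or ""))

def find_injected_iframes(html, bad_urls):
    """Return iframes whose src host is a listed host or a subdomain of one."""
    bad = {host_of(u) for u in bad_urls} - {""}
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return [(line, src) for line, src in parser.frames
            if any(host_of(src) == b or host_of(src).endswith("." + b) for b in bad)]

def scan_tree(root, bad_urls, exts=(".html", ".htm", ".php")):
    """Walk a web root and report (path, line, src) for each match."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = find_injected_iframes(fh.read(), bad_urls)
                findings += [(path, line, src) for line, src in hits]
    return findings

# Constructed sample: placeholder indicators, not the hosts from the post.
SAMPLE_BAD = ["hxxp://Bad-Frames.example/hck", "hxxp://dropper.example/x.php"]
SAMPLE_PAGE = """<iframe src="/local/widget.html"></iframe>
<div><iframe src="http://cdn.bad-frames.example/hck" width="1"></iframe></div>
<iframe src=\u201chttp://DROPPER.example/x.php\u201d></iframe>
<iframe src="https://maps.example.org/embed"></iframe>"""
```

    This only sees literal iframe tags in the scanned files; frames written out by script or stored in a database need a separate check.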

    StopTheHacker.com customers are protected against these kinds of threats. If you would like more information on how to protect your website, please feel free to contact us. You can also visit our services page to protect your website right now.

    Till next time…
