
Random Iframe injection attack, redirects to malicious sites

Random iframe injection

A number of websites are infected and contain an iFrame pointing to random domains. The iFrame redirects users to malicious websites, security researcher Daniel Cid warned.

Cyber criminals inject PHP code into vulnerable websites instead of injecting the iFrame directly into the pages. The PHP code then generates an iFrame pointing to random domains.

According to the Sucuri blog post, the domains change every few hours. The domain appears to be generated by changing a number in the domain name ('directsX.ru'), where 'X' is a three-digit number starting from 000.

Once this iFrame is generated, it redirects users to another random domain. That domain contains more iFrames pointing to a few other domains.

Once the secondary domains are loaded, they redirect the browser back to the directsX.ru domain to distribute the traffic (SutraTDS / Traffic Distribution System).

This Traffic Distribution System (TDS) redirects the user randomly to malicious sites, including malware and pornography sites. When I analyzed one of the sites, it redirected me to a RedKit exploit kit page.

Mass Iframe injections used to drive traffic | Traffic Direction System[TDS]


Security researchers at Sophos noticed a rise in the volume of Mal/Iframe-Gen detections. A number of sites were infected using the iframe injection technique. These infected sites are used to drive traffic to other websites (mostly malware sites).


Despite the obfuscation, Sophos products proactively block these malicious scripts as Mal/Iframe-Gen. As the threat name suggests, the payload of the injected script writes an iframe to the page:

The iframe points to what appears to be a 'middleman' server, used to bounce the traffic elsewhere. This is commonly known as a Traffic Direction System (TDS). The TDS server is under the control of the attackers, enabling them to configure it to redirect user traffic to wherever required.

At first the injected iframe redirected to a freshly registered domain (hosted in Germany). However, the page was unavailable, with all requests getting a 404 error. This was a little surprising given that the attack was new (you expect 404s for old, stale attacks, where the compromised sites persist long after the target payload servers have been shut down).

Later the TDS server was updated to redirect the traffic to a new destination. At the time of writing it redirects traffic to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.

The illustration below gives an overview of this attack, and the role that the TDS server plays in it.

This attack is a perfect illustration of how user traffic is a commodity. Once they have injected numerous sites to redirect to their TDS, the attackers can sell that user traffic to interested parties willing to pay for victims to hit their exploit sites.

As ever, protection from this form of attack consists of several components:
  • detection of the malicious redirects injected into the legitimate sites (in this case, proactive detection as Mal/Iframe-Gen).
  • URL filtering to block requests to the TDS. Thus far, a few different servers are being used in these attacks.
  • URL filtering to block requests to the final destination servers.
  • detection of the exploit site itself (Mal/ExpJS-N) and the various malicious files it uses.
  • detection of the final payload (which will vary as the final destination server changes).
  • if all else has failed, runtime protection (HIPS) to catch the malicious payload running on the victim's machine.

Another Mass IFrame Injection Attack |350,000 ASP sites infected

Another mass iframe injection attack has been detected by armorize.com researchers. In July, they detected a mass iframe injection that infected 90,000 websites. This time the number of sites has increased: 350,000 websites are infected by malware. They also targeted websites developed using ASP.NET.


As per the Google results, there are 180,000 websites infected by this iframe injection attack. They targeted victims who use six particular languages on their websites: English, German, French, Italian, Polish, and Breton.
If you want to check the list of infected sites, search Google for "http://jjghui.com/urchin.js". Never click a website that Google returns for this search; it will launch the malware attack.

Malware Infection:
The malicious scripts inserted into the victims' websites cause the visiting browser to load an iframe first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu.
Multiple browser-based drive-by download exploits are served depending on the visiting browser.

When the user is redirected to the malware server, it serves malware to the visitor, which is installed automatically without their knowledge if they have an outdated browsing platform (browser, Adobe PDF, Adobe Flash, Java, etc.).

Currently, only 6 out of 43 antivirus vendors on VirusTotal detect the dropped malware.

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.


IFrame Injection:
They inserted the iframe into the webpage using a web application vulnerability, like this:
<script src="Link_to_malicious_script"></script>

This inserts the malicious JavaScript into the website. The malicious script generates an iframe to www3.strongdefenseiz.in, which returns an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.
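As an added example that is not code from Sucuri, Sophos, Armorize or this blog, a small dependency-free Node.js scan for the kind of injected reference the posts above describe: off-site `<script src>` and hidden `<iframe>` tags, with the rotating directsNNN.ru pattern and the hostnames named in this post used as known-bad markers. The sample HTML is constructed.

```javascript
// Added example, not code from any of the posts above. A dependency-free,
// regex-based scan (a real scanner would use an HTML parser) that lists every
// <script src> / <iframe src> pointing off-site and flags the markers the posts
// describe: hidden iframes and the rotating directsNNN.ru / known loader hosts.
const TAG_RE = /<(script|iframe)\b([^>]*)>/gi;
const SRC_RE = /\bsrc\s*=\s*["']?([^"'\s>]+)/i;
const HIDDEN_RE = /\b(width|height)\s*=\s*["']?0\b|display\s*:\s*none|visibility\s*:\s*hidden/i;

// Hostnames and the directsX.ru pattern exactly as named in the posts on this page.
const KNOWN_BAD = [
  /^directs\d{3}\.ru$/i,
  /^jjghui\.com$/i,
  /^www3\.strongdefenseiz\.in$/i,
  /^www2\.safetosecurity\.rr\.nu$/i,
];

// Resolve src against the site's own origin so relative paths count as "own host".
function hostOf(src, ownHost) {
  try { return new URL(src, `https://${ownHost}/`).hostname.toLowerCase(); }
  catch { return null; }
}

// One finding per off-site script/iframe reference found in `html`.
function findInjectedReferences(html, ownHost) {
  const findings = [];
  for (const [, type, attrs] of html.matchAll(TAG_RE)) {
    const src = (attrs.match(SRC_RE) || [])[1];
    if (!src) continue;                                     // inline <script>, no src
    const host = hostOf(src, ownHost);
    if (!host || host === ownHost.toLowerCase()) continue;  // same host: not injected
    const hidden = HIDDEN_RE.test(attrs);
    const known = KNOWN_BAD.some((re) => re.test(host));
    findings.push({ type: type.toLowerCase(), host, hidden, known,
      severity: known ? 'high' : hidden ? 'medium' : 'low' });
  }
  return findings;
}

// Constructed sample page: one legitimate CDN script, two injected tags, one local iframe.
const SAMPLE_HTML = `<html><head>
<script src="https://cdn.example.com/jquery.js"></script>
<script src="http://jjghui.com/urchin.js"></script>
<script>var inlineOk = 1;</script>
</head><body>
<iframe src="http://directs017.ru/in.php" width=0 height=0 style="display:none"></iframe>
<iframe src="/local/widget.html"></iframe>
</body></html>`;

console.log(JSON.stringify(findInjectedReferences(SAMPLE_HTML, 'example.com'), null, 2));
```

Run it over the HTML your server actually returns to a browser (not the files on disk), since the PHP-generated variant described above only shows up in the rendered response.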

Security tips from BreakTheSecurity.com to webmasters:
If your site is also infected, delete all files from your server (I hope you have a backup of your website contents). Install the latest antivirus on your system. Verify your code before uploading it.

Blogger Theme website has IFrame Injection vulnerability



The Blogger Theme website has an IFrame injection vulnerability, discovered by Minhal Mehdi (an Indian hacker).

bloggertheme.net is one of the well-known Blogger template providers.

Vulnerable Link:
http://bloggertheme.net/demo/demo.html?iframe=

Demo:
http://bloggertheme.net/demo/demo.html?iframe=www.google.com

This vulnerability may result in malware attacks.

Vulnerability status: UnFixed

Iframe Vulnerability found in Google App Engine

An Indian hacker, "Ethical Mohit", has found an iframe vulnerability in the Contact Desk page of Google App Engine (Appspot).


Google App Engine lets you run your web applications on Google's infrastructure. App Engine applications are easy to build, easy to maintain, and easy to scale as your traffic and data storage needs grow. With App Engine, there are no servers to maintain: you just upload your application, and it's ready to serve your users. Google App Engine makes it easy to build an application that runs reliably, even under heavy load and with large amounts of data.


IFrame Injection Vulnerability found in FileHippo website

FileHippo, one of the top free software download providers, is vulnerable to iframe injection.

A hacker with the handle n3t phir3 identified the vulnerability and reported it to E Hacking News.

Here is the screenshot that shows the existence of the vulnerability:




PoC code for the iframe injection:
http://www.filehippo.com/search?q="><iframe src=http://www.google.com height=400 width=400>
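As an added example that is not code from bloggertheme.net or FileHippo, the two reflection patterns behind this post and the Blogger Theme post above, each beside a hardened version. Neither site's real handler is on the page, so the mechanisms (a query parameter copied into an iframe src; a search term copied into an attribute value) and the allowlist host are assumptions.

```javascript
// Added example, not code from bloggertheme.net or FileHippo. Both sites' real
// handlers are not on the page; the mechanisms below are assumed from the PoC URLs.

// (a) Blogger Theme demo: ?iframe=<value> is used directly as the <iframe src>,
//     so the page frames whatever the link says.
function unsafeIframeSrc(queryString) {
  return new URLSearchParams(queryString).get('iframe');   // no checks at all
}

// Hardened: accept only an absolute https URL whose host is on an allowlist;
// anything else yields null and the page renders no frame. The allowlist host
// is an assumption made for this example.
const ALLOWED_FRAME_HOSTS = new Set(['bloggertheme.net']);

function safeIframeSrc(queryString, allowedHosts = ALLOWED_FRAME_HOSTS) {
  const raw = new URLSearchParams(queryString).get('iframe');
  if (!raw) return null;
  let url;
  try { url = new URL(raw); } catch { return null; }      // rejects "www.google.com"
  if (url.protocol !== 'https:' || !allowedHosts.has(url.hostname)) return null;
  return url.href;
}

// (b) FileHippo search: q is reflected into an attribute value unescaped, so a
//     quote closes the value and the rest of the input becomes new markup.
function unsafeSearchBox(q) {
  return `<input type="text" name="q" value="${q}">`;
}

// Hardened: escape the five HTML-significant characters before interpolating.
function escapeAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

function safeSearchBox(q) {
  return `<input type="text" name="q" value="${escapeAttr(q)}">`;
}

// The PoC inputs from the two posts, run through both versions of each handler.
const POC_Q = '"><iframe src=http://www.google.com height=400 width=400>';
console.log(unsafeIframeSrc('?iframe=www.google.com'), safeIframeSrc('?iframe=www.google.com'));
console.log(unsafeSearchBox(POC_Q));
console.log(safeSearchBox(POC_Q));
```

The escaping in (b) is for the attribute-value context only; a value echoed into a script block or a URL needs the encoding for that context instead.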