New Code Injection Assault Widely Targeting Websites

Ever since Mal/Iframe-N detected on October 21, 2009, cyber security researchers at SophosLabs have reported of observing an increasing number of infections from a freshly launched code injection attack that corrupted several websites with malevolent IFrames.

Sophos malware analysts first detected the infection on music star Van Morrison's website.

The researchers said that Morrison's website was presently harboring code. This code made efforts to introduce the Mal/iframe-F assault to web-page of the singer using some other website when Web surfers browsed the URL to download stuffs. In case users downloaded an Adobe's PDF file and an ActiveX control, which VanMorrison.com prompted them to do, it resulted in their systems getting infected, the researchers explained.

They further said that the attack was made more sophisticated by unleashing it through an obfuscated code inserted into the web-page. This web page connected to a malicious iframe but didn't support iframe's infection directly.

Mr. Baccas, Spam and Virus Researcher at SophosLabs, declared that the code had infected websites counting to several thousands of which some were extremely reputed, as reported by SoftPedia on October 26, 2009.

To bypass detection, the malicious IFrames obtain the necessary scr i.e. source attribute (which defines the document's URL for showing up within an Iframe) by loading of a JavaScript. Normally, it happens that the scr links with an exploit toolkit hosted on third party (intermediate) servers and which abuses obsolete software vulnerabilities to spread infection among visitors. Mr. Baccas notes that as per reports, whatever domains have been utilized so far are all located in Russia.

Exploiting the web has been an oft-used and successful technique for malware distribution, prompting cyber criminals to continuously invest into these assaults. Actually, the success has been attributed to users' large-scale failure in loading critical patches that fix vulnerabilities in Microsoft Office, Windows OS, Adobe Flash Player, Reader and Java Runtime Environment.

The researchers said that while the technique for injecting the code was still undetermined, one thing was evident that the hackers placed the Iframe at the page's end, next to the </html> part.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 11/6/2009