Evolution in the way to hide malcode iFrames...

luntrus
Senior Member
Posts: 237
Joined: Sat Mar 21, 2009 6:29 pm

Post by luntrus »

Hi malware fighters,

New developments in the evolution of malcode hidden iFrame attacks...

JavaScript and iFrames are the main vectors for attackers to hide malicious software onto hacked legit websites,
but the development of malicious iFrames goes on...
First there were the hidden iFrames that silently would load exploits from the malicious link they directed to,
without the visitors of a legit website being aware of this going on. Like the JS/Wonka infections in the past,
back in the year 2005:
http://www.wilderssecurity.com/archive/ ... 02953.html

IFrames will enable content to be loaded from other sites,
without the visitors of a site having to leave the iFrame.
The main reason to use this technology is to show adverts, as for example Google AdSense does.

A tiny flicker

IFrames normally have certain dimensions,
but one can also specify a zero dimension.
At first malicious attackers used this method,
so those that wanted to secure their sites against these were on the lookout for zero iFrames.

This is the most common method to insert a malicious link and suspicious site.
Modal:

Code:

"<iframe src=http://***** width=0 height=0></iframe>"
Sample Code(JS): 
The next step in the ongoing battle was for attackers to use nearly visible iFrames,
only measuring up to a few pixels or using the “visibility: hidden” function,
that does not show the iFrame inside the browser, but does load the content.
For this type read: http://blog.unmaskparasites.com/2009/01 ... injection/

A month ago attackers started using iFrames that lacked the code to be visible altogether.
As a result these iFrames are not shown inside the browser.
"The trick to do that was placing a visible iFrame within a hidden div",
according to security researcher Denis Sinegubko.
In the meantime a newer technique is being applied,
where attackers will inject iFrames that lack both src-parameters
like dimension- and style parameters, that tell from where the page is to be loaded.

These will be added through an onload-event using JavaScript,
making some sort of "tiny flicker" visible on the screen.
"In this way attackers hide their iFrames for scanners
that look for hidden iFrames or iFrames of suspicious origin."

re: http://blog.unmaskparasites.com/2009/10 ... n-iframes/

There is still another method using a setTimeout() to delay the hide.
If after the delay the mouse is focused on the iframe, the hide function is not triggered.
This could be masqueraded further to be used maliciously...(luntrus)

Code:

<html>
<head>
<meta http-equiv="Content-Script-Type" content="text/javascript">
<script type="text/javascript">
var stat;        // handle of the pending timer
var delay=2000;  // delay in milliseconds
// toggle the iframe between hidden and shown
function show(){
  var oIfr = document.getElementById('ifr');
  oIfr.style.display=(oIfr.style.display=='block')?'none':'block';
}
// schedule the toggle after the delay
function hide(){
  stat = setTimeout(show,delay);
}
onload=function(){
  // moving the mouse over the iframe content cancels the pending toggle
  var dIfr = document.getElementById('ifr').contentWindow.document.documentElement;
  dIfr.onmouseover = function(){parent.clearTimeout(parent.stat);};
  dIfr.onmouseout = function(){parent.hide();};
};
</script>
</head>
<body>
<span onmouseover="show()" onmouseout="hide()">showhide</span>
<br>
<br>
<iframe src="iframe.html" id="ifr" style="display:none"></iframe>
</body>
</html>
Good to know that if you use NS and have iFrames disabled, all of the above will go unnoticed.
It cannot harm you.....

luntrus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a1pre) Gecko/20090929 Minefield/3.7a1pre
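
A static check for the hiding techniques listed in the post above (zero or tiny dimensions, a hiding style, a visible iFrame inside a hidden container, and an iFrame with no src plus an onload handler), added here as an example and not part of the original thread. The 2px threshold, the SAMPLE page and the placeholder.invalid URLs are constructed assumptions.

```python
import re
from html.parser import HTMLParser

VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input", "link", "meta", "wbr"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
DIM = re.compile(r"\s*(\d+)")  # leading integer of a width/height attribute
TINY = 2  # assumption: a side of 2px or less counts as hidden

# Constructed sample page: one iframe per technique, plus one ordinary ad frame.
SAMPLE = """<html><body>
<iframe src="http://placeholder.invalid/a" width=0 height=0></iframe>
<iframe src="http://placeholder.invalid/b" style="visibility: hidden"></iframe>
<div style="display:none"><iframe src="http://placeholder.invalid/c" width=300 height=200></iframe></div>
<iframe onload="this.src='http://placeholder.invalid/d'"></iframe>
<iframe src="/ads/banner.html" width=468 height=60></iframe>
</body></html>"""

class IframeAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.stack, self.findings = [], []  # open (tag, hidden?) pairs; (line, reason) hits

    def handle_starttag(self, tag, attrs):
        a = {k: v or "" for k, v in attrs}
        hidden = bool(HIDDEN_CSS.search(a.get("style", "")))
        if tag == "iframe":
            sides = [int(m.group(1)) for m in (DIM.match(a.get(k, "")) for k in ("width", "height")) if m]
            checks = {
                "zero or tiny dimensions": any(s <= TINY for s in sides),
                "hidden by own style": hidden,
                "inside hidden container": any(h for _, h in self.stack),
                "no src, onload handler present": not a.get("src") and "onload" in a,
            }
            self.findings += [(self.getpos()[0], why) for why, hit in checks.items() if hit]
        if tag not in VOID:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; stray close tags are ignored.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

def audit(html):
    parser = IframeAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

This only inspects inline markup: frames hidden through an external stylesheet, or created entirely by script, need a rendered-DOM check instead.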
therube
Ambassador
Posts: 7930
Joined: Thu Mar 19, 2009 4:17 pm
Location: Maryland USA

Re: Evolution in the way to hide malcode iFrames...

Post by therube »

and have iFrames disabled
Though do note, that that is not the default configuration.
You will have to manually make that setting.
Even so, you will still most likely be protected because the domains where the malware is hosted are likely to be different from the domain you are visiting.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.19) Gecko/20110420 SeaMonkey/2.0.14 Pinball NoScript FlashGot AdblockPlus
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.4) Gecko/20091017 SeaMonkey/2.0