Monday, March 17, 2008

IFRAME Attacks - Actions to be taken




The massive campaign against Internet websites is getting harder to be contained because the huge number of vulnerable websites which are not secured enough to face such kind of attacks. Mass IFRAME attacks against highly ranked sites made it a successful one. So as a system admin you have to raise the security bar in your network to prevent your clients from getting exploited and redirected to the malicious pages on those websites.

I've compiled a first-aid list to help you in this situation:

- Monitor outgoing DNS requests to the Internet, which bypass your local legitimate DNS server.

- Disable ActiveX

- Upgrade Internet browsers to latest the versions, IE 8 beta 1 or Firefox 3.

- Update the current Anti Virus (also check your Anti Virus server report and track not updating clients and fix their problems) and make sure it can detect Zlob variants.

- block clients from reaching the infected domains by using the following techniques:


  • URL filtering software (ex. Websense): block *all* of your clients from reaching malicious and porno sites. Add the new infected by the IFRAME attack to a custom group till they got fixed. Also filter any downloaded executable that contains the keyword “codec” for example, *codec*.exe

  • In this case block (porn-popular.com) and all request attempts to download (democodec1292.exe)

  • Firewall Rule: block all http/https request to the infected domains.

  • DNS redirection: create a DNS zone (call evil-websites) and add the domain records with bogus IP’s, such as 127.0.0.1

  • If you already running Snort, use this signature to detect the download of the fake codec executable:

    alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Likely Zlob variant Binary Requested (democodec1292.exe)"; flow:established,to_server; uricontent:"/democodec1292.exe"; nocase; classtype:trojan-activity; reference:url,http://ddanchev.blogspot.com/2008/03/more-high-profile-sites-iframe-injected.html; rev:1;)


  • patch your windows machines, and track this using WSUS (free) from Microsoft. Don't ever leave any system without the latest updates.

  • upgrade the installed softwares to the latest versions; treat them as the operating system patch process. RealPlayer and “Apple QuickTime Real-Time Streaming Protocol vulnerability” recently caused a lot of browser exploitation and got the client redirected to malicious sites.

  • keep your eyes on http://www.malwaredomains.com/ and add those domains in the FW blacklist or the URL filtering software and be proactive. This will close the door against any infection.

  • educate your users, by creating awareness sessions to show them how to evade such social-engineering based attacks. The weak link is the end user; train them to inform IT guys on anything strange while they are browsing, such as asking them to install this xyz antivirus to protect their machines, or that xyz video codec to watch the online video of Paris Hilton!