Another day, another batch of compromised web sites. One of the attacks over the weekend with a touch of irony. The web site of a firm selling various 'Classy Themes' for both personal and company websites seem to have had their own site compromised. Hackers have managed to inject a malicious iframe into an ASP script that is used to load the previews of the templates they have for sale. A view of the attack is shown in the image below (click to enlarge, and ensure you click again to maximize the image in your browser window).
Each node in the picture represents a web page (the domain names of the sites have all been obfuscated). Arrows between the nodes indicate some relationship:
- green arrow: iframe
- red arrow: exploit
- solid line: between different domains
- dotted line: between files on the same domain
The picture is typical for what we see in many of todays web attacks, lots of compromised pages linking to some 'central' attack site, which exploits browser vulnerabilities to infect the victim.
- Various pages of the compromised site (hosted in the US) contain a malicious iframe (detected as Mal/Iframe-F)
- The iframe loads content from an attack site (highlighted in yellow) in China. The malicious script on this attack site is detected as Mal/Psyme-A
- The Mal/Psyme-A script attempts to exploit a browser vulnerability to install a Trojan (added as Troj/Agent-GDM).
Interestingly, at this point, we have not seen any other sites compromised in the same way, but I doubt the attack was targeted. More likely, we just have not happened across similarly compromised sites.
As described before (1,2), the injection of malicious iframes (either directly, or via an injected script that writes it to the document) is the most common way of compromising sites nowadays in order to infect unsuspecting victims. The system we have developed to automatically analyze web attacks enables us to identify compromised and attack sites quickly, and ensure we detect all the relevant parts of the threat. Importantly, it also enables us to block access to malicious URLs for customers using the web appliance.