Searching serves malware: Mal/Iframe-Gen on an insurance site

Filed Under: Malware, SophosLabs

At the beginning of the month I spotted a specialist US insurer's website infected with Mal/Iframe-Gen.

The detection name alerted me to the fact that the page should contain obfuscated JavaScript, because this identification relies upon the JavaScript emulation within Sophos's detection engine (see "Malware with your mocha?").

When I initially downloaded the reportedly infected webpage I saw no obfuscated JavaScript.


wget infected.site

However, when I investigated more deeply I did see the malicious code. The difference between the two downloads was that my second one sent a Referer header (RFC 2616 section 14.36).

When I downloaded the site again with:


wget --referer="search engine" infected.site

I would see at the top of the HTML page some obfuscated JavaScript:

Obfuscated JavaScript

The eagle-eyed amongst you will recognise that the script is obfuscated with the (in)famous Dean Edwards' packer. When this script is de-obfuscated you are presented with an iFrame, with tiny dimension attributes, pointing to a domain under the "co.cc" TLD.

The TLD .cc represents the Cocos (Keeling) Islands, an obscure island grouping in the Indian Ocean.

Ever since "co.cc" domains became available for registration, the researchers at SophosLabs have seen them heavily abused by malware and used in spam campaigns.

So why is this site serving malware when you get to it via a search site?

Well, the most likely culprit is a compromised .htaccess file. We have seen modified .htaccess files before (see "dot ht what? More Fake Alert trickery" and "Troj/PHPMod-A Troj/JSRedir-R attacks").

To modify the .htaccess file the attacker is likely to have had more access than a simple SQL injection - previous cases we have investigated have been tracked down to compromised FTP passwords.

The malicious attacker uses this technique because it makes finding the offending code more difficult for the website's administrators and security professionals.

After all, they know the website URL and go to it directly rather than through a search engine, so their requests carry no search-engine Referer and they never see the injected code.
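Because the injected script only appears when a search-engine Referer is sent, a defender can check a site by fetching it with and without one and diffing the responses. The following is an added example, not code from the original post or from Sophos; the referer URLs, the user-agent string and the sample pages are constructed, and the packer signature is the well-known opening of Dean Edwards' packer output.

```python
import difflib
import urllib.request

# Opening of a script obfuscated with Dean Edwards' packer.
PACKER_MARKER = "eval(function(p,a,c,k,e,"

# Constructed search-engine referers to test with (query values are illustrative).
SEARCH_REFERERS = [
    "https://www.google.com/search?q=example",
    "https://www.bing.com/search?q=example",
]

def fetch(url, referer=None, timeout=15):
    """Fetch url, optionally sending a Referer header; returns the body as text."""
    req = urllib.request.Request(url, headers={"User-Agent": "referer-cloak-check/1.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")

def added_lines(baseline, variant):
    """Lines present in the referer-bearing response but absent from the plain one."""
    diff = difflib.unified_diff(baseline.splitlines(), variant.splitlines(), lineterm="", n=0)
    return [line[1:] for line in diff if line.startswith("+") and not line.startswith("+++")]

def check_referer_cloaking(url, referers=SEARCH_REFERERS, fetch_fn=fetch):
    """Compare the page fetched with no Referer against each search-engine referer.

    Returns a list of findings: (referer, lines_added, packer_signature_seen).
    fetch_fn is injectable so the logic can be exercised offline.
    """
    baseline = fetch_fn(url, None)
    findings = []
    for ref in referers:
        extra = added_lines(baseline, fetch_fn(url, ref))
        if extra:
            findings.append((ref, extra, any(PACKER_MARKER in line for line in extra)))
    return findings

if __name__ == "__main__":
    import sys
    for ref, extra, packed in check_referer_cloaking(sys.argv[1]):
        print(f"[!] referer {ref}: {len(extra)} added line(s); packer signature: {packed}")
```

An empty result means the site served identical content regardless of referer; any finding deserves a look at the server's .htaccess and recent FTP logins.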


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.