Searching serves malware: Mal/Iframe-Gen on an insurance site

Filed Under: Malware, SophosLabs

At the beginning of the month I spotted a specialist US insurer's website infected with Mal/Iframe-Gen.

The detection name told me that the page should contain obfuscated JavaScript, because this identification relies upon the JavaScript emulation within Sophos's detection engine (see "Malware with your mocha?").

When I initially downloaded the reportedly infected webpage I saw no obfuscated JavaScript.


wget infected.site

However, when I investigated more deeply I did see the malicious code. The difference between the two scans was that my second request had a Referer header (RFC 2616, section 14.36 "Referer") set.

When I downloaded the site again with:


wget --referer="search engine" infected.site

I would see at the top of the HTML page some obfuscated JavaScript:

Obfuscated JavaScript

The eagle-eyed amongst you will recognise that the script is obfuscated with the (in)famous Dean Edwards' packer. When this script is de-obfuscated you are presented with an iframe pointing to a domain under "co.cc", with its width and height attributes set so small that the frame is effectively invisible to the visitor.

The TLD .cc represents the Cocos (Keeling) Islands, an obscure island group in the Indian Ocean; the "co.cc" names are registered as subdomains under .cc rather than being a TLD in their own right.

Ever since "co.cc" domains became available for registration, researchers at SophosLabs have seen them abused heavily by malware and in spam campaigns.

So why is this site serving malware when you get to it via a search site?

Well, the most likely culprit is a tampered .htaccess file. Apache reads .htaccess per directory, and a rewrite rule placed in it can test the incoming Referer header and route only visitors arriving from a search engine through a script that prepends the iframe, while everyone else gets the untouched page. We have seen modified .htaccess files before (see "dot ht what? More Fake Alert trickery" and "Troj/PHPMod-A Troj/JSRedir-R attacks").

To modify the .htaccess file the attacker is likely to have had more access than a simple SQL injection would give: previous cases we have investigated were tracked down to compromised FTP passwords.

The attacker uses this technique because it makes the offending code harder to find for the website's administrators and security professionals.

After all, they know the website URL and type it in directly rather than arriving from a search engine, so their requests carry no search-engine Referer and they are served the clean page every time. Anyone checking a site for this kind of infection should therefore fetch it more than once, with and without a plausible search-engine Referer, and compare the results.
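The following is an added example, not code from the original post or from SophosLabs. It stands in for both the wget-with-and-without-referer check above and the Referer-conditional .htaccess behaviour just described: a tiny local web server mimics a site whose rewrite rule (something like RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC], which is an assumed reconstruction, not the file from the infected site) prepends an invisible iframe only for search-engine visitors, and a probe fetches the same page under several Referer headers and reports which ones changed it. The hostnames, paths, the "Acme Insurance" page and the malicious.example.co.cc iframe target are all made up.

```python
"""Added example: simulate a Referer-cloaked infected page and probe it.

The server here stands in for an Apache site whose tampered .htaccess
routes search-engine visitors through a script that prepends an iframe.
The Apache rule it mimics is an assumption, roughly:
    RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\\. [NC]
    RewriteRule ^(.*)$ /inject.php?page=$1 [L]
Everything below (names, paths, iframe target) is constructed for the demo.
"""
import http.server
import re
import threading
import urllib.request
from typing import Optional

# Referer patterns the hypothetical tampered .htaccess keys on.
SEARCH_ENGINE_RE = re.compile(r"(google|bing|yahoo)\.", re.IGNORECASE)

CLEAN_PAGE = b"<html><body><h1>Acme Insurance</h1></body></html>"
# A 1x1 borderless iframe keeps the injection invisible to the visitor.
# The target host is a placeholder, not a real indicator of compromise.
INJECTED = (b'<iframe src="http://malicious.example.co.cc/in.php" '
            b'width="1" height="1" frameborder="0"></iframe>')


def render(referer: Optional[str]) -> bytes:
    """Server-side decision: prepend the iframe only for search-engine referers."""
    if referer and SEARCH_ENGINE_RE.search(referer):
        return INJECTED + CLEAN_PAGE
    return CLEAN_PAGE


class CloakingHandler(http.server.BaseHTTPRequestHandler):
    """Serves CLEAN_PAGE or the injected variant depending on the Referer header."""

    def do_GET(self):
        body = render(self.headers.get("Referer"))
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server() -> http.server.HTTPServer:
    """Bind the fake infected site to an ephemeral loopback port in a daemon thread."""
    httpd = http.server.HTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def fetch(url: str, referer: Optional[str] = None) -> bytes:
    """Equivalent of `wget --referer=... url`; returns the raw response body."""
    req = urllib.request.Request(url)
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()


# Constructed probe set: no referer, three search engines, one ordinary site.
PROBE_REFERERS = [
    None,
    "http://www.google.com/search?q=acme+insurance",
    "http://www.bing.com/search?q=acme+insurance",
    "http://search.yahoo.com/search?p=acme+insurance",
    "http://www.example.com/links.html",
]


def probe(url: str) -> dict:
    """Fetch url once per Referer and report which ones changed the page."""
    baseline = fetch(url)  # what an admin typing the URL directly would see
    report = {}
    for ref in PROBE_REFERERS:
        body = fetch(url, ref)
        report[ref] = {"differs": body != baseline,
                       "has_iframe": b"<iframe" in body}
    return report


if __name__ == "__main__":
    httpd = start_server()
    url = f"http://127.0.0.1:{httpd.server_port}/index.html"
    for ref, r in probe(url).items():
        label = "(no referer)" if ref is None else ref
        print(f"{label:50} differs={r['differs']} iframe={r['has_iframe']}")
    httpd.shutdown()
```

Run it as a script and only the three search-engine referers show differs=True and iframe=True; the direct request and the ordinary-site referer come back clean, which is exactly why an administrator typing the URL in by hand never sees the injection. Against a real site, replace the fake server with the live URL and keep the probe loop; adding the User-Agent strings of common browsers and crawlers to the probe set catches the related trick of cloaking on User-Agent instead of Referer.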



About the author

Paul O Baccas joined Sophos in 1997 after studying Engineering Science at Oxford University. Currently, he is employed as a Senior Threat Researcher, SophosLabs UK, with areas of interest including: non-PE malware, spam, data leakage, linux and Mac threats. Paul has published several papers, and was a technical editor for the "AVIEN Malware Defense Guide." He has written articles for security industry journal Virus Bulletin and is a frequent contributor to the Naked Security site.