Defensive Iframing

The other day I came across an interesting piece of malicious JavaScript. Whilst investigating a whole slew of web pages compromised in a fairly large attack, I noticed that two malicious scripts (both heavily obfuscated) had been added to the pages. One served to drop an iframe into the page, initiating the attack [1]. This iframe carries a specific name attribute, as shown below:


The other script was very simple but a little more interesting; the prettified code is shown below:

[Interesting JS code]

The code enumerates all iframes in the page and removes any it deems suspicious (invisible, or with a small width or height) whose name attribute differs from the one above. In other words, the attacker's own iframe is left alone while competing injected iframes are stripped out. Hence the title of this blog entry: “Defensive Iframing”.
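The original script only survives as an image above, so the following is an added reconstruction of the logic the post describes, written by the editor rather than taken from the malicious script. The name the attacker's own iframe carries (KEEP_NAME), the size threshold (MIN_SIZE) and the function names are all assumptions; the real values are not reproduced here.

```javascript
// Added example: editor's reconstruction of the "defensive iframing" check
// described in the post. KEEP_NAME and MIN_SIZE are assumed values, not the
// real ones from the malicious script.
const KEEP_NAME = "attacker-frame"; // assumed: the name attribute the attacker's own iframe carries
const MIN_SIZE = 10;                // assumed threshold in CSS pixels for "small" width/height

// Parse a width/height attribute or CSS length such as "0", "1px" or "100%".
// Percentages depend on the parent, so they are treated as "size unknown".
function parseSize(value) {
  if (value === null || value === undefined || value === "") return null;
  const s = String(value).trim();
  if (s.endsWith("%")) return null;
  const n = parseFloat(s);
  return Number.isNaN(n) ? null : n;
}

// The heuristic the post describes: an iframe is suspicious when it is hidden
// or has a tiny width/height, unless it carries the attacker's own name.
function isSuspiciousFrame(frame) {
  if (frame.getAttribute("name") === KEEP_NAME) return false;
  const style = frame.style || {};
  if (style.display === "none" || style.visibility === "hidden") return true;
  const w = parseSize(frame.getAttribute("width")) ?? parseSize(style.width);
  const h = parseSize(frame.getAttribute("height")) ?? parseSize(style.height);
  return (w !== null && w < MIN_SIZE) || (h !== null && h < MIN_SIZE);
}

// Enumerate every iframe under `root`, remove the suspicious ones and return
// the removed elements so a caller (or a test) can see what was stripped.
// Array.from() snapshots the live collection before elements are removed.
function removeSuspiciousFrames(root) {
  const frames = Array.from(root.getElementsByTagName("iframe"));
  const removed = [];
  for (const frame of frames) {
    if (isSuspiciousFrame(frame) && frame.parentNode) {
      frame.parentNode.removeChild(frame);
      removed.push(frame);
    }
  }
  return removed;
}

// In a browser, when the check runs decides what it catches: iframes inserted
// after it has run are missed, so also watch for later insertions. This
// scheduling is the editor's choice, not necessarily the original script's.
if (typeof document !== "undefined") {
  document.addEventListener("DOMContentLoaded", () => removeSuspiciousFrames(document));
  new MutationObserver(() => removeSuspiciousFrames(document))
    .observe(document.documentElement, { childList: true, subtree: true });
}
```

Run in a page, this strips hidden or 0x0 iframes that do not carry KEEP_NAME and leaves visible, normally sized ones alone; the same heuristic, applied with an empty KEEP_NAME, is also a reasonable starting point for a defender's page-integrity check, since injected drive-by iframes are almost always hidden or tiny.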

To illustrate the script in action, consider a page containing content loaded from four iframes (green, blue, orange and black). The page is then compromised with a malicious iframe (the red cross), together with a script that sequentially removes all the other iframes.

[Sequential removal of iframes]

You get the idea.

How successful the technique is at preventing other malicious iframes from delivering their payload before they are removed depends on a number of factors, not least when the check_content() function is called and where the various elements sit within the page. Brief testing suggests there are browser dependencies that affect the timing of events as well.

Of course, battles between groups of attackers are nothing new. Historically we have had the Bagle vs. Netsky wars, and W32/Nachi removing W32/Blaster, to name but two.