The other script was very simple, but a little more interesting – the code (prettified) is shown below:
The code essentially enumerates all iframes within the page and attempts to remove any deemed suspicious (set to be invisible, or with a small width/height) whose name attribute differs from the one above. Hence the title of this blog entry – “Defensive Iframing”.
To illustrate the script in action, consider a page containing content loaded from 4 iframes (green, blue, orange and black). The page is then compromised with a malicious iframe added (“red cross”), together with a script that sequentially removes all other iframes.
You get the idea.
Exactly how successful the technique is at preventing other malicious iframes from delivering their payload before they are removed depends on a number of factors, not least exactly when the check_content() function is called and the position of the various elements within the page. Brief testing suggests there are browser dependencies that affect the timing of events as well.
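The same invisible/tiny-iframe heuristics the script applies can be run from the defender's side as an audit that flags injected frames instead of deleting them. The example below is added here and is not the blog's script; iframes are modelled as plain objects (a constructed sample page, not a real DOM) so it runs under Node, and the size threshold and attribute names are assumptions.

```javascript
// Added example, not the script from the blog post. Iframes are modelled as
// plain objects {src, width, height, style} so the heuristic runs without a DOM.
const MIN_VISIBLE_PX = 10; // constructed threshold: anything narrower/shorter is "tiny"

function parseStyle(style) {
  // "display:none; visibility:hidden" -> { display: "none", visibility: "hidden" }
  const out = {};
  for (const decl of (style || '').split(';')) {
    const [k, v] = decl.split(':').map((s) => s && s.trim().toLowerCase());
    if (k) out[k] = v;
  }
  return out;
}

function isSuspiciousIframe(frame) {
  // Mirrors the checks described in the post: hidden, or very small width/height.
  // Returns a reason string, or null when the frame looks like ordinary content.
  const style = parseStyle(frame.style);
  if (style.display === 'none' || style.visibility === 'hidden') return 'invisible';
  const w = parseInt(frame.width, 10);
  const h = parseInt(frame.height, 10);
  if (!Number.isNaN(w) && w < MIN_VISIBLE_PX) return 'tiny-width';
  if (!Number.isNaN(h) && h < MIN_VISIBLE_PX) return 'tiny-height';
  return null;
}

function auditIframes(frames) {
  // A defender logs the hit (index, src, reason) rather than removing the node,
  // so the evidence survives for incident response.
  return frames
    .map((f, index) => ({ index, src: f.src, reason: isSuspiciousIframe(f) }))
    .filter((r) => r.reason !== null);
}

// Constructed sample page: the four visible content frames from the post's
// illustration plus one injected 1x1 hidden frame (hostnames are placeholders).
const SAMPLE_FRAMES = [
  { src: 'https://example.com/green', width: '300', height: '200', style: '' },
  { src: 'https://example.com/blue', width: '300', height: '200', style: '' },
  { src: 'https://example.com/orange', width: '300', height: '200', style: 'border:0' },
  { src: 'https://example.com/black', width: '300', height: '200', style: '' },
  { src: 'https://attacker.invalid/x', width: '1', height: '1', style: 'visibility:hidden' },
];

console.log(auditIframes(SAMPLE_FRAMES)); // one hit: index 4, reason "invisible"
```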
Of course, the battle between groups of attackers is nothing new. Historically we have had the Bagle vs Netsky wars and W32/Nachi removing W32/Blaster, to name but two.