Yet more mass injections


With the whole Gumblar incident still ringing in our ears [2], we have been monitoring a series of other mass injection attacks over recent weeks.

One such attack, dubbed ‘Nine-Ball’ [3], has gained some press this week. We have also been seeing malicious scripts we detect as Troj/Iframe-CB injected into large volumes of legitimate sites.

As the detection name suggests, the script serves the purpose of writing an iframe to the page to redirect the visitor to a remote site. Taking a look at the iframe the script adds, the authors make some interesting use of CSS to hide it. Rather than the usual tiny width/height and a display:none style, they now set the frame's opacity to 0, so it occupies space on the page but is completely transparent. Presumably this is an effort to evade detections that key on the traditional hiding mechanisms, so any check for hidden iframes should treat opacity:0 as just as suspicious as display:none or a 1x1 frame.
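To make the point concrete, here is a small added example (not code from the original post or from SophosLabs) that scans page HTML for iframes hidden by any of the tricks discussed above: display:none, visibility:hidden, a tiny width/height, off-screen positioning, and the opacity:0 variant. The sample page and the attacker hostnames in it are constructed for illustration only.

```javascript
// Added example: flag iframes hidden by CSS/attribute tricks, including
// the opacity:0 variant. The sample HTML and hostnames are constructed.

const IFRAME_RE = /<iframe\b([^>]*)>/gi;
const ATTR_RE = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
const TINY_PX = 2; // 0x0, 1x1 and 2x2 are the traditional "invisible" sizes

// Parse the attribute text of one tag into a lowercase-keyed object.
function parseAttrs(attrText) {
  const attrs = {};
  let m;
  ATTR_RE.lastIndex = 0;
  while ((m = ATTR_RE.exec(attrText)) !== null) {
    attrs[m[1].toLowerCase()] = (m[2] || m[3] || m[4] || '').trim();
  }
  return attrs;
}

// Parse an inline style string ("a: b; c: d") into an object.
function parseStyle(styleText) {
  const style = {};
  for (const decl of styleText.split(';')) {
    const idx = decl.indexOf(':');
    if (idx < 0) continue;
    const prop = decl.slice(0, idx).trim().toLowerCase();
    const val = decl.slice(idx + 1).trim().toLowerCase();
    if (prop) style[prop] = val;
  }
  return style;
}

// Numeric part of a size such as "1", "1px" or "0.5px"; NaN for "auto" etc.
function sizeValue(v) {
  return v === undefined ? NaN : parseFloat(v);
}

// Return the reasons an iframe looks hidden, or [] if it looks like a normal embed.
function hiddenReasons(attrs) {
  const style = parseStyle(attrs.style || '');
  const reasons = [];
  if (style.display === 'none') reasons.push('display:none');
  if (style.visibility === 'hidden') reasons.push('visibility:hidden');
  // The variant from the post: fully transparent but still laid out.
  if (parseFloat(style.opacity) === 0) reasons.push('opacity:0');
  // Inline style wins over the width/height attributes, as in the browser.
  const w = sizeValue(style.width || attrs.width);
  const h = sizeValue(style.height || attrs.height);
  if (w <= TINY_PX && h <= TINY_PX) reasons.push(`tiny size ${w}x${h}`);
  // Shoved far off the visible canvas.
  if (style.position === 'absolute' &&
      (parseFloat(style.left) < -1000 || parseFloat(style.top) < -1000)) {
    reasons.push('positioned off-screen');
  }
  return reasons;
}

// Scan a page and report every iframe that matches at least one hiding trick.
function findHiddenIframes(html) {
  const hits = [];
  let m;
  IFRAME_RE.lastIndex = 0;
  while ((m = IFRAME_RE.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const reasons = hiddenReasons(attrs);
    if (reasons.length) hits.push({ src: attrs.src || '', reasons });
  }
  return hits;
}

// Constructed sample: one legitimate embed plus two injected frames, one
// hidden the traditional way and one using opacity:0 (hostnames are placeholders).
const SAMPLE_HTML = `
<html><body>
<iframe src="https://video.example/embed/123" width="640" height="360"></iframe>
<iframe src="http://attacker-one.invalid/in.php" width="1" height="1" style="display:none"></iframe>
<iframe src="http://attacker-two.invalid/x.php" style="opacity:0;width:10px;height:10px"></iframe>
</body></html>`;

const SAMPLE_HITS = findHiddenIframes(SAMPLE_HTML);
for (const hit of SAMPLE_HITS) console.log(hit.src, '->', hit.reasons.join(', '));
```

One caveat worth stating: the injected script usually writes the iframe into the page at run time, so a static scan of the raw HTML sees only the script, not the frame. Run a check like this over the rendered DOM (for example the serialised outerHTML after scripts have executed) rather than over the bytes on disk.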

Victims browsing affected pages are redirected through a series of remote sites before being infected with a data-stealing Trojan (detected as Troj/Mespam-B). The malicious PDF files used to exploit client-side vulnerabilities and deliver the Trojan are detected as Troj/PDFJs-BG. Aside from ensuring you have effective protection technologies in place, you may also wish to review application settings across your network [4].

Attempting to access one of the remote sites multiple times results in being redirected to the search engine instead, presumably to hinder repeat analysis (makes a change from Google, I guess).

This attack is just one of the mass injection attacks we have been seeing in recent weeks. Malware authors are clearly enjoying some success in hitting victims in this manner, so expect more of the same.