Searching serves malware: Mal/Iframe-Gen on an insurance site

At the beginning of the month I spotted a specialist US insurer’s website infected with Mal/Iframe-Gen.

The detection name alerted me to the fact that the page should contain obfuscated JavaScript, because this identification relies upon the JavaScript emulation within Sophos’s detection engine (see “Malware with your mocha?”).

When I initially downloaded the reportedly infected webpage I saw no obfuscated JavaScript.


However, when I investigated more deeply I did see the malicious code. The difference between the two scans was that my second scan had a Referer header set (see section 14.36, Referer).

When I downloaded the site again with:

wget --referer="search engine"

I would see at the top of the HTML page some obfuscated JavaScript:

[Image: obfuscated JavaScript]

The eagle-eyed amongst you will recognise that the script is obfuscated with the (in)famous Dean Edwards’s packer. When this script is de-obfuscated you are presented with an iFrame, with small attributes, pointing to a domain with the TLD “.cc”.

The TLD .cc represents the Cocos (Keeling) Islands, an obscure island grouping in the Indian Ocean.

Ever since the “.cc” domains have been available for registration, the researchers at SophosLabs have seen them being abused heavily by malware and used in spam campaigns.

So why is this site serving malware when you get to it via a search site?

Well, the most likely culprit is a compromised .htaccess file. We have seen modified .htaccess files before (see “dot ht what? More Fake Alert trickery” and “Troj/PHPMod-A Troj/JSRedir-R attacks”).

To modify the .htaccess file the attacker is likely to have had more access than a simple SQL injection – previous cases we have investigated have been tracked down to compromised FTP passwords.

The malicious attacker uses this technique because it makes finding the offending code more difficult for the website’s administrators and security professionals.

After all, they know the website URL and don’t need to search for it.
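A site administrator can repeat the comparison described above, fetching the page with and without a search-engine Referer and listing inline scripts that appear only in the referred copy. This is an added example, not code from the original post or from Sophos; the Referer value, the function names and the sample pages are assumptions constructed for illustration.

```python
import re
import sys
import urllib.request

# Dean Edwards's packer emits eval(function(p,a,c,k,e,r){...}) ("d" in some versions).
PACKER_RE = re.compile(r"eval\(function\(p,a,c,k,e,[dr]\)")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
# Assumed Referer value; any search-engine results URL serves the same purpose.
SEARCH_REFERER = "https://www.google.com/search?q=example"


def fetch(url, referer=None, timeout=15):
    """Download a page, optionally sending a Referer header."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def referer_only_scripts(plain_html, referred_html):
    """Return inline scripts that appear only in the copy fetched with a Referer."""
    seen = {body.strip() for body in SCRIPT_RE.findall(plain_html)}
    findings = []
    for body in SCRIPT_RE.findall(referred_html):
        body = body.strip()
        if body and body not in seen:
            findings.append({"packed": bool(PACKER_RE.search(body)),
                             "snippet": body[:60]})
    return findings


def check_site(url, referer=SEARCH_REFERER):
    """Fetch the URL twice (without and with a Referer) and compare the scripts."""
    return referer_only_scripts(fetch(url), fetch(url, referer))


# Constructed sample pages (not taken from the infected site); the packed
# script is an inert placeholder that carries only the packer's wrapper.
SAMPLE_PLAIN = "<html><head><script>var menu = 1;</script></head><body>Quotes</body></html>"
SAMPLE_REFERRED = ('<script>eval(function(p,a,c,k,e,r){return p}'
                   '("placeholder",0,0,[]))</script>' + SAMPLE_PLAIN)

if __name__ == "__main__":
    # With a URL argument the live site is checked; otherwise the samples are used.
    results = (check_site(sys.argv[1]) if len(sys.argv) > 1
               else referer_only_scripts(SAMPLE_PLAIN, SAMPLE_REFERRED))
    for item in results:
        print("packed" if item["packed"] else "unpacked", "script only with Referer:", item["snippet"])
```

Pages that generate per-request inline scripts (timestamps, nonces) will show up as unpacked findings, so the packed flag is the stronger signal.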