Not such a nice hack, Nice Pack

One of the most prevalent scripts used to compromise legitimate web sites over the past few months is something Sophos’s products block as Mal/Iframe-W.

The threat name describes the payload – an iframe, injected into otherwise-innocent web pages, to load content from a remote site. In this article, I will elaborate a little more on the threat, and how it is being used to infect users.

The JavaScript that is injected into legitimate sites is heavily obfuscated. Depending upon exactly how the site has been hacked, the script may be injected anywhere within the page. In the following example, it has been injected at the end of the page.

The script obfuscation uses a variety of anti-emulation tricks, in an attempt to evade generic detection, and break automated analysis systems.

Once deobfuscated, the script payload is obvious: an iframe to load further malicious content.

Websites all over the world have been hit in these site defacements. Last week, their victims included the French site of a global car manufacturer. (Following our notification to them, the site has now been cleaned up.)

Historically, Mal/Iframe-W has been use to drive traffic to Blackhole exploit sites (similar to here), in order to infect users with a variety of payloads.

In the last couple of weeks however, I have seen Mal/Iframe-W being used to send traffic to a different exploit kit – one known as ‘Nice Pack’. The attack is being used to infect users with a threat called ZeroAccess, a nasty rootkit.

As you can see, SophosLabs protects against these attacks on multiple levels, by:

  • tracking and blocklisting all sites known to be associated with this threat,
  • blocking compromised web pages as Mal/Iframe-W,
  • blocking the TDS redirect script as Mal/Iframe-W,
  • blocking the Nice Pack exploit site as Mal/ExpJS-Y, and
  • detecting the ZeroAccess dropper as Troj/Sirefef-P, or generically as Mal/FakeAV-IS.

Of course, exploit kits are typically distinct from the payloads they are being used to infect users with. It is the familiar drive-by download model, where hackers looking to infect users with some specific malware simply:

  • purchase the kit to construct and manage the exploit site,,
  • purchase the user traffic, and
  • profit from users who get infected with their malware.

The traffic directing server (TDS) illustrated in the above flowchart emphasises how the user traffic is a commodity. This server is under the hacker’s control, and so by injecting legitimate sites such that they connect to the TDS, the hacker is able to control the final destination of that traffic. It can be sold to other hackers, who own and manage the exploit sites.