SophosLabs has been tracking an infection of Mal/Iframe-AL on Seagate’s blog since late February.
SophosLabs informed Seagate of the issue back in February, but at the time of writing the site remains infected.
Two weeks ago, Fraser Howard reported how rogue Apache modules were pushing iFrame injections with the intention of driving traffic to the notorious Blackhole exploit kit.
SophosLabs has seen countless victims of this attack, with Mal/Iframe-AL remaining the most prevalent of the web threats encountered.
Seagate is just one of the high profile examples of a site that has been hit.
It would be fair to say that many companies are struggling to clean up from these attacks.
I suspect that many webmasters fail to see the problem themselves and dismiss abuse reports as a result. Which is understandable, as reproducing the problem can certainly be tricky.
It would seem that certain checks are done by the malicious Apache module, meaning that the malicious iFrame is only injected into outbound HTML/JS content when certain conditions are met.
As you can see, this copy of the legitimate
jquery.js library has been modified to include the malicious iFrame (which has been prepended to the clean code in a similar fashion to what we described in a previous article).
Looking for assistance in cleaning up an affected server?
A recent blog by Google’s security team offers some educational tools for webmasters who want to learn more about how to protect and clean-up their servers.
Here’s a video that Google produced offering advice for compromised websites.
In addition, IT system administrators may want to check out our free technical paper about “Securing websites”, which discusses common ways web servers are attacked and the various ways that they can be protected.
If Seagate would like a packet capture (PCAP) showing the infection, we will happily provide one.Follow @SophosLabs