Prabhakar Kasi's Raptor.in

Interesting News Naturally Interests Everyone

malicious

Recently, IFrame and obfuscated JavaScript exploits have become a serious threat.

It looks like the attack usually has two stages.

1. Account password harvesting. In the first stage, the attackers collect passwords for accounts. We will call this stage “account password harvesting”. Details on how they do that are fuzzy. The truth is that on a typical Linux server it might be enough to get just one user account password to be in a reasonably good position to get root via some kind of little-known or unpatched exploit. Zones and jails are better in this respect, as they protect other users from easily compromised “suckers” who happily use passwords like 123456 or use PCs infected with spyware at home. Password complexity should be beefed up to at least 8 characters, but this does not help if the user's computer is infected with a keylogger. ISPs need to handle vastly different classes of users, and security is only as good as the weakest link.

2. Mass modification of index files. In the second stage, the pool of harvested passwords is used to modify certain files. We will call this stage “mass modification of index files”. It looks like this stage was automated and they use a special tool, called MPACK, to install malicious IFrames. Usually only the main site index documents were targeted (i.e. index.php, index.html, index.shtml, etc.). Malicious IFrames are usually installed at the beginning or at the end of the document. This attack stresses the fact that web browsers should now be run in a VM and used with a special disposable image of Windows. Please consider using Microsoft Virtual PC or VMware and opening a separate instance of the OS for browsing if you have not done so already.
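For site owners, the second stage leaves a recognizable trace. The following check is an added example, not part of the original post: it walks a web root, opens only the index files named above, and reports iframes that are invisible or that sit outside the `<html>` element. The hidden-frame heuristic and the sample documents are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

# File names the post says were targeted: index.php, index.html, index.shtml, etc.
INDEX_NAME = re.compile(r"^index\.(php|s?html?)$", re.I)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
# Heuristic (assumption): injected frames are invisible, 0 or 1 pixel in size.
HIDDEN = re.compile(
    r"(width|height)\s*[:=]\s*[\"']?[01](px)?\b|display\s*:\s*none|visibility\s*:\s*hidden",
    re.I,
)

# Constructed samples, not taken from a real incident.
SAMPLE_INFECTED = ('<html><body><h1>Welcome</h1></body></html>\n'
                   '<iframe src="http://malicious.example/x" width=0 height=0></iframe>')
SAMPLE_CLEAN = ('<html><body><iframe src="/map.html" width="600" height="400">'
                '</iframe></body></html>')

def suspicious_iframes(html):
    """Return (tag, reasons) for every iframe that looks injected."""
    lower = html.lower()
    html_open, html_close = lower.find("<html"), lower.rfind("</html>")
    findings = []
    for match in IFRAME_TAG.finditer(html):
        reasons = []
        if HIDDEN.search(match.group(0)):
            reasons.append("hidden")
        if html_open != -1 and match.start() < html_open:
            reasons.append("before <html>")
        if html_close != -1 and match.start() > html_close:
            reasons.append("after </html>")
        if reasons:
            findings.append((match.group(0), reasons))
    return findings

def scan_webroot(root):
    """Map each index file under root to its suspicious iframes."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and INDEX_NAME.match(path.name):
            found = suspicious_iframes(path.read_text(errors="replace"))
            if found:
                hits[str(path)] = found
    return hits

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for name, found in scan_webroot(root).items():
        for tag, reasons in found:
            print(f"{name}: {', '.join(reasons)}: {tag}")
```

A frame that obfuscated JavaScript writes into the page at run time does not appear as a literal `<iframe>` tag, so this check will not see it; comparing index files against a known-good copy covers that case.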


Other web threats include massive SQL injections, XSS attacks and exploits from RBN.

Sites attacked by malware of this type are being banned by search engines. The worst problems are destroyed rankings and unwanted popups/redirections…

Also, a new web-based threat (drive-by installs) is currently spreading at a rate of about hundreds of sites per day (maybe more).

McAfee has named this trojan JS/IFrame.gen.


How to overcome it? Is there any solution?

There is no official solution to get over this problem. Changing your FTP account password and using updated/latest FTP clients should solve this problem.

Windows users should make sure they have installed all security updates, and preferably upgrade to XP SP2 with IE7, or Vista. Running an active anti-malware guard can also help. That should just leave the people dumb enough to think they need to install a new codec to view porn.

Another way is blocking the IP. Learn more here:

http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml
