55,000 Web sites hacked

From ZDNET:

55,000 Web sites hacked to serve up malware cocktail

 

The article doesn't mention that the i-frame connects to a site to load a javascript file which contains the exploits. This means that the first area of defense is proper configuring of scripts in the browser to prevent the javascript file from executing and running the exploits.

If you configure javascript per site, even if you have scripts enabled for the compromised site with the i-frame, once redirected to the site with the .js file, nothing will run.

The URLs for the exploits are no longer working, but an earlier exploit using the same methods can illustrate. Here, the fileslist.js file attempts to load a fake winantivirus scanner:

Code:

script src='fileslist.js'>/script

With javascript disabled, nothing happens:



Enabling javascript, the fake scanner loads:



Check your browser configurations!

----
rich

 

Question...

Would the exploit work if i-frame loading by the browser is disabled even if js is on?

 

Yes, because disabling inline frames just prevents the content from being displayed in the browser.
The code in the inline frame will still execute.

This is easy to test. Here is a .js file I put on my web site:



Here is code I put in a web page to run this .js file using i-frame:

Code:

<i frame src="http://www.urs2.net/rsj/check.js"></i frame>

With inline frames enabled, the .js file displays in the browser:



And here is the cached file:




Now, I'll disable inline frames



and delete the cached file and run the test page again. Opera does not display an inline frame:



However, the .js file did indeed cache again:



Re-enabling frames at this point displays the contents of the cached .js file as before.

Many SQL injected pages use an inline frame to redirect the victim to a server which contains a .js file with the malicious code to download malware.

EDIT: this is the behavior in Opera. I've not tested with other browsers.

----
rich

 

Ahh, thanks for the clarification. Currently using opera as well and do have iframes disabled but js enabled although under the protection of sandboxie with run and internet access settings restrictions.

Another question if I may...

Can the such exploits circumvent default deny SRP + LUA mechanisms?

 

In the exploits I've seen, any security with Default-Deny execution protection will block the exploit from running any malware. That would include SRP.

Several users have tested SRP for me on a number of occasions. Here is one example I included with a SQL injection exploit from last year:

http://www.urs2.net/rsj/computing/tests/sql

----
rich

 

So even if users have javascript on for their browsers, the browser may still cache the exploit or malware but will be benign since SRP blocks it from running.

Thanks again for the valuable insight Rich

 

Some sites now have java ap install even Firefox their own tool bar when you connect to certain web sites without your permission.

 

How effective is the NoScript extension for FireFox against this exploit?

What I tend to do is just disable all scripts from running, unless the site is trustworthy, such as Microsoft, then I would allow it.

If anyone is that paranoid, you could always disable Javascript from running via the about:config settings of Firefox, and simply settle for text.

Interesting thread. Cheers for the info.