iFrame attacks: Blame your Web admin guy

With one new Web site compromised every 14 seconds, including some of the biggest names, it's almost impossible to tell what's a "trustworthy" Web site. But who's at fault for exposing Internet users?
Written by Liam Tung, Contributing Writer

With one new Web site compromised every 14 seconds, including some of the biggest names, it's almost impossible to tell what's a "trustworthy" Web site. But who's at fault for exposing Internet users?

Around 165,000 Web sites have been compromised in recent weeks, indicating a mass outbreak in the use of malicious iFrames to attack Internet users.

Just last week the input fields of several popular Web sites have been exploited to deliver iFrame attacks on potentially millions of visitors. By inserting HTML code into the search fields of the affected sites, the attackers have been able to launch iFrames which redirect users to Web sites hosting malware.

The attacks have targeted visitors to tech publication Wired.com, security firm Trend Micro and CNET Networks' own ZDNet Asia, according to security researcher Dancho Danchev.

By exploiting flaws in Web applications on the client side, such as RealPlayer and other lesser known media players, the attackers are able to push browsers to sites that host malicious content.

Similar attacks on PHP bulletin boards (PHPbb) have also exploded, according to security researchers at McAfee Avertlabs. Over the past week 200,000 PHPbb Web pages have been compromised, which McAfee researchers believes to be similar to the Santy worm attacks of 2004.

In 2004, Google managed to put a halt to the Santy worm -- malware which searched Google for Web sites that used a vulnerable version of the phpBB bulletin board software. Once the worm had infected one PHP bulletin board, it then used it as a launching pad to infect other vulnerable software.

"With the exploitation of PHP, we're not sure exactly what method may have been used, but we suspect it could be a SQL injection attack," senior McAfee security researcher, Nishad Herath, told ZDNet.com.au.

In just one hour last Friday afternoon, the number of PHPbb infections increased from 11,900 to 28,600 pages, Herath added.

"Depending on the capabilities of the Web server that is hacked -- in terms of the level of access an attacker has [in order] to modify the content -- the payload seems to differ. Sometimes it's just a Java script and others it's a malicious iFrame which hosts other malicious content," he said.

Security experts believe that preventing attackers from using malicious iFrames and PHPbb is a matter of validating input fields, for example, by making sure fields can only contain alphanumeric characters.

As well as preventing malicious iFrames, validating input fields could block complex phishing scams which manipulate Web pages to trick visitors into divulging personal information, according to Danny Allan, US director of security research at IBM Rational Software. Ninety percent of all phishing could be prevented if this process was done correctly, he said.

The fact that a Web server does not need to be fully compromised to be harmful to site visitors is also important, Sophos's chief technology officer, Paul Ducklin told ZDNet.com.au -- only a single line of HTML code is necessary to make the exploit work.

"People think the only way to threaten others is if malware infects the Web server in first place, but the bad guys don't need an active process on your computer if they can get static Web pages," Ducklin told ZDNet.com.au.

"The vast majority of affected Web pages are statically infected, so you're not actually dealing with active processes."

Because most malware is developed for Microsoft Windows while most Web servers are Linux machines running Apache, Web administrators mistakenly believe that this protects their servers and by default their site's visitors, said Ducklin.

Sophos's 2007 research also shows that 53 percent of all malware used malicious iFrames to exploit computer systems. The second most popular method was using hidden Java script, with nine percent.

Google's own researchers have also blamed the 300 percent rise in sites delivering drive-by downloads on poor security practices of Web administrators.

Editorial standards