Security researchers at Sophos have noticed a rise in the volume of Mal/Iframe-Gen detections. A number of sites have been infected using an iframe injection technique, and these infected sites are used to drive traffic to other websites (mostly malware sites).
Despite the obfuscation, Sophos products proactively block these malicious scripts as Mal/Iframe-Gen. As the threat name suggests, the payload of the injected script is to write an iframe into the page:
The iframe points to what appears to be a 'middleman' server, used to bounce the traffic elsewhere. This is commonly known as a Traffic Direction System (TDS). The TDS server is under the attackers' control, enabling them to configure it to redirect user traffic wherever they choose.
At first the injected iframe redirected to a freshly registered domain (hosted in Germany). However, the page was unavailable, with all requests returning a 404 error. This was a little surprising given that the attack was new (you expect 404s for old, stale attacks, where the compromised sites persist long after the target payload servers have been shut down).
Later the TDS server was updated to redirect the traffic to a new destination. At the time of writing it is redirecting the traffic to a Blackhole exploit pack site, where the victim is bombarded with the usual Flash, Java and PDF exploits.
The illustration below gives an overview of this attack, and the role that the TDS server plays in it.
This attack provides a perfect illustration of how user traffic is a commodity. Once the attackers have injected numerous sites with redirects to their TDS, they can essentially sell that user traffic to interested parties willing to pay for victims to hit their exploit sites.
As ever, protection from this form of attack consists of several components:
- detection of the malicious redirects injected into the legitimate sites (in this case, proactive detection as Mal/Iframe-Gen).
- URL filtering to block requests to the TDS. Thus far, a few different servers have been used in these attacks.
- URL filtering to block requests to the final destination servers.
- detection of the exploit site itself (Mal/ExpJS-N) and the various malicious files it uses.
- detection of the final payload (which will vary as the final destination server changes).
- if all else has failed, runtime protection (HIPS) to catch the malicious payload running on the victim's machine.