
Rick Robinson

Job title:
CTO and vice president, eSoft

Areas of expertise:
Applied cryptography, PKI, identity and access management (authentication, authorization, and auditing), secure data transport, and system hardening and protection

Biography:
Rick Robinson has over ten years of experience in the computer security sector, including development of secure embedded computers, secure remote access, secure networking design, and secure system architecture. Throughout his career, he has regularly worked with Fortune 500 customers, providing security strategy and guidance. Robinson is a recipient of the prestigious Avaya Labs Cup Award and has been named on four USPTO patents in the area of computer security with additional USPTO application submissions in process. He possesses CISSP and ISSAP certifications from (ISC)2. In addition, he is an IEEE Senior Member, Past-Chair of the IEEE-Denver Section, Member of IEEE Security and Privacy Society, Member of the IEEE Computer Society, and Member of the IEEE Critical Infrastructure Protection Committee. Robinson holds BS and MS degrees in electrical engineering from Montana State University with an emphasis in computer engineering, and is completing his Executive MBA from the University of Colorado.


Lack of Egress Filtering Spurs Success of Injected IFrame Attack

The security community at large and the eSoft Threat Prevention Team have recently noticed an uptick in sites compromised by a new injection attack that results in an injected iframe. The attack can be recognised by its attempt to pass the malicious script off as GNU GPL- or LGPL-licensed code; GPL and LGPL are public licences for open source software, and the reference lends a veneer of legitimacy to the malicious files.

The attacks themselves are neither new nor novel, but their success seems to stem in part from the iframes pointing to websites on non-standard ports. In particular, the attackers are hosting browser exploits and social engineering tricks on servers running on port 8080, as in the example shown below:

(Note also the trusted domain names that have been added to the URL to persuade a casual user to trust the link.)

As secure web filtering is added to anti-virus products and makes inroads in gateway security products, attackers are trying to circumvent the web filters with this age-old technique. Frequently these secure web filters only operate on common ports such as port 80, so an attacker who hosts a web server on an alternate port bypasses the filter entirely.

For this reason, it is essential that administrators who deploy secure web filtering lock down any ports not expressly being scanned. In other words, egress firewall rules that block outbound traffic on ports without security and content filtering will save networks from this attack and ones like it.
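A defender-side check for the pattern described above, added here as an example and not code from eSoft or the original post: it scans a page's HTML for off-site iframes whose src uses a non-standard port (the traffic a port-80-only web filter never inspects) or that are hidden from the visitor. The sample page and its host names are constructed placeholders, not indicators from any real incident.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

STANDARD_PORTS = {"http": 80, "https": 443}  # what a port-80/443-only filter inspects

class IframeCollector(HTMLParser):
    """Record the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def is_hidden(attrs):
    """True for the 0x0/1x1 or display:none frames typical of injected iframes."""
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    return tiny or "display:none" in attrs.get("style", "").replace(" ", "").lower()

def suspicious_iframes(html):
    """Return (src, reason) pairs: off-site iframes on a non-standard port, which a
    filter that only inspects port 80 never sees, or iframes hidden from the visitor."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        parts = urlsplit(src)
        if not parts.hostname:
            continue  # relative src: same origin, not an off-site frame
        try:
            port = parts.port  # raises ValueError on a non-numeric or out-of-range port
        except ValueError:
            findings.append((src, "malformed port"))
            continue
        if port is not None and port != STANDARD_PORTS.get(parts.scheme):
            findings.append((src, f"non-standard port {port}"))
        elif is_hidden(attrs):
            findings.append((src, "hidden iframe"))
    return findings

# Constructed sample page; the hosts are placeholders, not real indicators.
SAMPLE_HTML = """<html><body>
<iframe src="https://www.example.com/embed" width="300" height="200"></iframe>
<!-- GNU GPL -->
<iframe src="http://www.example-bank.com.evil-host.test:8080/index.php" width="1" height="1"></iframe>
<iframe src="http://cdn.example.net/widget" style="display: none"></iframe>
</body></html>"""
```

Run `suspicious_iframes(SAMPLE_HTML)` to see the port-8080 frame and the hidden frame flagged while the ordinary embed passes.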

At present, eSoft is detecting dozens to hundreds of newly compromised websites that have fallen victim to this attack and become conduits for attacks against their own visitors. More detailed information on how the attack is spreading and its links to Gumblar can be found on the Unmask Parasites blog.

Posted 18/01/2010 by Rick Robinson

Tagged under: Web Security, Injection Attack
