Hidden IFrame elements continue to be a popular way to target website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don’t know that they are infecting their visitors for quite some time.
ISC reader Glenn Jarvis reported a website that installs a malicious executable in the temporary folder of the victim’s system. A look at the source code of the website’s top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code.
The remote server’s index.html file contained JavaScript code that attempted to exploit a recent Internet Explorer vulnerability to download, install, and run a malicious executable on the website visitor’s computer. The executable was recognized by about half of anti-virus tools as a spyware trojan, and was assigned names such as Downloader-ASQ, TR/Spy.Small.EE.2, Win32/SillyDL.2fy, Trojan.Spy.Win32.Small, and Downloader.
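The injected tag described above is easy to miss by eye but easy to find by machine. The following scanner is an added example written for this diary, not code from the reported site or from ISC; it walks a page's IFrame tags and flags the properties that make an injected frame suspicious (1x1 or smaller dimensions, CSS hiding, off-screen positioning, and a source on a host other than the page's own). The sample page and the host names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page (not the site from the diary): a normal-looking
# index page with a 1x1 IFrame appended after the closing </body>, which is
# where injected IFrames frequently end up.
SAMPLE_PAGE = """<html><head><title>Shop</title></head>
<body>
<h1>Welcome</h1>
<iframe src="/help/embedded.html" width="600" height="400"></iframe>
</body></html>
<iframe src="http://remote.invalid/index.html" width="1" height="1" frameborder="0"></iframe>
"""

PAGE_HOST = "shop.invalid"  # host the page was fetched from (constructed)


class IFrameCollector(HTMLParser):
    """Collect every <iframe> tag with its attributes, wherever it appears."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '0%'; None if absent or non-numeric."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def frame_findings(attrs, page_host):
    """Return the list of suspicious properties of one iframe (empty if it looks benign)."""
    reasons = []
    w, h = _px(attrs.get("width")), _px(attrs.get("height"))
    if w is not None and h is not None and w <= 1 and h <= 1:
        reasons.append(f"tiny frame {w}x{h}")
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        reasons.append("hidden by CSS")
    if re.search(r"(left|top):-\d{3,}", style):
        reasons.append("positioned off-screen")
    src_host = urlparse(attrs.get("src", "")).hostname
    if src_host and src_host != page_host:
        reasons.append(f"loads content from third-party host {src_host}")
    return reasons


def scan_html(html, page_host):
    """Return [(src, reasons)] for every iframe with at least one suspicious property."""
    parser = IFrameCollector()
    parser.feed(html)
    results = []
    for attrs in parser.frames:
        reasons = frame_findings(attrs, page_host)
        if reasons:
            results.append((attrs.get("src", ""), reasons))
    return results


if __name__ == "__main__":
    for src, reasons in scan_html(SAMPLE_PAGE, PAGE_HOST):
        print(f"SUSPICIOUS iframe src={src!r}: {', '.join(reasons)}")
```

Run against the constructed page, the 600x400 help frame passes while the appended 1x1 frame is reported for both its size and its remote host. A site maintainer can run the same check over a crawl of their own pages, or diff its output between releases, so that an injected frame shows up before visitors do.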
The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:
- Initialize and script ActiveX controls not marked as safe for scripting
- Access data sources across domains
The exploit we observed operates by instantiating a series of objects, including Microsoft.XMLHTTP, Adodb.Stream, and WScript.Shell. When looking for correlating activities related to this exploit, we came across web forum discussions that suggest that this exploit existed as early as April 26th, two weeks after the release of Microsoft’s patch.
To protect your PC:
If you cannot install Cumulative Security Update for Internet Explorer (912812), do the following: run Internet Explorer, click Tools, choose Internet Options…, click the Security tab, click the Custom Level button, set Initialize and script ActiveX controls not marked as safe for scripting to Disable, set Access data sources across domains to Disable, click OK, click OK.
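The two settings above live in the registry under the Internet zone key, which lets you verify them on many machines without clicking through the dialog. The checker below is an added example, not part of the diary or of Microsoft's tooling; it assumes Microsoft's documented zone encoding (zone 3 is the Internet zone, action 1201 is "Initialize and script ActiveX controls not marked as safe for scripting", action 1406 is "Access data sources across domains", and value 3 means Disable). On Windows it reads the live per-user values; elsewhere it falls back to a constructed snapshot so the logic can be exercised anywhere.

```python
# Registry path of the Internet zone (zone 3) under HKEY_CURRENT_USER.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# Action IDs for the two settings the cumulative update turns off. These come
# from Microsoft's documented URL action list, not from the diary itself.
WATCHED_ACTIONS = {
    "1201": "Initialize and script ActiveX controls not marked as safe for scripting",
    "1406": "Access data sources across domains",
}
ENABLE, PROMPT, DISABLE = 0, 1, 3  # Microsoft's zone action value encoding

# Constructed snapshot standing in for a machine that has not been hardened:
# 1201 is set to Prompt and 1406 to Enable.
SAMPLE_SNAPSHOT = {"1200": ENABLE, "1201": PROMPT, "1400": ENABLE, "1406": ENABLE}


def read_zone_from_registry():
    """Read the watched Internet zone values on Windows; return None on other platforms."""
    try:
        import winreg
    except ImportError:
        return None
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for action in WATCHED_ACTIONS:
            try:
                values[action], _ = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                # Absent per-user value: the machine-wide default or a policy applies,
                # so the audit reports it as unknown rather than as Disable.
                pass
    return values


def audit_zone(values):
    """Return {action_id: (setting name, current value, hardened?)} for each watched setting."""
    report = {}
    for action, name in WATCHED_ACTIONS.items():
        current = values.get(action)
        report[action] = (name, current, current == DISABLE)
    return report


def is_hardened(values):
    """True only when every watched setting is explicitly set to Disable."""
    return all(ok for _, _, ok in audit_zone(values).values())


if __name__ == "__main__":
    live = read_zone_from_registry()
    values = live if live is not None else SAMPLE_SNAPSHOT
    for action, (name, current, ok) in audit_zone(values).items():
        print(f"{'OK  ' if ok else 'FAIL'} {action} {name}: {current}")
```

A missing value is deliberately treated as not hardened: the audit only passes when both settings are explicitly Disable, which is the state the 912812 update leaves the Internet zone in.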
For more protection, read the howto: How to drop rights for safe surf