
Uncloaking invisible iFrames

Mention drive-by malware to nefarious types and they smile, silently thanking the invisible iFrame. Ever wonder why?

During a seminar about drive-by malware, the speaker briefly touched on iFrames, mentioning they're invisible, difficult to detect, and the reason why drive-by malware is so successful.

As I listened, I realized I didn't know how iFrames worked, and what she meant by invisible. As one who subscribes to "Know thy enemy," that's not good. Right then, I resolved to change that.

iFrames

First thing I discovered: millions of websites incorporate iFrames, but they're visible. By definition, an iframe (Inline Frame) is an HTML tag that allows an HTML document to be embedded inside another. The IFrame element inserts content from another source, such as an advertisement, into the web page containing the iFrame. Here's an example:

<html>
<body>
<iframe src="http://www.techrepublic.com">
</iframe>
</body>
</html>

That code inserts the following:

OK, but how does one make the iFrame invisible? For that, I asked André M. DiMino, well-known security analyst and founder of DeepEnd Research, for help:

Here is what an actual (live at this writing, but de-fanged) invisible iframe looks like:

<html>
<body>
<iframe width="0" height="0" frameborder="0" src="http://loadus.exelator.com/load/?p=258&g=024&c=23706&ctg=modeling&j=w">
</iframe>
</body>
</html>

There is no malware within the iframe itself, just a link to another site that will attempt the exploit.

So, code specifying width=0 and height=0 makes the iFrame disappear, and the reason for making it disappear is to prevent the victim from seeing the web page hosting the exploit code right in the middle of the viewable portion of a legitimate web page.
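As an added example (not code from the article or from any of the people quoted in it), here is a small scanner a site owner could run over a page's own HTML to uncloak frames like the one above. It goes beyond the exact width=0/height=0 case to tiny frames, CSS-hidden frames and frames pulling content from a different host, since small iframes work just as well as zero-size ones; the sample HTML, the hostnames and the threshold SMALL_PX are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SMALL_PX = 2  # a frame this small (or smaller) is effectively invisible

def _px(value):
    """Parse a width/height attribute such as '0' or '1px' into an int."""
    m = re.match(r"\s*(\d+)\s*(px)?\s*$", value or "")
    return int(m.group(1)) if m else None

def _css_hidden(style):
    """True if inline CSS hides the frame: display/visibility, zero size, or offscreen."""
    s = (style or "").lower().replace(" ", "")
    return ("display:none" in s or "visibility:hidden" in s
            or re.search(r"(width|height):0+(px)?(;|$)", s) is not None
            or re.search(r"(left|top):-\d{3,}px", s) is not None)

class HiddenIframeScanner(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []  # list of (src, reasons)

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if (w is not None and w <= SMALL_PX) or (h is not None and h <= SMALL_PX):
            reasons.append("tiny-or-zero-size")
        if _css_hidden(a.get("style")):
            reasons.append("css-hidden")
        src = a.get("src") or ""
        host = urlparse(src).hostname
        if host and host != self.page_host:  # content pulled from a third party
            reasons.append("cross-origin:" + host)
        if reasons:
            self.findings.append((src, reasons))

def find_hidden_iframes(html, page_host):
    scanner = HiddenIframeScanner(page_host)
    scanner.feed(html)
    return scanner.findings

# Constructed sample page: one visible same-origin frame and three hidden ones.
SAMPLE = """<html><body>
<iframe src="https://example.org/widget" width="300" height="200"></iframe>
<iframe width="0" height="0" frameborder="0" src="http://redirector.example/load"></iframe>
<iframe width="1" height="1" src="http://redirector.example/x"></iframe>
<iframe style="display:none" src="/local/tracker"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, why in find_hidden_iframes(SAMPLE, "example.org"):
        print(src, why)
```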

I asked André if the user had to activate the iFrame:

No, the exploit can install and execute the malware without any user knowledge. Simply visiting the web site will initiate a connection to the redirect site. Once the redirect is made, the exploit installs by leveraging a vulnerability in the user's browser or plug-in.

Planting malicious iFrames

I now get how iFrames become invisible. What I don't get is how an iFrame gets positioned. I mentioned this to Lenny Zeltser, veteran security professional, author, and SANS instructor. He offered the following explanation:

Attackers can create a malicious website, but then they need to bring visitors to that website. This can be done in many ways. For instance, the attacker might use aggressive SEO techniques to show the malicious site in search results.

Another approach involves placing malicious advertisements. The attacker's ad could include code that instructs the victim's browser to visit the malicious website.

The method you're interested in involves using a legitimate website to redirect visitors to the malicious website. The attacker might compromise a legitimate site using techniques such as SQL injection to insert invisible iFrames that automatically redirect visitors to the site hosting the exploit.

Anything we can do?

I asked André and Lenny if there was anything we could do to prevent drive-by malware. They came up with the following suggestions:

  • Maintain lists of known malicious websites. (Workable, but entirely reactive)
  • Check out security tools that examine web traffic using behavioral and heuristic analysis. (Better, but expensive and still reactive)
  • Make sure all computers -- including web servers -- are fully patched. (Best, unless Zero-day)

André also mentioned tools like NoScript should be of some help. That was all I needed. I've been meaning to see if Giorgio Maone, creator of NoScript, was feeling better. Here's what Giorgio had to say:

NoScript does protect against this because permissions given to a certain page are not cascaded to its inclusions and embeddings (including iFrames) from different origins. Therefore, even if the compromised site is in your whitelist, the third-party site under the attacker's control is still blocked.

I'm often asked why the "Allow all this page" NoScript command needs to be repeated multiple times before unblocking all sources. That's because NoScript only gives permission to the resources you see in the menu when you issue the command, rather than giving a free pass to content with unknown origins.

This way you're always given a chance to examine every origin before allowing it (e.g. by middle-clicking its "Allow xyz.com" menu item), and permissions can never be given blindly.

What does it mean?

The goal of drive-by malware is to take temporary control of a target's web browser and then force it to download and execute a malicious application, all without the victim knowing. Fortunately, the entire operation hinges on invisible iFrames. If we can uncloak them, the whole process falls apart.

I'd like to take a moment and thank the three gentlemen for their help. I've known each for a while now and their expertise and willingness to help is appreciated.


31 comments
thisflourishinglife

Hi, I'm wondering if loadus.exelator.com is an actual malicious iFrame or if you were just using that as an example? I ask because someone messaged me to tell me they found that in the coding in the footer of my site and believe it to be a virus. I did some research and find it in my javascript coding using Firebug, but can't figure out what it is or how to remove it.

Todd

If the end user is browsing in a Standard User profile that does not have installation privileges, can this type of malware still embed itself, or will this prevent the malware from infecting the machine like with other more common infections?

PReinie

I have NoScript installed and I use it. 99% of the time it tells me scripts are partially allowed. Even this page shows techrepublic is allowed, but I have to tell NoScript to allow com.com, trstatic, spstatic, and google-analytics.com (every page, but I find them via Google). From what I think you've said, Michael, the pages I go to (supposedly valid) likely don't have the no-size invisible iframes; it's the pages that those link to, or which show up as a result of something like a Google search, or a page a URL resulting from a Google search takes me to, that I have to worry about the invisible iframes. Suppose one forbade any size 0 by 0 iframe from "showing" (even though it's invisible) [maybe loading is a better word]? Might a malicious site then instigate a 1 by 1 size iframe? A period might be larger than 1 by 1. Or any character could be the iframe! If you don't have to click on it, why does it have to be 0 by 0?

tony

I have started using a Netgear UTM5 (Unified Threat Management) firewall and was stunned at the number of web site links it blocked. This, or equivalents, are a good way for small businesses to protect against this type of threat.

lijo.leecorp

This area of the page is often not visible and the scripts are no longer controllable, and the user won't even know that the script is generating some so-called (Request/Response) to remote machines. This may even amount to a DDoS attack. We can have solid examples if we Google enough. Good luck chaps, good day.

Brian.Buydens

It is probably a dumb question but if the answer is no, perhaps browsers could be programmed so that invisible iFrames are not allowed.

mhenriday

Unfortunately, it is also, as mentioned by another commentator, rather «knowledge intensive» (or at least, «decision intensive»), which is why I don't dare suggest installing it to (the vast majority of) the retirees whom I help with their computer problems. It must be said, however, that most of them - with a few notable exceptions! - are very circumspect in their surfing habits, which means that it's not quite as incumbent upon them to have NoScript installed as would otherwise be the case. Still, I'd very much like to be able to introduce it to my friends and would be grateful for any feasible suggestions as to how to descend from the horns of this dilemma.... Henri

Slayer_

They could still just display an advertisement, but have the page it loads have scripts as well. You can always iframe to a page that just displays an image and has a script in the header that runs on load. A user would never know. Instead, iFrames need to be changed so that you can't iframe in a source that is not from the same root address. And if you try, the browser should give an allow/deny warning.

JCitizen

If the malware is ActiveX based, SpywareBlaster will block the intrusion automatically by registry entry. The control will look like a blank box with a red 'X' on it. Most of the time Avast will auto block any bad scripts similar to the way NoScript works except it is automatic; occasionally you will notice a slight delay in page response, but rarely so. (I use Comodo Dragon and get stellar performance.) As was mentioned before by Tony, the UTM appliance can block the object through streaming AV/AM service. In my experience, such drive-by attacks will try to leverage any Flash or Adobe Reader vulnerabilities by opening said application and attacking the OS system. However, if they are updated you only get an amusing failure of the malware to enter into an attempt to foist admin privileges! HA! I love it when the crooks fail! ]:) Surprisingly, about 75 to 85% of the time, even though it may be a zero-day threat, the IE9 browser will block all attempts by malware to attack through the browser - either by SmartScreen scanner, bad certificate, ASLR, DEP, or the UAC will pop off for no explainable reason, and then of course you would be a fool to give permission in such instances. If the malware is a Zeus-type variant or similar and doesn't need elevated privileges, it will attempt to inject into the startup folder; CCleaner can defeat this if run before reboot or log off. CCleaner itself will be attacked by the malware, and nothing will set this off - BTW - but you will notice the desktop shortcut will be gone for this venerable application, and the icon will be removed from the Programs list applet. Running CCleaner will still rid you of the temp file trying to do this.
WinPatrol can sometimes pop an alert after reboot if you fail to stop the survival attempt by the malware, but you have to watch it, because malware can attack it too - Emsisoft's Mamutu is invulnerable to these attacks so far, because it is a kernel-based solution; but it isn't as sensitive as WinPatrol on the fast draw. Comodo's Defense+ is another kernel-based solution to this. I sometimes run all of them concurrently - there is no degradation of system performance with blended defenses such as these. (edited) - I return to edit this last statement as Defense+ now slows older XP systems to a crawl. I have to disable it now in those circumstances, but the other defenses still stand - so far.

Michael Kassner

Lenny made that same comment. It is not just zero by zero iFrames. Other small ones will usually work just as well.

Michael Kassner

How does the device work? It blocks egress activity? How do you know that you capture all of it?

Michael Kassner

It is an interesting approach, this being, as you say, hidden from the user's view.

grayknight

for invisible iframes. As with most functionality, there are good and bad uses.

Michael Kassner

I'm not sure myself. I'll ask the experts and get back to you.

JCitizen

I use several solutions that are not only free, but do an excellent job as a substitute for NoScript. They use no system resources - or at least I use all of them on old equipment with no problems: Avast, SpywareBlaster, Comodo w/Defense+ (free personal firewall), WinPatrol - in case a sneaky one gets through (thanks to Michael for reminding me of this old work horse!). It seems like Spybot Search and Destroy used to have an effective setting for iFrames, but it is a very weak rivet in the armor nowadays - IMO. AdAware was one of the most wondrous solutions to many malware I'd ever used; but they can't be trusted anymore - since January - I'm afraid. I was never sure how it worked, but suspected it had the ability to disrupt communications of the malware, both internally and out to their web minions on web servers. This left them basically de-horned until CCleaner could dump them in the trash. I used to notice a quite large performance enhancement back then; no longer the case now.

Mark Johnson

I always install Firefox+NoScript+AdBlock and make it the default browser for all friends and family. I explain that they should only accept domains they expect to see, e.g. if they go to fredbloggs.co.uk then accepting fredbloggs.com and fredbloggsstatic.co.uk is probably ok, but accepting joepublic.com is probably not ok, unless they already know some affiliation between fredbloggs and joepublic. I do also go through their favourites and explain why they should accept or deny each domain, point out that most are not required from their perspective but allow ads, tracking etc. At that point I offer to remove it all; no one has ever taken me up on this, and all have managed to update the permissions as they needed to. I maybe get 1 call per year per person asking if a certain domain is acceptable. For some, I also install the WOT plugin, and again educate 'don't touch the red circle'. BTW, this is what I use for my own surfing, and most of the domains for this TechRepublic page are not allowed, without any loss of functionality that I care about.

flhtc

I've been using it along with an ad blocker and an anti-tracker for a while now. Every time I hop on a new computer, or one without these tools, I see just what I'm "missing." Mostly garbage. Not to get too melancholy about things, but I remember when the Internet was accessed mostly by modem. It's a real shame that such a wonderful source of a nearly infinite wealth of information has been turned into such a cesspool.

Michael Kassner

I wouldn't go by the title as much as what I had in the main body.

Slayer_

As long as it's the same as the background. You can also make one of those collapsing sections and put the iframe in there.

JCitizen

As far as my UTM appliance; I know I can purchase VStream anti-virus/malware service from CheckPoint that blocks bad page controls, if they are infected and a definition exists. Because the scanner is embedded hardware, it takes a load off your internal server or workstations, and it is crazy fast! I've not experienced it on my box, but my sister has the Z100G variant of the same appliance, and it works very well. I plan to migrate to the "N" version of the Netgear UTM5 as soon as my connection turns gigabyte speed. I think their service packs are a little more economical, if I remember correctly.

Michael Kassner

Yep, WinPatrol is a great standby and Bill is constantly working on it. Which of your tools works against iFrames?

Michael Kassner

Many security pundits also informed me that NoScript is fairly knowledge intensive. I'm betting you know all sorts of people that would not have the patience for NoScript.

JCitizen

I used to block all using IE and set trusted sites later. I swore the old version of SaferNetworking's Spybot S&D had a setting for it, but not anymore, if at all. I was doing the testing in 2008, and I've had a lot of brain damage since then. So my memory is fuzzy about that. I don't do much to IE9 settings now, I just let SS&D control what cookies it does. I've been nervous ever since I had to dump Lavasoft, and I'm finding out malware can do a lot to a limited account to mess with the user. I have little hope of finding a replacement. Fortunately I no longer need AdAware for performance gain; modern browsers are quite capable of doing a good job by themselves. Some very disreputable concerns bought Lavasoft in January, and I just can't trust them anymore. I'll be playing with stuff I've never considered before - CNET user reviews will be my favorite reading for a while.

PReinie

My goal was always to write SW so good people wouldn't bother me about it later. I've been fairly successful at that to the point I had the comment sent to me "why did you do such a good job, now they want the newer version to do that!" It helped to be "in their shoes" when I wrote it in the first place. Be the user before you design what's not there!

Slayer_

It's too confusing to them; they don't know to check which scripts are blocked, or how to tell if a page is loading correctly. Or those times you fill out a form and hit submit and nothing happens, so you allow the scripts, the page reloads and your form data is gone. Instead, I use AdBlock and WOT on Avant (Firefox engine). So far they have never had a virus. I'll update Avant every year or so. Windows 7 makes it better; I put UAC to max and explained to them how it works, and that they should only ever say yes to one when it's triggered by something they are doing, otherwise choose no. UAC is a fairly weak security measure, but it does stop a good chunk of XP and earlier viruses.

flhtc

You help the people you can, and fix the computers of those you can't. Printed on my business card is: "My job is to put myself out of a job. I want to teach you how to help yourself."

JCitizen

This is why I tell folks when I introduce them to NoScript to just keep it simple. I suggest that they simply let NoScript block all - and if they suspect there is content they need, at least make a guess which page control they should allow before giving the "allow all". I counsel them that they will eventually get the ability to recognize trusted scripts by name, or at least recognize that unfamiliar ones should not be trusted. I seem to remember an Internet Explorer setting that blocks iFrames? I've become lazy about them, because of Avast. It always seems to be able to manage blocking bad scripts in the first place. My foggy memory recalls tests I used to do, where I went to test sites to see how iFrames react to IE settings and script blockers - I don't remember the URLs, but my defenses passed the tests every time. This was before stealth malware became ubiquitous, of course. There can be no guarantee now that any malicious script will be recognized - not even by good heuristics. So far the operating system security seems to be winning that part of the battle - CCleaner closes the victory.