Number 301 - June 2008

iFrame Attacks

by Brian K. Lewis, Ph.D.* Sarasota Personal Computer Users Group, Inc.

I'm sure that most of you reading the title of this article are asking, "What is an iFrame?" Well, sit back, get comfortable and I'll tell you about the latest method hackers are using to steal information from you. First the definition of an iFrame, which is shorthand for inline frame. That clears it up, doesn't it? I guess I'd better add some more to that. An inline frame is code within a web page that permits a second page to be embedded inside the first page. For example, an iFrame can be used to embed an ad that is located on a different web site. One example is the clickable scrolling ad you frequently find on web sites. iFrames generally load after the main page and may sometimes have their own scroll bar. The iFrame may contain JavaScript programming code which can permit interactive content. Some iFrames may be invisible and may contain code which can redirect the user to another page or download Trojans or viruses. Whenever your Internet browser sees an iFrame tag in the web page code, it sets aside the space requested in the tag. It also goes out to the web page specified in the code to download the requested information.

So is this something new? I thought it was until I read a report in a tech newsletter (Windows Secrets) about an attack on the AskWoody web site. It turns out that iFrame attacks have been recorded since 2004. The first exploit implanted a worm on thousands of computers. The only thing that stopped it was a patch that Microsoft had to apply to Internet Explorer 6. In June 2007 over 10,000 pages were infected in Italy. In November 2007 Monster.com

The question becomes, how did the iFrame code become attached to the web page? The code pages on web sites are generally password protected. Access to these pages for the purpose of making changes is controlled by the web site host and the hosting software. However, there are several programs available which enable hackers to take advantage of holes in web site security.
Some of these are described as kiddie scripts, indicating their ease of use. Others, such as Mpack, require a more sophisticated knowledge of programming. The problem is that thousands of respectable sites have been infected. The following are only a few that were reported in March 2008 by Dancho Danchev's blog (a security information web site):

- eHawaii Portal - www.ehawaii.gov - 992 pages
- The World Clock - timeanddate.com - 944 pages
- Boise State University - boisestate.edu - 471 pages
- The U.S. Administration on Aging (AoA) - aoa.gov - 425 pages
- Gustavus Adolphus College - gustavus.edu - 312 pages
- Internet Archive - archive.org - 261 pages
- Stanford Business School Alumni Association - gsbapps.stanford.edu/act/index.jsp - 157 pages
- BushTorrent - bushtorrent.com - 147 pages
- ChildCareExchange - ccie.com - 131 pages
- The University of Vermont - uvm.edu - 120 pages
- Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
- Minnesota State University Mankato - mnsu.edu - 94 pages
- Medicare - medicare.gov - 12 pages

In many instances it appears that the hackers were able to harvest passwords which gave them access to these sites. Then, if the site did not have current input validation patches, the iFrame could be added to web pages. In some cases, home users may have been the source of the initial password theft. By use of a keylogger a hacker can obtain passwords to any protected site visited by the user.

In other cases clicking on a banner ad that attracts you can result in the download of a bot, a Trojan or other spyware. This is especially true if you are still running an unpatched Internet Explorer 6. It appears that Firefox is less vulnerable to these types of exploits. Also, clicking on an executable file in IE 6 generally results in running the file. In Firefox you are usually only given the option to download the file. Obviously you should never download or run any file that you don't know or don't recognize. This is especially true when the site tells you that you need some kind of add-on or special viewer to see the information you want. This is the type of social engineering being used to tempt users into downloading spyware.

There is also a danger related to the firewall you are using on your computer. A keylogger or other Trojan needs to be able to report home without the user being aware that information is being sent out. This is done by opening a back door to the Internet: an outgoing port, one of the thousands on every computer. If your firewall doesn't check all outgoing data and request permission for new unknown activity, then you will not be able to block the Trojan's back door connection. So it is very important that your firewall check both incoming and outgoing data. Then, anytime your firewall requests permission for a program you don't recognize to connect to the Internet, just say NO.

There is one other recognized method for obtaining the information needed to get into web page code.
Hackers can purchase web site administrator information on the black market. One software application used to hack web sites, Mpack, sells for about $1,000 US. The person behind this software is known as $ash in the Russian underground. The software exploits six flaws in Windows and Internet Explorer. Thus for not a lot of money, hackers can obtain everything they need to exploit weaknesses in web pages.

As you can see, the iFrame attack is a real danger for those who surf the Internet. If you want to read more about these attacks, a Google search will provide you with tons of information. If you want to protect yourself from these attacks, your ability is limited. It is really up to your ISP and the web hosts to provide the security needed to prevent the web page intrusion of an iFrame.

So what can a home user do? The following will help, but are no guarantee of protection.

As you can see, for Windows users, the Internet is becoming more of a hazard to navigation. You, as a user, must always be cautious about clicking on links or accepting downloads. If in doubt, don't do it! If everyone practiced safe-surfing, it would be harder for the hackers to succeed.

*Dr. Lewis is a former university and medical school professor of physiology. He has been working with personal computers for over thirty years, developing software and assembling systems. He can be reached at bwsail at yahoo.com.

Copyright 2008. This article is from the May 2008 issue of the Sarasota PC Monitor, the official monthly publication of the Sarasota Personal Computer Users Group, Inc., P.O. Box 15889, Sarasota, FL 34277-1889. Permission to reprint is granted only to other non-profit computer user groups, provided proper credit is given to the author and our publication.