Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: 2117966.net-- mass iframe injection - SANS Internet Storm Center SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
2117966.net-- mass iframe injection

Situation:

Over 10,000 legitimate websites have been compromised and now have an iframe that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerability described in MS06-014 and a number of ActiveX vulnerabilities.

Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.

Recommended immediate action:

Block 2117966.net at your web proxy

Recommended follow-up action:

Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175
(http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.

Protecting Browsers:

A properly-patched system should not be at-risk from this attack.  It is recommened to use a browser that does not support ActiveX.

Protecting Webservers:

Until details become available on how the iframe was injected, we have no recommendations.

Missing information:

We currently do not have details on how the iframes were placed on the websites.  If you are responsible for cleaning-up or investigating one of  the defacements, please contact us if you have information on how the compromise occurred.

Kevin Liston

280 Posts
ISC Handler
I see that various security researchers are debating the possibility of attackers using the caching feature of websites search software to add IFrame code to the saved search results on the sites.

Anyone come across this ?

On the assumption that this is a possible attack vector, wouldn't an immediate response advice be to disable site search caching on your website search software pending further investigation ?
Karl

14 Posts Posts
You might want to mention, parenthetically, that MS06-014 should _not_ be confused with MS08-014, which was just announced earlier this week. Some folks might mis-read the first paragraph and get spun up over nothing.
Anonymous

Posts

Sign Up for Free or Log In to start participating in the conversation!