Malicious iFrame Detected on

Beginning May 10th, a malicious iframe was detected on the website. The iframe loads malicious exploit code from a path on the domain. On susceptible systems, the exploit results in the installation of a DNS changer Trojan. A DNS changer Trojan can be used to forcibly – and surreptitiously – redirect victims to sites other than those they expected. For example, a user attempting to access their online banking site may be directed to a look-alike site that captures their banking credentials when they attempt to log in to what they believe to be the legitimate site. The injected iframe would not be readily visible to visitors of the website, which continued to display normally as seen in the screenshot below.

However, the script for the hidden iframe is apparent when examining the site’s source code, as seen in the screenshot below. Note that the malicious script has since been removed from the website.

The particular iframe is consistent with an iframe appended to sites via the FerTP Trojan. FerTP is a backdoor / password-stealing Trojan that harvests FTP login credentials and sends those credentials to a remote attacker. The Trojan also logs into the sites using those same FTP credentials, searching for specific types of web pages and appending the malicious iframe to each one found. The targeted pages are index.htm*, index.php, main.htm*, main.php, default.htm, and default.php.
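
An added example, not part of the original report: a site owner's check that walks a web root, selects the page names listed above, and flags iframes that are hidden or that sit after the closing `</html>` tag. The "hidden" heuristics, the function names and the report format are assumptions made for illustration, not FerTP signatures.

```python
import fnmatch
import os
import re
import sys

# Page names the report lists as FerTP's targets.
TARGET_PATTERNS = ["index.htm*", "index.php", "main.htm*", "main.php",
                   "default.htm", "default.php"]
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
# Assumed heuristics for "not readily visible": 0/1-pixel size or CSS hiding.
HIDDEN_RE = re.compile(
    r"""(?:width|height)\s*[=:]\s*["']?[01](?:px)?\b|"""
    r"""display\s*:\s*none|visibility\s*:\s*hidden""", re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)

def is_target(filename):
    """True if the name matches one of the page types the Trojan searches for."""
    name = filename.lower()
    return any(fnmatch.fnmatchcase(name, p) for p in TARGET_PATTERNS)

def suspicious_iframes(text):
    """Return (reason, tag) pairs for iframes appended after </html> or hidden."""
    ends = [m.end() for m in HTML_END_RE.finditer(text)]
    doc_end = ends[-1] if ends else None
    findings = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if doc_end is not None and m.start() >= doc_end:
            findings.append(("after-closing-html", tag))
        elif HIDDEN_RE.search(tag):
            findings.append(("hidden", tag))
    return findings

def scan_webroot(root):
    """Walk root and map each targeted file's path to its suspicious iframes."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in filter(is_target, files):
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read())
            if hits:
                report[path] = hits
    return report

if __name__ == "__main__":
    for path, hits in scan_webroot(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        print(path, hits)
```

Because the Trojan reaches the pages with stolen FTP credentials, a hit here also means those credentials should be changed, not only the page cleaned.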

This report was completed by: Mary Landesman
