Showing posts with label Virus Bulletin. Show all posts

Sunday, May 14, 2017

[Virus Bulletin Conference] The TAO of Automated Iframe Injectors - Building Drive-by Platforms For Fun and Profit



In this paper, we present the design of the distributed infection model that attackers use to inject malicious iframes on the fly and conduct large-scale drive-by download attacks. We use the term “Iframe Injectors” for the automated tools attackers use to trigger mass infections. Iframe Injectors can be standalone tools or components embedded in botnets. We discuss the classification of Iframe Injectors and dissect a number of existing tools to understand their functionality and how they are deployed effectively.


Iframes are inline frames, which are HTML objects that are embedded in a web page to fetch content (HTML or JavaScript) from a third-party domain. The content is treated as a part of the primary web page and is served when that web page is accessed. This is a known HTML functionality and is heavily used for content sharing among multiple domains. However, attackers abuse this functionality in multiple variants of drive-by download attacks as a part of massive iframe infection campaigns. An attack starts with a malicious domain that hosts malware. The attackers then embed a URL referencing the malware in an iframe and place that in a compromised website (or any other self-managed website). Users are then coerced into visiting the web page that has the iframe embedded in it. When the user visits the page, the malware is fetched from the malicious domain and the end-user system is infected.
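
An added example, not taken from the paper: a site owner's audit that lists the iframes on a page whose source host is neither the site's own host nor an approved content-sharing partner, which is where an injected iframe of the kind described above would surface. The function names, the allowlist and the example.* URLs are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class IframeCollector(HTMLParser):
    """Collect the src attribute of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names before this call.
        if tag == "iframe":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def third_party_iframes(page_url, html, allowed_hosts=()):
    """Return (src, host) for each iframe whose host is neither the page's
    own host nor on the allowlist of approved partners."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    allowed = {h.lower() for h in allowed_hosts} | {page_host}
    collector = IframeCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # Resolve relative and protocol-relative URLs against the page URL.
        host = (urlsplit(urljoin(page_url, src)).hostname or "").lower()
        if host and host not in allowed:
            findings.append((src, host))
    return findings


# Constructed sample page; every host below is a placeholder.
SAMPLE_URL = "https://www.example.com/news/index.html"
SAMPLE_HTML = """
<html><body>
<iframe src="/widgets/weather.html"></iframe>
<iframe src="https://video.example.org/embed/42"></iframe>
<IFRAME SRC="//cdn.example.net/in.php?id=7"></IFRAME>
</body></html>
"""

if __name__ == "__main__":
    partners = ["video.example.org"]  # assumed approved partner
    for src, host in third_party_iframes(SAMPLE_URL, SAMPLE_HTML, partners):
        print(f"unexpected iframe host {host}: {src}")
```

Iframes whose `src` has no host (for example `data:` or `about:` URLs) are skipped by this check and need separate review.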


For complete details, the paper is available here: https://www.virusbulletin.com/virusbulletin/2016/10/tao-automated-iframe-injectors-building-driveby-platforms-fun-and-profit/

PDF is available here: https://www.virusbulletin.com/uploads/pdf/magazine/2016/VB2016-Sood-Bansal.pdf


Tuesday, March 5, 2013

VB Magazine - A Look into Sweet Orange and Propack Exploit Pack

We have just released our thoughts on "Sweet Orange" and "ProPack" exploit packs in VB magazine this month.

"Blackhole has been the major player in the exploit kit market for a while now, but the Sweet Orange and ProPack kits have recently entered the market and are rapidly gaining in popularity. Aditya Sood and colleagues take a look at advancements in the design of the new kits on the block."

Refer: http://www.virusbtn.com/virusbulletin/archive/2013/03/vb201303-SweetOrange-ProPack

Enjoy!