NEWS FROM THE LAB - Wednesday, April 2, 2008

You've Been IFramed
Posted by Ian @ 11:09 GMT

IFrames injected into legitimate sites are becoming more and more common. One of the latest targets is a Chinese government site at www.zhangzhu.gov.cn.


Please note that while the site administrators have been notified, the injected IFrame is still present on the site at the time of this posting.

The IFrame downloads a page from another Chinese site, which redirects the browser to a .com site that contains tons of new IFrames.

The end result of this IFrame jungle is that exploits attempt to download executables to the user's computer:


Both of these files are already detected as Trojan-Downloader.Win32.Small.SUU by our latest database updates.

Drive-by downloads are getting more sophisticated nowadays. This case is an example: it uses several exploits, including MDAC and Real Player exploits.

As always, remember to practice safe computing even when on familiar grounds, lest you find yourself IFramed.

Updated to add: Breaking news. It turns out that sony.com.cn seems to have similar IFrames added to some of its pages as well. We have been in touch with Sony and CERTs on this.
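
For site operators, one way to spot the kind of injected IFrame described in this post is to audit served pages for frames whose source host is not on an allowlist. The Python below is an added example, not part of the original post; the host names, the sample page and the zero-size/hidden-style heuristic are constructed assumptions, since the post does not show the injected markup.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def is_hidden(attrs):
    """Heuristic (assumption): frame sized 0/1 px or hidden through inline CSS."""
    style = "".join(attrs.get("style", "").lower().split())
    tiny = any(attrs.get(k, "").strip().lower().rstrip("px") in ("0", "1")
               for k in ("width", "height"))
    return tiny or "display:none" in style or "visibility:hidden" in style

class IframeAudit(HTMLParser):
    """Record every <iframe> whose source host is not on the allowlist."""
    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":  # HTMLParser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        # Resolve relative and protocol-relative sources against the page URL.
        src = urlsplit(urljoin(self.page_url, a.get("src", "").strip()))
        if src.scheme not in ("http", "https"):
            return
        host = (src.hostname or "").lower()
        if host not in self.allowed:  # exact match; subdomains must be listed
            self.findings.append({"line": self.getpos()[0], "host": host,
                                  "src": src.geturl(), "hidden": is_hidden(a)})

def audit(html, page_url, allowed_hosts):
    """Return one finding per off-allowlist iframe in the given page source."""
    parser = IframeAudit(page_url, allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two expected frames, two the site owner never added.
SAMPLE_PAGE = """<html><body>
<h1>City services</h1>
<iframe src="/maps/embed.html" width="600" height="400"></iframe>
<iframe src="https://video.partner.example/player" width="640"></iframe>
<IFRAME SRC="http://injected.example/a.htm" WIDTH=0 HEIGHT=0></IFRAME>
<iframe src="//stats.unknown.example/c" style="Display: None"></iframe>
</body></html>"""
ALLOWED = {"www.city.example", "video.partner.example"}  # hypothetical allowlist

if __name__ == "__main__":
    for f in audit(SAMPLE_PAGE, "https://www.city.example/index.html", ALLOWED):
        print(f)
```

A finding with `hidden` set is the stronger signal, but any off-allowlist frame on a page that is not supposed to embed third-party content deserves a look.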