Combell Tech: look out for hackers via iframe injection

Hacking, injection, malware and other types of abuse aren’t new phenomena; every Internet user gets confronted to them fairly fast. Moreover, the methods that are used vary and evolve a great deal and, on top of that, they follow trends. Evolution is essential for hackers because they constantly have to outdistance service providers who want to limit the impact of the abuse.

Every hacking attempt now has a specific motive; the era during which prestige was the only motive in underground hacker circles has long since passed. Hackers use their actions to spread a certain message on a large scale. They can be political in nature, but can also serve a purely commercial purpose.

A new trend

The latest trend on the level of Internet-mediated abuse is the injection of iframes in the different files present in hosting packages. These iframes aren’t visible on the website but, in the background, they channel traffic to a given site. This is thus a well thought-out strategy to attract extra visitors to certain sites and, possibly, to gain extra income through Google AdWords.

This hacking method also has 2 supplementary motives:

    To infect your computer via code leakage in Adobe Acrobat
    To access your local passwords

Characteristics

It is fairly easy to recognize this type of abuse. In the source code of the hacked sites, you will always find an iframe of the following form:

Iframe injection

How does this get onto your hosting?

Research has proven that this method does not rest on bad security features: it is not the server or the network that is hacked, but certain accounts on a server. In the past, mostly websites with code leakage were targeted, but now strongly protected websites also fall prey to it.

Apparently, these hackers succeed to retrieve the FTP password of the hosting package in order to gain access. It goes without saying that, this way, the hackers hold the keys to the realm.

How do they get the FTP data?

The true root of the problem is not a hosting problem, but a problem on the computer of the victims. Apparently, the iframes refer you to pages on which tainted PDF files are offered. Through code leakage in Adobe Acrobat, the hackers succeed to place a sniffing tool on your computer, disguised as a seemingly innocent PDF.

On CVE-2008-2992, you can read that what is involved is in fact a “Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2”. The sniffer that gets installed in that fashion can forward your FTP password to the hackers in question without a problem, which provides them access to your package.

How can you protect yourself from this?

It is difficult for us, the host, to protect you from this type of hacking, since it is your local computer that gets infected. It is important that you replace Adobe Acrobat version 8.1.2 (or older) as quickly as possible and install the latest version immediately.

If you suspect iframe injection on your computer, you should at least undertake the following steps:
Use your virus scanner to neutralize the virus
After the virus has been removed, modify your FTP password as soon as possible
Remove the iframes from your source code

If your site has been blocked by Google, use their Webmaster Tool to be removed from their blacklist.
Customers who have a unique IP on their hosting can send us a request to enhance firewall stringency. Of course, this can only work if you use a fixed IP through your Internet provider. Thus, we will only allow FTP connections originating from your fixed IP and hackers cannot log into your hosting package. This does not prevent your local computer from being infected, though.

Conclusion

Through a combination of injection on the server and infection of your computer, a spiral effect is created that entraps more and more people. Our observations are that the Adobe Acrobat virus only sends through FTP data, but maybe the virus will evolve in the near future, causing even more damage.