IFRAME MALWARE is a brand of malicious code that exploits the inline frames of an HTML document. These elements make it possible to embed a web page inside another web page for “nested” browsing experiences. Although useful for keeping the sources of these documents separate, the page that loads the external content becomes exposed to any threats present on the other server.
Although it is possible to load a virus into your server or web hosting environment using the HTML <iframe> tag, there are, in fact, many legitimate business cases for using it. The most obvious is the ability to quickly embed outside functionality to enhance the user experience of your own web pages.
But iframe malware enables an attacker to modify these elements to meet their own requirements. Malicious scripts are injected when the content is embedded, which triggers the automatic downloading of web-hosted viruses. In extreme cases, the embedded content may even install a backdoor Trojan.
How Iframe Malware Works
It is important to realize that iframe malware can be triggered in both directions across a network. For the purposes of this definition, we will refer to these approaches as B to A and A to B.
In a B to A implementation, a computer (B) which hosts a resource compromises an external page (A) which embeds it. More puzzling, however, are A to B implementations in which scripts in the embedded page are exploited by the requesting server (A) to compromise the host computer’s environment (B).
B to A Implementation
This is the more common of the two approaches and involves a web page becoming infected with a resident Trojan. The Trojan then scans the page’s hosting environment for vulnerabilities; at one point, its target was almost always the Adobe Acrobat Reader application.
By coupling the HTML
A to B Implementation
Ironically, an A to B approach is described as “working in reverse.” Here, the requesting server uses a resource on the hosting computer as a conduit for carrying out an attack. Once the Trojan is installed onto the hosting computer, it, too, begins monitoring web activity.
This can lead to the leakage of usernames and passwords regardless of whether they are saved locally. The Trojan then uses the siphoned credentials, following its automated instructions, to access FTP accounts on the host computer. This, in turn, leads to the infection of important web pages such as default.html, index.html and the like.
Detection and Mitigation of IFrame Malware
Commonly known symptoms of computers infected with iframe malware are erratic and unexpected behavior when connected to the Internet, blue screen of death (BSoD) errors, sluggish performance, an influx of spam emails, and intermittent deletion of files and folders.
In addition to using an antivirus (AV) application made specifically for websites, another effective form of detection is manually scanning your web pages for the presence of <iframe> tags and accompanying scripts. This is usually an easy task for web administrators, who will know whether an <iframe> was used in a document to begin with.
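The manual scan described above can be automated. The following is an added example, not code from the original article: it parses a page, lists every <iframe> and external <script> that carries a src, and reports any whose host the administrator has not allowlisted, plus any frame that is sized or styled to be invisible (assumed here as a common sign of an injected embed). The sample page, the hostnames and the allowlist are constructed for the demonstration.

```python
"""Audit HTML for <iframe> / <script src> elements an administrator did not put there."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _EmbedFinder(HTMLParser):
    """Collects (tag, attributes) for every iframe or script that loads a src."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            a = dict(attrs)
            if a.get("src"):
                self.found.append((tag, a))


def _looks_hidden(attrs):
    """Zero/one-pixel frames, display:none, visibility:hidden or the hidden attribute."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    tiny = attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
    return tiny or "display:none" in style or "visibility:hidden" in style or "hidden" in attrs


def audit_html(html, allowed_hosts):
    """Return [(tag, src, reason)] for embeds the administrator did not expect.

    allowed_hosts: set of hostnames whose embeds are known and legitimate.
    A relative src (no host) is treated as a local resource and only reported
    when it is an iframe that is also hidden.
    """
    parser = _EmbedFinder()
    parser.feed(html)
    findings = []
    for tag, attrs in parser.found:
        src = attrs["src"]
        host = urlparse(src).hostname or ""  # "" for relative paths
        reasons = []
        if host and host not in allowed_hosts:
            reasons.append("unknown host")
        if tag == "iframe" and _looks_hidden(attrs):
            reasons.append("hidden frame")
        if reasons:
            findings.append((tag, src, ", ".join(reasons)))
    return findings


# Constructed sample page: one legitimate map embed, one local script, one injected frame.
SAMPLE_PAGE = """<html><body><h1>Store</h1>
<iframe src="https://maps.example.org/embed?id=42" width="600" height="400"></iframe>
<script src="/static/app.js"></script>
<iframe src="http://bad.example.net/x.html" width="1" height="1" style="display:none"></iframe>
</body></html>"""
ALLOWED_HOSTS = {"maps.example.org"}
```

Run `audit_html(SAMPLE_PAGE, ALLOWED_HOSTS)` over each served page; anything returned is an embed to investigate, and an empty list means every frame and script matches what the administrator knows to be there.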
Finally, temporarily taking your website offline and deleting any configuration that stores your FTP account password in the browser is another effective way to mitigate iframe malware. An even more effective solution is to access FTP only through FileZilla or other client software packages.