IFRAME injection attack and protection "multiple graphs" in PNG image metadata

We've been trying to keep up with the latest trends in the lead, and today we found a very interesting thing that either we didn't see or just happened. We can only say that this is a new discovery.

We all know about the IFRAME injection attack, right?

Understanding an IFRAME Injection

Today's IFRAME is a very standard HTML tag, and it's a simple way to embed other Web content in your own web page. Used by almost all browser support and millions of websites, using AdSense? Then there is an IFRAME in your website.

I know it's a good thing, but it's always a blessing.

Today's attack, especially when we talk about passing downloads, is preferred by using an IFRAME tag. It is simple and convenient, only simple property modification, the attacker can safely embed code from another site, and through the client's browser unknowingly loading.

Like this:

Attackers typically embed malicious files from other Web sites, usually a php file or similar form. Of course, this is not the only way, but it is the most common. From the point of view of detection and repair, this is often easy to fix.

New method of IFRAME injection

Today, however, we find an interesting type of IFRAME injection.

What's special about it is not what it embeds in the IFRAME tag, but how it distributes the malware. You will see that the attacker hides the threat in the PNG file.

I can almost hear a lot of your chuckle, PFF. This is not a new .... But the problem is in the details of my friend.

As follows, the IFRAME loads a valid file, nothing malicious, a JavaScript file called Jquery.js. It all looks good. You have to look carefully:

At first, many people would say we are stupid. These codes are good, don't see any problems, right? Then we noticed this little function, LoadFile (). The function itself is not strange, but in fact it is loaded with a png-var strfile = './dron.png. You'll be amazed by it, it's a real black hand.

Naturally, the next step is to be curious to open the Dron.png file. Is there anything terrible going to happen?

Oh, nothing, it's so boring, it's sheer waste of time.

But wait a minute, I find there's an interesting little loop here.

Well, it's really weird, it's a decoding loop. Why do I need a loop to decode the PNG file?

As an excellent researcher, take the easiest way I can load it onto a simple test page and extract the image content. Get!

After loading it on the test page, we obtained the strdata variable:

Do you see what it's doing?

It does an IFRAME injection and embeds it in the PNG metadata, like a new allocation mechanism.

There are two points to pay special attention to, it uses createelement to do an IFRAME tag, and then set the Elm.style.position.left and Elm.style.position.top properties of the value of -1000px, Place the IFRAME outside the viewable area. These values are negative and are not visible in the browser. But you know who can see it? Only browsers and Google can see it. This is a small trick to download drivers and search engine infection (SEP) attacks.

Finally, we found the real threat in the ELM.SRC element.

What's the use of being so unique?

It tries to hide the real threat level is unique. Today's antivirus software does not decode image metadata until the JavaScript file is loaded and stops scanning. Does not track cookie files, which is great for attackers, making them hard to spot.

Remember that while we're talking about PNG files here, these methods and concepts can also be applied to other types of images. It is important to keep an eye on your Web service status, understand what changes and unmodified files are available, and make sure that the vulnerabilities are not exploited.

Under normal circumstances, some new detection and troubleshooting needs a certain amount of time. Can our site malware scanners find it now? That's absolutely OK!