Mass infection of Websites

Drive-by downloads that use exploits to infect the visitors of a website are a very popular distribution method for malware authors. In the past few days we detected thousands of websites that are infected with a hidden, invisible iframe.

A search for similar iframe infections shows that Google currently lists about 47,300 hits.

The target server and script this iframe points to are currently offline, so the malware authors' injection scripts may be inactive at present. Some of the infected sites had more than one iframe injected into them, though: they were infected with three or more scripts, all of which point to Russian servers.
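The injection pattern described above (an iframe that is sized to zero or hidden by CSS and points at a host other than the site itself, sometimes injected more than once into the same page) can be flagged with a simple scanner. The following is an added example written for this page; it is not Avira's detection routine and not code from the original post. The sample page, the site hostname and the placeholder hosts (`injected.example`, `other-injected.example`) are constructed for the demo.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page for this example; it is not a real infected site.
# The last three iframes mimic the injection pattern: sized to zero or
# hidden via CSS, pointing at a host other than the site itself, and in one
# case injected twice into the same page.
SAMPLE_HTML = """<html><head><title>Shop</title></head><body>
<h1>Welcome</h1>
<iframe src="https://www.shop.example/help" width="400" height="300"></iframe>
<iframe src="http://injected.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
<iframe src="http://other-injected.example/x.php" style="visibility:hidden; display:none"></iframe>
<iframe src="http://injected.example/in.cgi?3" width="0" height="0" frameborder="0"></iframe>
</body></html>"""

SITE_HOST = "www.shop.example"  # assumed hostname of the site being scanned


def _parse_style(style):
    """Turn 'a: b; c: d' into {'a': 'b', 'c': 'd'}, lower-cased and stripped."""
    props = {}
    for decl in style.split(";"):
        if ":" in decl:
            name, value = decl.split(":", 1)
            props[name.strip().lower()] = value.strip().lower()
    return props


def _is_zero(value):
    """True for width/height values that render nothing, e.g. '0' or '0px'."""
    if value is None:
        return False
    try:
        return float(value.strip().lower().rstrip("px")) == 0
    except ValueError:
        return False


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def find_suspicious_iframes(html, site_host):
    """Return [(src, reasons)] for iframes that are both hidden and off-site.

    Hidden alone is common in legitimate pages and off-site alone is how
    ads and widgets are embedded; the combination is the injection pattern.
    """
    collector = IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        reasons = []
        if _is_zero(attrs.get("width")) or _is_zero(attrs.get("height")):
            reasons.append("zero-size")
        style = _parse_style(attrs.get("style", ""))
        if style.get("display") == "none":
            reasons.append("display:none")
        if style.get("visibility") == "hidden":
            reasons.append("visibility:hidden")
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or "").lower()
        hidden = bool(reasons)
        off_site = bool(host) and host != site_host.lower()
        if hidden and off_site:
            hits.append((src, reasons + ["off-site:" + host]))
    return hits


def count_by_src(hits):
    """How often each injected src occurs; >1 means the page was injected repeatedly."""
    return dict(Counter(src for src, _ in hits))


if __name__ == "__main__":
    found = find_suspicious_iframes(SAMPLE_HTML, SITE_HOST)
    for src, reasons in found:
        print(src, ", ".join(reasons))
    print(count_by_src(found))
```

Run against a saved copy of a page, the scanner reports the two placeholder hosts and shows the first one injected twice. Treat it as a triage aid rather than a verdict: obfuscated JavaScript that writes the iframe at runtime will not appear in the static HTML, and an off-site iframe that is merely hidden can still be a legitimate tracking pixel.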

This looks like a mass infection of websites built with a particular content management system (CMS). Such mass infections are usually carried out through SQL injection against security holes in the CMS: once a query can be manipulated, a single injected statement can append the iframe to every page stored in the database, which is what makes the attack scale. Website administrators should keep their CMS, its plug-ins and the underlying scripting languages such as PHP and Perl up to date so that known holes cannot be used for such mass injections. Updates only close published holes, however; the durable fix is in the application itself, which must pass user input to the database as bound parameters rather than pasting it into the SQL text.
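To show why one SQL injection hole in a CMS turns into a mass infection, here is an added example written for this page (a constructed toy, not code from any real CMS and not Avira's). It uses Python's sqlite3: a page-rename function that pastes user input into its UPDATE statement lets a single crafted title append a hidden iframe to the body of every stored page, while the parameterized version stores the same payload harmlessly as a literal title. The table layout, function names and the placeholder host `injected.example` are assumptions.

```python
import sqlite3

# Constructed for this example: a tiny "CMS" table and an injected iframe of the
# hidden, zero-size kind described in the post. The host is a placeholder.
INJECTED_IFRAME = ('<iframe src="http://injected.example/in.cgi?3" '
                   'width="0" height="0"></iframe>')

# One crafted "title": closes the string literal, adds a second SET clause that
# appends the iframe to every body, and comments out the WHERE id = ... clause.
PAYLOAD = "x', body = body || '%s' WHERE 1=1 --" % INJECTED_IFRAME


def make_cms():
    """In-memory pages table with five clean pages."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO pages VALUES (?, ?, ?)",
        [(i, "Page %d" % i, "<p>Content %d</p>" % i) for i in range(1, 6)],
    )
    db.commit()
    return db


def rename_page_vulnerable(db, page_id, title):
    """Vulnerable: the title is pasted into the statement text, so it can rewrite the query."""
    sql = "UPDATE pages SET title = '%s' WHERE id = %d" % (title, int(page_id))
    db.execute(sql)
    db.commit()


def rename_page_safe(db, page_id, title):
    """Fixed: the title travels as a bound parameter and is only ever a value."""
    db.execute("UPDATE pages SET title = ? WHERE id = ?", (title, int(page_id)))
    db.commit()


def infected_pages(db):
    """Number of pages whose body now carries an iframe."""
    row = db.execute("SELECT COUNT(*) FROM pages WHERE body LIKE ?", ("%<iframe%",)).fetchone()
    return row[0]


def run_demo():
    """Returns (infected pages after the vulnerable rename, after the safe rename)."""
    vuln_db = make_cms()
    rename_page_vulnerable(vuln_db, 3, PAYLOAD)  # meant to rename page 3 only
    safe_db = make_cms()
    rename_page_safe(safe_db, 3, PAYLOAD)
    return infected_pages(vuln_db), infected_pages(safe_db)


if __name__ == "__main__":
    print("infected pages (vulnerable, safe):", run_demo())
```

The vulnerable call infects all five pages from one request, which is the whole point of the attack: the attacker does not need to find each page, the database does the mass edit. With the parameterized statement the quote in the payload never reaches the SQL parser, so page 3 simply gets an odd-looking title and nothing else changes.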

The malware authors did not bother to track their infections properly, as the multiple injections of the same iframe into one page show.

Avira protects against such infected websites proactively: its anti-malware products detect them with a generic detection routine as HTML/Infected.WebPage.Gen2.

Thomas Wegele
Virus Researcher