Defence Against Iframes compromised Websites

Hi malware fighters,

Defence Against Iframes compromised Websites

Immediate action can be taken to prevent websites compromised with iframe code from executing the code within the iframes, by the following procedure:

In Internet Explorer navigate to: Tools - Internet Options - Security tab - Custom Level

Under Miscellaneous

Launching programs and files in an IFRAME - DISABLE

Navigate sub-frames across different domains - DISABLE

Defence against Hacking / Virus attacks in General

The defence for servers is to ensure FTP access is highly restricted, as well as maintaining up-to-date anti-virus, ModSecurity and secure permissions, as well as server script monitoring that flags any changes to site system files.

The defence for desktops is to ensure that good anti-virus and anti-malware software is installed, such as avast,

polonus

I have both of those set to Prompt as there may be occasions that it is a legitimate option/use

Hi malware fighters,

For Firefox consider this: http://techpaul.wordpress.com/2008/09/27/block-iframe-for-added-protection/
Webmasters read: http://eisabainyo.net/weblog/2009/04/06/iframe-injection-attack/
Webmasters could use this code to block


<SCRIPT>
var gCurrentURL = document.location.href;

// Function called by BODY onunload() event.
function onBodyUnload()
{
    // This prevents the URL change by resetting the
    // document.location.href property to the current URL.
    // This is where I would put the logic, if I knew how, to prevent the URL
    // change if an "untrusted" IFrame tried to change the top level URL.
    document.location.href = gCurrentURL;
}
</SCRIPT>

polonus
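For webmasters, the server-side monitoring mentioned in the first post and the frame-navigation concern in the post above can be combined into one check on the page source. This is an added example, not part of the original posts; the function names, host names and sample markup are constructed for illustration.

```javascript
// Added example: audit page source for iframes the webmaster did not place.
// SAMPLE_PAGE, the host names and the trusted list are constructed for illustration.
function parseAttrs(tag) {
  const attrs = {};
  // attribute name, optionally followed by ="value", ='value' or =value
  const re = /\s([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

function auditIframes(html, siteHost, trustedHosts = []) {
  const allowed = new Set([siteHost, ...trustedHosts].map(h => h.toLowerCase()));
  const tiny = v => v !== undefined && /^[01](px)?$/i.test(v.trim());
  const findings = [];
  for (const [tag] of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const a = parseAttrs(tag);
    let host = null;
    try {
      host = new URL(a.src || '', `https://${siteHost}/`).hostname.toLowerCase();
    } catch (e) { /* unparsable src: reported as off-site below */ }
    const style = (a.style || '').replace(/\s+/g, '').toLowerCase();
    const reasons = [];
    if (host === null || !allowed.has(host)) reasons.push('off-site');
    if (tiny(a.width) || tiny(a.height) || /display:none|visibility:hidden/.test(style)) {
      reasons.push('hidden');
    }
    // Without sandbox, or with allow-top-navigation*, the frame may redirect the top page.
    const tokens = 'sandbox' in a ? a.sandbox.toLowerCase().split(/\s+/) : null;
    if (reasons.includes('off-site') &&
        (tokens === null || tokens.some(t => t.startsWith('allow-top-navigation')))) {
      reasons.push('can-navigate-top');
    }
    if (reasons.length) findings.push({ src: a.src || '', host, reasons });
  }
  return findings;
}

const SAMPLE_PAGE = `
<iframe src="/widgets/news.html" width="300" height="200"></iframe>
<iframe src="https://video.partner.example/embed/1" width="560" sandbox="allow-scripts"></iframe>
<iframe src="http://stats.invalid/in.php" width=0 height=0 style="visibility: hidden"></iframe>
`;

console.log(auditIframes(SAMPLE_PAGE, 'www.shop.example', ['video.partner.example']));
```

Run against each template or generated page after deployment, any finding for a frame you did not add yourself is a reason to inspect the file and its modification time.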

Hi malware fighters,

The following is related: http://scriptasylum.com/tutorials/encdec/encode-decode.html
I give you an example of escape code:
First the code as everyone can interpret:

<script language="javascript">//initiate
var newButton = document.createElement('toolbarbutton');
newButton.id = 'save-button';
newButton.className = 'toolbarbutton-1';
newButton.tooltipText = 'Save Page As...';
newButton.style.listStyleImage = 'url(data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQBAMAAADt3eJSAAAAFXRFWHRDcmVhdGlvbiBUa
W1lAAfVCRIVOSsU8yxIAAAAB3RJTUUH1QkSFhMNftI4tAAAAAlwSFlzAAAK8AAACvABQqw0mAAAADBQT
FRFAACAgID%2FwMD%2F%2F8D%2FAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAVq6rZQAAAAR0Uk5T%2F%2F%2F%2FAEAqqfQAAAAwSURBVHjaYzCGAgYDBjBgZjAQUAICRhgDUwQ7QxCkWxDEAAOYCExKECvDGGYpzBkATF
IKlokMJsgAAAAASUVORK5CYII%3D)';
newButton.setAttribute('command', 'Browser:SavePage');

//place the new button
var homeButton = document.getElementById('home-button');
homeButton.parentNode.insertBefore(newButton, homeButton); //create Save This Page
//button on the left of
//Home button
</script>

Now here follows the escaped code:


As the above example is for a security code (nothing malicious there of course), one could imagine how this encoding technique could have been used for an Iframe injection attack. You can also follow some information here: http://www.softpanorama.org/Malware/Malicious_web/malicious_iframe_attack.shtml The link may be quite outdated, but the info is still valid for the larger part,

pol
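The escape encoding described in the post above can be reversed mechanically, which is how a webmaster can see what an unexplained block of `%XX` text in a page really contains. This is an added example, not part of the original post; the function names, the threshold of 8 escapes and the sample source are assumptions made for illustration.

```javascript
// Added example: find percent-escaped blobs in page source and show what they hide.
// SAMPLE_ESCAPED is a constructed, inert string; it decodes to "<iframe src=//stats.invalid>".
const SAMPLE_ESCAPED =
  '%3C%69%66%72%61%6D%65%20%73%72%63%3D%2F%2F%73%74%61%74%73%2E%69%6E%76%61%6C%69%64%3E';

// Peel off nested layers of escaping, up to maxLayers.
function decodeLayers(text, maxLayers = 5) {
  let current = text;
  let layers = 0;
  while (layers < maxLayers && /%[0-9a-fA-F]{2}/.test(current)) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (e) {
      next = unescape(current); // legacy escape() output that is not valid UTF-8
    }
    if (next === current) break;
    current = next;
    layers++;
  }
  return { decoded: current, layers };
}

// Report every token that carries at least minEscapes %XX sequences.
function scanEscaped(source, minEscapes = 8) {
  const hits = [];
  for (const token of source.split(/[\s"'<>()]+/)) {
    const escapes = (token.match(/%[0-9a-fA-F]{2}/g) || []).length;
    if (escapes < minEscapes) continue;
    const { decoded, layers } = decodeLayers(token);
    const tags = [...new Set((decoded.match(/<\s*(iframe|script|object|embed)\b/gi) || [])
      .map(t => t.replace(/[<\s]/g, '').toLowerCase()))];
    hits.push({ escapes, layers, tags, preview: decoded.slice(0, 60) });
  }
  return hits;
}

// Constructed page source: one ordinary encoded URL and one fully escaped blob.
const SAMPLE_SOURCE = [
  '<a href="/search?q=caf%C3%A9%20menu">menu</a>',
  '<script>var s = "' + SAMPLE_ESCAPED + '";</script>',
].join('\n');

console.log(scanEscaped(SAMPLE_SOURCE));
```

The ordinary link is ignored because it carries only three escapes, while the blob is reported with the tag names found after decoding.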

Looks like MS anticipated you, polonus. The defaults in IE7 on Windows XP SP3 are:

Launching programs and files in an IFRAME - Prompt
Navigate sub-frames across different domains - Disable

The defence for desktops...

I use the default security settings and run IE7 in Sandboxie.

Hi Alan Baxter,

Right there with the appropriate information, as always. Thanks, Alan, for summing it up, so all had better adjust their settings as you give them here,

Damian