Would you like an iframe, sir?

Michal Krejdl, 19 March 2010

Yesterday, when I was about to get something to eat, my attempt to check a menu online ended up with a warning about HTML:Iframe-LZ. Well, that's quite spicy content for a common daily offer. So, let's look at what's under the hood.

Starter: a piece of JavaScript at the end of the page - served in a nicely roasted layer of obfuscation, really delicious.

Main course: you can choose either a speciality of Chinese cuisine delivered by hxxp:// (it's fortunately down already) or a Russian shashlik that contains some popular ingredients (such as google, classmates or linkhelper) in the following order - hxxp:// 8080/ (also down already, but these two links belong to a Gumblar system).

Dessert: a nice little snippet to carry out the execution of all the malcode.

Anyone else hungry out there? :-)