iFrame attacks surge, security firm says

A flood of SQL injection attacks on Microsoft Internet Information Servers are leaving Web pages with malicious iFrames in them, and Panda Security is urging network managers to make sure their Web pages haven't been infected.

Panda says the number of infected Web pages spiked to 282,000 in the past day, and appears to be growing. Network managers can check to see whether their Web pages are infected with the iFrame code by looking for a specific code string in the source code of the Web page associated to an iFrame tag. The string is <script src=http://www.nihaorr1.com/1.js>, according to the security vendor.

If detected, this string should be eliminated immediately, says Panda, which adds that new strains of malicious code as yet unrecognized may be resident also. Panda is urging Web-site managers to check to see whether their Web pages are being manipulated and is offering a free scan at its Infected or Not? site.

"It appears to have started yesterday with these SQL injection attacks," says Ryan Sherstobitoff, Panda's chief corporate evangelist. There's ongoing research into the problem, the source of which may trace back into Eastern Europe or Russia, he says.

Neither Panda nor any other security firm Sherstobitoff is aware of has identified the exact vulnerability in IIS that is the attack route for injection of the malicious iFrame, although suspicions center on a vulnerability described in an April 17 Microsoft Security Advisory (951306) for which there is not yet a defined patch or other fix. 

Malicious iFrame attacks have seen widespread growth over the past several months. Attackers embed the iFrame code in Web pages to redirect victims to sites for purposes of fraud or other criminal conduct.