Iframe

Name

Iframe

Detection names

Sophos: Mal/Iframe-F, Mal/Iframe-W, Mal/Iframe-V
Kaspersky: Trojan-Downloader.HTML.IFrame.aes, Trojan.JS.Iframe.yf, Trojan-Downloader.JS.Iframe.chf
Avira: HTML/Infected.WebPage.Gen, JS/Crops.A, HTML/IFrame.gos.1
McAfee: JS/IFrame.gen, Exploit-IFrame
Trend Micro: HTML_CLICKR.SMB, HTML_AQUAR.RUI, Mal_Hifrm-3
Microsoft: Exploit:HTML/IframeRef.E, Trojan:JS/Redirector.HC, Exploit:HTML/IframeRef.V
Symantec: Trojan.Maliframe!html, Trojan.Malscript

Affected OS or software

Web browsers

Basic description

Iframe malware usually consists of a small addition to a legitimate webpage. The addition is usually invisible to the normal user of the page, in that it does not affect the visual appearance or layout of the modified webpage. Malicious iframes usually cause the web browser to load additional, malicious content. As such, they are used as the first step in the delivery chain for many different types of malware.

Related links

Hide and seek with site injections
Other iframe articles on Naked Security blog

Patches

None

Sophos technologies

Malicious iframes are delivered via web browsers, so the principal lines of defense against them are web filtering technologies such as those used in the Sophos Web Protection appliances and the web protection technology in Sophos Endpoint Protection.

Technical description

Iframes are a mechanism that allows for one webpage to be embedded within another. Online criminals can abuse this technology to embed their malicious pages within otherwise harmless websites.

The malicious iframes are usually configured to be unnoticed or invisible to the user of the site. This can be done in a number of ways, such as configuring the frame to be very small, using HTML style attributes to make the frame hidden, or positioning the iframe outside the normal viewing area of the site, for example far off to the right.

The malicious iframe may be added directly to the source code of the infected webpage or may be generated when the page is viewed using malicious scripts embedded in the page. The use of scripts rather than embedding the iframe directly allows attackers to obfuscate the changes they make to the infected page.
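The following is an added example, not Sophos code, of how a site owner could audit page source for the three hiding techniques described above: very small frames, frames hidden by style, and frames positioned outside the viewing area. It only sees iframes written directly into the HTML, not ones generated by script when the page is viewed; the pixel thresholds, function names and sample markup are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

TINY_PX = 2          # assumed threshold: a frame this small is not meant to be seen
OFFSCREEN_PX = 1000  # assumed threshold for "outside the normal viewing area"
# Constructed sample page: one ordinary embed and three hidden iframes.
SAMPLE = """<html><body>
<iframe src="https://video.example/embed/1" width="560" height="315"></iframe>
<iframe src="http://bad.example/a" width="1" height="1"></iframe>
<iframe src="http://bad.example/b" style="visibility:hidden"></iframe>
<iframe src="http://bad.example/c" style="position:absolute; left:-9999px"></iframe>
</body></html>"""

def _px(value):  # leading integer of an HTML/CSS length ("1", "-9999px"), or None
    m = re.match(r"\s*(-?\d+)", value or "")
    return int(m.group(1)) if m else None

def _style_map(style):  # inline style attribute -> {property: value}
    pairs = (d.split(":", 1) for d in (style or "").split(";") if ":" in d)
    return {k.strip().lower(): v.strip().lower() for k, v in pairs}

def hiding_reasons(attrs):  # which hiding techniques an iframe's attributes show
    a = {k.lower(): (v or "") for k, v in attrs}
    css = _style_map(a.get("style"))
    reasons = []
    for dim in ("width", "height"):
        size = _px(css.get(dim, a.get(dim)))  # inline style overrides the attribute
        if size is not None and size <= TINY_PX:
            reasons.append(f"tiny {dim}")
    if css.get("display") == "none" or css.get("visibility") == "hidden" or "hidden" in a:
        reasons.append("hidden by style")
    if css.get("position") in ("absolute", "fixed", "relative") and any(
            abs(_px(css.get(side)) or 0) >= OFFSCREEN_PX for side in ("left", "top")):
        reasons.append("positioned off-screen")
    return reasons

class IframeAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line number, src, reasons)
    def handle_starttag(self, tag, attrs):
        reasons = hiding_reasons(attrs) if tag == "iframe" else []
        if reasons:
            self.findings.append((self.getpos()[0], dict(attrs).get("src", ""), reasons))

def audit(html):  # findings for every iframe in the source that looks hidden
    auditor = IframeAuditor()
    auditor.feed(html)
    return auditor.findings
```

Calling `audit()` on a page's saved source returns the line number, `src` and reasons for each suspicious frame; a finding is a prompt to check whether the site owner put that frame there, since legitimate widgets also use hidden iframes.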

A malicious iframe is typically the first link in a chain of web-based scripts and redirections that takes the browser to a site controlled by attackers. The last site in the chain may contain an exploit kit such as Blackhole, which launches attacks against the browser or its plugins to deliver a malware payload.