CNET stops IFRAME site attacks - who's next?


Dancho Danchev, security expert, has uncovered more sites under IFRAME attack, although this time the sites in question have been quick to fix the vulnerabilities to protect their users.

Last week, security expert Dancho Danchev noticed that CNET sites were under IFRAME attack, in a follow-up to the story of ZDNet Asia also being affected. The CNET sites have now been secured.

So, what is an IFRAME? An IFRAME is an HTML 'Inline Frame', with a frame being described by the W3C this way:

"HTML frames allow authors to present documents in multiple views, which may be independent windows or subwindows. Multiple views offer designers a way to keep certain information visible, while other views are scrolled or replaced. For example, within the same window, one frame might display a static banner, a second a navigation menu, and a third the main document that can be scrolled through or replaced by navigating in the second frame."

In an IFRAME attack, a malicious IFRAME is injected into web pages. It usually redirects you to a third-party website that sends you exploits or drive-by downloads, examples of which can be seen further in this article.

In Danchev’s CNET IFRAME post, he noted that: “[An] IFRAME campaign [is] targeting several more CNET Networks' web properties besides ZDNet Asia, namely, TV.com, News.com and MySimon.com which I'll assess in this post.”

Danchev noted that: “In the time of posting this, no other CNET sites are involved in the campaign, including ZDNet's international sites such as, ZDNet India, ZDNet U.K, and ZDNet Australia, but the abovementioned ones. And so, we have three more sites part of CNET Networks' portfolio, getting injected with more IFRAMEs, abusing their search engine's local caching, and storing of any keyword feature, in a combination with a loadable IFRAME.”

Danchev continued that: “What has changed for the past 24 hours, despite that the now over 51,900 pages at zdnetasia.com continue to be indexed by search engines? The folks at ZDNet Asia have taken care of the IFRAME issue, so that such injection is no longer possible.”

Explaining what hackers from the Russian Business Network were trying to do through people caught by the IFRAME attack, Danchev said that: “However, the same IPs used in this IFRAME campaign, including two new domains introduced have been injected, and are loading at TV.com, News.com and MySimon.com, again pushing the rogue XP AntiVirus, the rogue Spyshredderscanner, as well as another fake codec MediaTubeCodec.exe, hosted and distributed under two new domains.”

Giving the malware names such as ‘XP AntiVirus’ and Spyshredderscanner, and presenting it as a codec, is a clear attempt by the ‘bad guys’ to fool unsuspecting users into believing that the new software they have loaded onto their computers is actually useful, when it is a clear scam.

In a follow-up article, Danchev notes that the sites owned by CNET have now been secured from the IFRAME attacks, saying: “More news coverage follows regarding the now fixed, injection of IFRAMEs at high page rank-ed sites owned by CNET Networks, in fact Symantec's Internet Threat Meter monitor for web activities rated it medium risk, and urged extra caution”.
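The following added example (not code from CNET, ZDNet Asia or Danchev) illustrates the search-keyword caching abuse described in the quotes above. It assumes the cached results page reflected the stored keyword without output encoding; the article does not describe the sites' actual code or fix. All function names and sample keywords are constructed.

```javascript
// Added example: function names, page layout and sample keywords are constructed.

// HTML-escape text for element content and quoted attribute values.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// "Before": the keyword is copied into the stored results page as markup.
function renderSearchPageUnsafe(keyword) {
  return `<h1>Results for ${keyword}</h1>` +
         `<input name="q" value="${keyword}">`;
}

// "After": the keyword is encoded, so the browser shows it as text.
function renderSearchPageSafe(keyword) {
  const k = escapeHtml(keyword);
  return `<h1>Results for ${k}</h1><input name="q" value="${k}">`;
}

// Audit helper: flag stored keywords that carry frame markup, including
// percent-encoded forms as they appear in logged query strings.
function findInjectedKeywords(storedKeywords) {
  const frameTag = /<\s*\/?\s*i?frame\b/i;
  return storedKeywords.filter((kw) => {
    let decoded = kw;
    try { decoded = decodeURIComponent(kw); } catch (e) { /* keep raw value */ }
    return frameTag.test(kw) || frameTag.test(decoded);
  });
}

// Constructed sample data; example.invalid is a reserved placeholder host.
const sampleKeywords = [
  'laptop reviews',
  '"><iframe src="http://example.invalid/"></iframe>',
  '%3CIFRAME%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22%3E',
  'iframe tutorial',
];

function demo() {
  const injected = sampleKeywords[1];
  return {
    unsafeHasFrame: /<iframe/i.test(renderSearchPageUnsafe(injected)),
    safeHasFrame: /<iframe/i.test(renderSearchPageSafe(injected)),
    flagged: findInjectedKeywords(sampleKeywords).length,
  };
}

console.log(demo());
```

The audit helper is useful for cleaning up keyword pages that were already stored and indexed before the encoding fix went in.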



