Trojan:JS/Iframe.BS

Trojan:JS/Iframe.BS is a detection for a trojan that redirects your browser to other sites. These sites may attempt to download and install malware onto your computer, often by exploiting software vulnerabilities.

Make sure you install all available updates for your computer to help prevent the downloading of additional malware. For more information on updating software, including Java, Adobe and Microsoft products, please see the Additional information section in this entry.

This trojan is a malicious JavaScript file that creates a hidden IFrame. The JavaScript file is embedded into compromised webpages, usually via SQL injection or through Blackhat search engine optimization (SEO) poisoning.

Installation

When you visit a website that contains Trojan:JS/Iframe.BS, your browser is redirected to another website that may download malware onto your computer. The malware could be any of the attacker's choice, and is typically downloaded onto your computer by exploiting software vulnerabilities.

Payload

Redirects webpages

In the wild, we have observed Trojan:JS/Iframe.BS redirecting to a large list of malicious URLs, including the following:

• hxxp://66.206.15.13/chairachieve/news.php
• hxxp://brisbanetaxagent.com.au/SpryAssets/i.php
• hxxp://ebook.yellowpages.vn/2012/template.php
• hxxp://fetucxo.ru/count27.php
• hxxp://filmfan.com.pl/magpierss/system.php
• hxxp://finanse.szczesliwa13.com.pl/instalator/news.php
• hxxp://fvzex80.info/in.cgi?7
• hxxp://gerasdertyetr.at.nr/main.php?page=71981a2402a78726
• hxxp://hartmann-design.net/filemanager/a.php
• hxxp://info.szczesliwa13.com.pl/obrazki/news.php
• hxxp://informacje.szczesliwa13.com.pl/ads/faq.php
• hxxp://komputer.szczesliwa13.com.pl/tmp/faq.php
• hxxp://kycufvy.ru/count26.php
• hxxp://motofan.net.pl/lightbox/state.php
• hxxp://pavilionatboxhill.com.au/temp2/capcha.php
• hxxp://szymonkoscielniak.com/Scripts/index.php
• hxxp://www.andreamartina.info/images/news.php
• hxxp://www.dreameronline.de/image_news/p.php
• hxxp://www.grezzagoequitazione.com/cgi-bin/b.php
• hxxp://www.prolococamigliano.it/modules/template.php
• hxxp://www.scuolaartedanza.net/wp-content/a.php
• hxxp://www.stefanocalo.it/J_1.5.22/c.php
• hxxp://yankeeyiddos.com/media/index.php

Additional information

Software vulnerabilities are fixed through the application of updates or patches from the software manufacturer.

The best way to protect your computer from exploits is to ensure that the versions of your software are up-to-date. Follow these links for more information on updating software that is commonly targeted by malware:

• Microsoft Malware Protection Center - Updating Software
• Java updates
• Adobe updates (Acrobat, Reader, Flash, Shockwave)
• Microsoft updates via the Microsoft Update tool (including Windows, Office, and Internet Explorer)

Analysis by Patrick Estavillo