This, ” IFrame exploit takes advantage of web site query caching. Web sites often cache the results of search queries that are run locally. These search results are forwarded to search engine providers (think Google or Yahoo), who use the information to generate their own search results. Hackers exploit the system by typing a query immediately followed by the text of an IFrame. This data (including the IFrame) is then passed to various search engines and displayed if a user searches for a relevant keyword. When the user visits an apparently legitimate document, the IFrame activates and attempts to complete whatever instructions it has been given.
The major advantage of an injected attack versus an embedded one is that an injected attack requires no direct access to a web site’s server backend. Instead, it takes advantage of the company’s SEO (Search Engine Optimization) practices and poisons the results that are fed back to web surfers. The first wave of injections targeted ZDNet Asia and torrentreactor.net. The attackers shifted away from these two domains quickly and branched out into other web sites. One key purpose of the attack was to advertise the rogue antivirus product developed by the RBN (Russian Business Network), XP Antivirus.
XP Antivirus is a cute piece of work. On the surface, it seems to be an ordinary anti-virus program, and it makes all the usual claims one would expect regarding its ability to keep a system clean and virus free. Once installed, however, XP Antivirus actually creates a set of registry keys that it will detect and flag as malware installations once a scan is run. The only way to remove these threats from the system, of course, is to buy the XP Antivirus software package. Additional IFrame were eventually added that pointed to downloads for Spyshredderscanner and MediaTubeCodec, both of which attempt to download additional malware into a system.
“Google acknowledged that this was a known attack vector, and confirmed that they are indeed working on ways to manipulate and “sanitize” links provided by them in an effort to minimize the effect of incidents such as XSS on indexed sites. They also share our opinion on the reality of XSS and its affects on web browsing: “Google recommends that sites fix their cross-site scripting vulnerabilities as a priority. These can be abused in a number of ways, including bad interactions with search engines. Google is helping by reaching out to affected organizations. In addition, Google has internal processes to block abuses when the situation warrants.“