The TAO of Automated Iframe Injectors - Building Drive-by Platforms For Fun and Profit

(This VB2016 reserve paper will be presented Thursday 6 October at 16:00 in the Small Talks room unless otherwise required on the main programme)

Automated iframe injectors are widely used by cybercriminals to infect hosting servers on a large scale. They are sold in the underground community as part of the Crimeware-as-a-Service (CaaS) model and can be acquired as standalone tools or as botnet components. They are used to conduct distributed drive-by download attacks against large sections of Internet users, and are used extensively to infect websites deployed using Content Management Systems (CMS) such as WordPress, cPanel, Plesk, etc. Botnet herders can also rent these tools as a service, selling access to compromised systems from which iframe injection attacks are launched against target servers. Iframe injectors have advanced the methods of infecting hosting servers by harnessing already compromised infrastructure as part of botnet operations, thereby potentially triggering chain infections. Botnets such as Citadel are designed to work in conjunction with automated iframe injectors.

This talk presents an empirical analysis of automated iframe injectors released on the underground market over the last few years, dissecting the design of real variants of these tools. Topics covered in this discussion will include:

  • How these tools are deployed by attackers to build drive-by platforms on the fly.
  • The techniques that can be adopted by researchers and analysts for building logic to detect anomalous traffic generated by these tools.
  • The source code related to multiple variants that will be released to the public for research purposes.
  • Iframe injectors such as NiFRamer, ZFramer, Iframe gateway, mod Infector, Northern Iframer, and others will also be covered during this talk.
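As an added example (not code from the talk or from any of the injector tools it names), the following is a defender-side check for the artifact these tools leave behind on a compromised site: an iframe that is invisible to the visitor but still loads an external page. It scans HTML for iframes that are hidden by CSS, collapsed to 1x1 or 0x0 pixels, or point at a host outside an allowlist, using only the Python standard library. The sample page, the heuristics and the allowlist are constructed assumptions for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample page (not from the talk): one legitimate embed plus three
# iframes of the kind an injector typically drops into a compromised page.
SAMPLE_HTML = """
<html><body>
<h1>Welcome</h1>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<iframe src="http://injected-example.test/in.php" width="1" height="1" frameborder="0"></iframe>
<div style="display:none"><iframe src="//second-injected.test/x.html"></iframe></div>
<iframe src="/local/frame.html" style="position:absolute; left:-9999px"></iframe>
</body></html>
"""

# CSS fragments that make an element invisible or push it far off-screen (assumed heuristics).
HIDDEN_CSS = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}", re.I
)


def _tiny(value):
    """True for width/height attributes of 0 or 1 pixel (with or without 'px')."""
    return re.fullmatch(r"\s*[01](?:px)?\s*", value or "") is not None


class IframeScanner(HTMLParser):
    """Collect iframes that are hidden, tiny, or point at a host outside the allowlist."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed_hosts = {h.lower() for h in allowed_hosts}
        self.stack = []      # (tag, is_hidden) for open elements, so hidden ancestors are inherited
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        hidden_here = bool(HIDDEN_CSS.search(a.get("style", "")))
        if tag != "iframe":
            self.stack.append((tag, hidden_here))
            return
        reasons = []
        if hidden_here:
            reasons.append("hidden via own style")
        if any(hidden for _, hidden in self.stack):
            reasons.append("inside hidden ancestor")
        if _tiny(a.get("width")) and _tiny(a.get("height")):
            reasons.append("1x1 or 0x0 size")
        src = a.get("src", "")
        host = urlparse(src).netloc.lower()  # '' for relative src; handles scheme-relative '//host'
        if host and host not in self.allowed_hosts:
            reasons.append(f"external host {host}")
        if reasons:
            self.findings.append({"src": src, "line": self.getpos()[0], "reasons": reasons})

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed and void elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break


def find_suspicious_iframes(html, allowed_hosts=()):
    """Return a list of {src, line, reasons} dicts for every iframe that trips a heuristic."""
    scanner = IframeScanner(allowed_hosts)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in find_suspicious_iframes(SAMPLE_HTML, allowed_hosts=["www.youtube.com"]):
        print(f"line {f['line']}: {f['src'] or '(no src)'} -> {', '.join(f['reasons'])}")
```

Run against the sample page with `www.youtube.com` allowlisted, the scanner reports the three injected frames and leaves the legitimate embed alone. In practice the allowlist comes from the site's known third-party embeds, and the scan is run over files on disk (or over a crawler's view of the served pages, since some injectors only emit the iframe for certain User-Agents or referrers) so that a newly appearing hit can be alerted on.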



Aditya K. Sood

Aditya K. Sood (Ph.D.) is the Director of Security and Cloud Threat Labs at Elastica, Blue Coat Systems. Dr Sood has research interests in malware automation and analysis, cloud and application security, secure software design and cybercrime. His work has been featured in several media outlets including Associated Press, Fox News, The Register, Guardian, Business Insider, Kaspersky Threatpost, CBC and others. He has been an active speaker at industry conferences and presented at BlackHat, DEFCON, HackInTheBox, RSA, Virus Bulletin, OWASP and many others. Dr Sood obtained his Ph.D. from Michigan State University in computer sciences. Dr Sood is also an author of Targeted Cyber Attacks, published by Syngress.