For at least nine months, the Darkleech malware is believed to have injected invisible iFrames that link to malicious web pages into thousands of web sites.



From The H:
Darkleech uses an Apache module to inject invisible iFrames into web pages; the iFrames link to malicious sites where visitors can potentially have their systems compromised using the Blackhole exploit kit. The Blackhole kit uses a number of exploits and generally targets security holes in Oracle's Java, Adobe Flash and Reader, and other popular plugins. There are, historically, plenty of these holes and many users run without up-to-date plugins. One recent study by WebSense estimated that only one in twenty browsers with Java installed has a current version.

Darkleech uses a very subtle approach to hijacking its victims; the iFrames are dynamically generated by an Apache module when an infected site is visited. Web administrators find this difficult to detect because the web site's own source code remains untouched. Certain IP addresses won't be injected with iFrames though, and will be blacklisted instead – visitors from security and hosting firms are ignored, as are recently attacked users, various browsers and bots, and those accessing via search from a number of search engines or sites.
  Darkleech infects scores of Apache servers
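
Because the injection described above leaves the site's files untouched, one way to look for it is to compare the HTML a server actually returns with the file on disk and flag iframes that exist only in the served copy. The following is an added example, not part of the quoted article; the function names, the "hidden" heuristics and the sample pages are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Heuristics (assumptions) for an iframe styled so a visitor would not see it.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)|"
    r"(?:left|top)\s*:\s*-\d{3,}", re.I)


class IframeCollector(HTMLParser):
    """Collects (src, looks_hidden) for every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        tiny = any(a.get(d, "").strip() in ("0", "1") for d in ("width", "height"))
        hidden = tiny or "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style", "")))
        self.frames.append((a.get("src", ""), hidden))


def iframes(html):
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    return parser.frames


def injected_iframes(on_disk_html, served_html):
    """Return iframes present in the served page but absent from the source file."""
    known = {src for src, _ in iframes(on_disk_html)}
    return [(src, hidden) for src, hidden in iframes(served_html) if src not in known]


# Constructed sample: the file on disk and a response captured from the server.
ON_DISK = ('<html><body><h1>Shop</h1><iframe src="https://maps.example.invalid/embed" '
           'width="600" height="400"></iframe></body></html>')
SERVED = ON_DISK.replace("</body>", '<iframe src="http://injected.example.invalid/x" '
                         'style="position:absolute;left:-1000px;width:1px;height:1px">'
                         '</iframe></body>')

if __name__ == "__main__":
    for src, hidden in injected_iframes(ON_DISK, SERVED):
        print(("HIDDEN  " if hidden else "visible ") + src)
```

Because the article notes that some visitors are never served the iframe, a clean comparison from a single client does not show that the server is clean.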