Legitimate code on websites and false positives

An exploit pack, better known as exploit kit, is a type of software developed with malicious purposes. It contains several known exploits targeting different applications and may contain as well zero days. The latter are specially appreciated, and make the exploit kit be very valuable and profitable in the underground market. It’s main aim is to infect victim machines in order to turn them into zombie computers -which operate as part of a botnet- or other malicious purposes. There is a high demand in the underground market for this kind of software which require almost not technical knowledge to be launched. Configuring it is not more difficult than a wordpress installation, and it can be managed through his web interface.

Example of an exploit kit panel showing infection stats by browser


However, just buying an exploit kit in the underground market and installing it is not enough to infect victims. One of the keys tasks to do is attracting traffic to the site hosting the exploit kit. This can be achieved with black hat SEO techniques, or directly injecting iframes and scripts tags in legitimante websites than have been compromised, pointing this way to the exploit kit web site by the technique known as drive-by download. Subsequently, the chances of a legitimate site being penalized by malware monitoring systems in browsers will be very high. But, what ‘s the purpose of all this information?

One of the features most commonly observed in the html code of this infected websites is the injection of iframe or script tags after the html close tag.


The standar for the script element says:

“The SCRIPT element places a script within a document. This element may appear any number of times in the HEAD or BODY of an HTML document.”

Finding a script or iframe element after the close html tag raises the alarm, and many URLs analysis engines will give high importance to this situation, leading even to false positives for legitimate websites. It has been proved that some well known sites keep this bad habit due to their own ignorance or because of third party widgets.

As long as you can, avoid this bad practice if you don’t want to have an unpleasant surprise.

Emilio Casbas
S21sec e-crime

Deja un comentario