
JS_IFRAME.HBA

By GoldSparrow in Trojans

The Sinowal Trojan is a deadly bootkit that can take over an entire computer system, remain completely undetected and steal its victims' banking and credit card information. The JS_IFRAME.HBA malicious script is part of a multi-component malware attack designed to install Sinowal on the victim's computer system. In March of 2012, there were a devastating number of cyber attacks in the Netherlands involving the JS_IFRAME.HBA malicious script. Hackers managed to compromise a popular Dutch website, nu.nl, one of the most popular sources of news for Dutch-speaking computer users. The JS_IFRAME.HBA malicious script creates a hidden, malicious iframe which can download malware from a compromised advertisement server or redirect a computer user to an attack website where several security vulnerabilities are exploited in an attempt to infect the victim's computer with the Sinowal bootkit.

JS_IFRAME.HBA refers to several malicious JavaScript scripts injected into this news website that try to take advantage of several known security vulnerabilities in Adobe Acrobat Reader, Adobe Flash and several of the most popular web browsers. By exploiting these known vulnerabilities, the JS_IFRAME.HBA malicious scripts install several malicious files on the victim's computer system which, in turn, install other malware, including the infamous Russian bootkit, Sinowal. Since the main point of these kinds of banking Trojan infections is to be as undetectable as possible, they often show no symptoms. Because of this, it is important that all computer users who have had recent contact with the nu.nl website run full, thorough scans of their computer systems with a reliable anti-malware tool. It is also important to ensure that your anti-malware scanner is fully updated as of March of 2012, so that it may be able to detect the JS_IFRAME.HBA malicious script before it attempts to install malware on your computer system.

An Overview of a JS_IFRAME.HBA Attack

The main problem with trying to obtain details on the JS_IFRAME.HBA malicious script is that it is extremely obfuscated, meaning that criminals have hidden the code so that it appears garbled to malware researchers attempting to analyze it. Another problem is that the JS_IFRAME.HBA malicious script is only one link in a chain of other malware, which also includes an exploit kit known as the Nuclear Pack of exploits, an installer for the Sinowal Trojan in the form of a Trojan dropper, and the Sinowal infection itself. Thankfully, PC security analysts report that the owners of nu.nl have announced that the problem on their end has been contained and the JS_IFRAME.HBA malicious script removed from their website.
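For site owners auditing their own pages, the hidden iframe described above can be looked for in a DOM snapshot saved after scripts have run, since an obfuscated script builds the frame at load time. The following is an added example, not code from the original article or from any vendor; the hiding heuristics, the names `HiddenIframeFinder` and `scan`, and all hosts in the sample are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed heuristics for "hidden": invisible via CSS, or sized 0-1 px.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?<![\w-])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)
TINY = re.compile(r"[01](?:px)?", re.I)

class HiddenIframeFinder(HTMLParser):
    """Collects (host, reasons) for hidden iframes loading third-party content."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        reasons = []
        if HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        if any(TINY.fullmatch(a.get(k, "").strip()) for k in ("width", "height")):
            reasons.append("tiny-size")
        if "hidden" in a:
            reasons.append("hidden-attr")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        first_party = host == self.page_host or host.endswith("." + self.page_host)
        if reasons and host and not first_party:
            self.findings.append((host, reasons))

def scan(html, page_host):
    finder = HiddenIframeFinder(page_host)
    finder.feed(html)
    return finder.findings

# Constructed sample snapshot; every host below is a placeholder.
SAMPLE = """
<iframe src="https://www.news.example/embed/video" width="640" height="360"></iframe>
<iframe src="//ads.partner.example/slot" width="300" height="250"></iframe>
<iframe src="http://cdn.injected.example/in.php" style="visibility:hidden;width:1px;height:1px"></iframe>
<iframe src="http://track.injected.example/go" width="0" height="0" frameborder="0"></iframe>
<iframe src="/local/helper.html" style="display:none"></iframe>
"""

if __name__ == "__main__":
    for host, reasons in scan(SAMPLE, "news.example"):
        print(host, reasons)
```

Visible third-party ad frames and hidden same-site frames are deliberately not reported, so each finding is a frame a visitor cannot see that loads content from another host.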
