About HTML:iframe-inf

By Stephen Byron Cooper

HTML iframe-inf is a malicious software program, or malware, that affects WordPress websites. This malware didn't have a name when it came out sometime in 2010, so it was named HTML iframe-inf by the Avast Anti-Virus system. It may also be called HTML:iframe-inf or HTML/iframe-inf.


HTML iframe-inf mainly infects WordPress websites. WordPress is a blogging tool and contains a standard directory structure and standard file names for each site that implements it. This identical structure enables HTML iframe-inf to automate its attacks, because it is guaranteed that the files it wants to alter are in the same place and have the same name on every site implementing WordPress.


Web pages are written in HTML, the Hypertext Markup Language, which dictates the layout of a page through a series of tags. Iframe is one of these tags. Web pages often contain content stored in many different files, and iframe enables the content of a different file to be inserted into the main body of a page. It marks out a box that acts as a window. In the page's own file, that box contains only the location of the file that holds its contents. When the Web page transfers to a Web browser, the browser reads the iframe instructions, fetches the file and inserts its contents. The source file for an iframe does not have to be from the same site. HTML iframe-inf displays pages from advertising sites in the body of WordPress sites.


None of the anti-virus companies have detailed the precise workings of the malware. However, affected WordPress users have reported on the malware's behavior in order to find solutions for removing it. The malware injects code into HTML files and PHP files in a WordPress site. Users report that even when they delete the infected files and upload new versions, the injected code returns. Users who change their FTP password and delete and re-install their FTP client report that this ends the infection. Overwriting the infected file rather than deleting and reloading it also seems to work. This implies that the malware is an automated process that uses FTP to log in to a list of sites and re-install its versions of the files. It also shows that the first phase of the malware acquires the FTP password for the website.


A WordPress implementation creates files with specific names and the blog owner cannot change these names. Therefore, the site will always be vulnerable to this malware. The files it injects code into are: index.php and wp-config.php in the root directory; index.php in the wp-admin directory; index.php in the wp-contents\yourtheme\ directory; and default-filters.php in the wp-includes directory. A policy that regularly changes the FTP password for the site will also help reduce the possibility of infection.
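
A check a site owner could run over the files listed above, as an added example that is not from the original article: it reports iframe tags whose source is on a different host than the site. The theme path `wp-content/themes/*/`, the host name `blog.example` and the sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Files the article lists as injection targets. The theme path assumes the
# standard WordPress layout wp-content/themes/<theme>/ (an assumption here).
TARGETS = ["index.php", "wp-config.php", "wp-admin/index.php",
           "wp-content/themes/*/index.php", "wp-includes/default-filters.php"]

# Captures the src value of an iframe tag, quoted or unquoted, any letter case.
IFRAME_SRC = re.compile(r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)

def offsite_iframes(text, site_host):
    """Return iframe src URLs in text that point at a host other than the site."""
    hits = []
    for src in IFRAME_SRC.findall(text):
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        if host and host != site_host and not host.endswith("." + site_host):
            hits.append(src)
    return hits

def scan_site(root, site_host):
    """Map each listed file found under root to its off-site iframe URLs."""
    root, findings = Path(root), {}
    for pattern in TARGETS:
        for path in sorted(root.glob(pattern)):
            text = path.read_text(encoding="utf-8", errors="replace")
            hits = offsite_iframes(text, site_host.lower())
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings

def demo():
    """Scan a constructed sample tree (made-up contents, not real samples)."""
    samples = {
        "index.php": '<?php /* clean */ ?><iframe src="/about.html"></iframe>',
        "wp-admin/index.php": '<iframe src="http://ads.example/p" width=1></iframe>',
        "wp-content/themes/mytheme/index.php": "<IFRAME SRC=//ads.example/q></IFRAME>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            (Path(tmp) / name).parent.mkdir(parents=True, exist_ok=True)
            (Path(tmp) / name).write_text(body, encoding="utf-8")
        return scan_site(tmp, "blog.example")

if __name__ == "__main__":
    print(demo())
```

The scan flags only literal iframe tags. Because the malware's exact injected code is not documented, a clean result does not rule out other injected content in these files.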