Malware injected into legitimate JavaScript code on legitimate websites

As recently mentioned in the Sophos Security Threat Report, 80% of the websites where we detect malicious content are innocent sites that have been hacked.

A trend that we have observed is that hackers will insert their malicious code into legitimate JavaScript (not to be mixed up with Java!) hosted on the website.

The JavaScript is automatically loaded by the HTML webpages and inherits the reputation of the main site and the legitimate JavaScript.

In other words, if a user’s anti-virus software did display an alert about malicious content, it might be shrugged off as a false positive and blamed on an unreliable detection of a legitimate piece of JavaScript code.

Recently SophosLabs has seen a flurry of detections of Troj/Iframe-JG on legitimate websites, including:

  • Primary School websites in England
  • Small community websites in Italy
  • A nightclub website in London
  • The website of an East African nation’s TV company
  • The website of a trade association of Financial Advisors in the US

One affected website that I tried to contact was that belonging to the headphone manufacturers Fanny Wang.

Fanny Wang website

Unfortunately the company never responded to messages I posted via their site, and the listed Whois contact email address gave me an error.

Here is a sneak peek into what the SophosLabs web-malware analysis systems see when we examine the Fanny Wang website.

Analysis of Fanny Wang website

The expert web-malware analysis systems inside SophosLabs don’t just scan content with public-facing detection routines (Troj/Iframe-JG), but also with technology reserved purely for our researchers. This explains the Guru/Iframe-I detection, which you won’t ever see outside of our labs.

The actual malicious code should be easily spotted (and cleaned) by the web developer, as the fake Twitter iframe has been inserted at the start of some legitimate jQuery code.

Inserted code

SophosLabs has yet to hear back from the other organisations that we have informed about this attack, so it is not yet clear how the code injection was perpetrated.

The fact that the jQuery version used in the above example, 1.2.6, dates from 2008, while the current release is version 2.0.0, suggests that the site may not have been patched or updated for quite some time.

Clearly it’s essential for websites to be properly defended, or they will continue to fall victim to attacks such as this.

One of the key things that anyone – whether as an individual or working on behalf of a company – needs to consider when setting up a website, is how to choose a good hosting provider from the security point-of-view.

Update: Although Fanny Wang appears to have cleaned up parts of its website, its pages continue to carry active malicious code. If you’re going to pay the site a visit, it’s probably worth ensuring you have some sort of real-time web protection running on your PC or in your browser.

Website script image from Shutterstock.