Malware injected into legitimate JavaScript code on legitimate websites


As recently mentioned in the Sophos Security Threat Report, 80% of the websites where we detect malicious content are innocent sites that have been hacked.

A trend that we have observed is that hackers will insert their malicious code into legitimate JavaScript (not to be mixed up with Java!) hosted on the website.

The JavaScript is automatically loaded by the HTML webpages and inherits the reputation of the main site and the legitimate JavaScript.

In other words, if a user's anti-virus software did display an alert about malicious content, it might be shrugged off as a false positive and blamed on an unreliable detection of a legitimate piece of JavaScript code.

Recently SophosLabs has seen a flurry of detections of Troj/Iframe-JG on legitimate websites, including:

  • Primary School websites in England
  • Small community websites in Italy
  • A nightclub website in London
  • The website of an East African nation's TV company
  • The website of trade association of Financial Advisors in the US

One affected website that I tried to contact was that belonging to the headphone manufacturers Fanny Wang.

Fanny Wang website

Unfortunately the company never responded to messages I posted via their site, and the listed Whois contact email address gave me an error.

Here is a sneak peek into what the SophosLabs web-malware analysis systems see when we examine the Fanny Wang website.

Analysis of Fanny Wang website

The expert web-malware analysis systems inside SophosLabs don't just scan content with public-facing detection routines (Troj/Iframe-JG), but also technology purely for the use of our researchers. This explains the Guru/Iframe-I detection, which you won't ever see outside of our labs.

The actual malicious code should be easily spotted (and cleaned) by the web developer, as the fake Twitter iFrame has been inserted at the start of some legitimate jQuery code.

Inserted code
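One way a site owner could spot this kind of tampering, shown as an added example that is not from the original article or from SophosLabs tooling: compare each deployed script with a known-good copy and report anything placed in front of it. The library text, the placeholder URL and the function names are all constructed for illustration.

```python
import hashlib
import re

# Constructed stand-in for a pristine vendor library file (not real jQuery source).
KNOWN_GOOD = (
    "/*! example-lib v1.0 (constructed sample) */\n"
    "(function () { window.exampleLib = { version: '1.0' }; })();\n"
)

# Constructed tampered copy: one iframe-writing statement prepended to the file.
# The host uses the reserved .invalid TLD, so it resolves nowhere.
TAMPERED = (
    "document.write('<iframe src=\"http://placeholder.invalid/\"></iframe>');\n"
    + KNOWN_GOOD
)

# Markup or DOM calls that create an iframe; neither belongs in a vendor library
# unless the known-good copy already has it.
IFRAME_MARKERS = [
    re.compile(r"<\s*iframe\b", re.IGNORECASE),
    re.compile(r"createElement\(\s*['\"]iframe['\"]\s*\)", re.IGNORECASE),
]


def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def audit_script(current, baseline):
    """Compare a deployed script with its known-good copy and describe any change."""
    report = {"modified": sha256_hex(current) != sha256_hex(baseline),
              "prepended": "", "appended": "", "iframe_lines": []}
    if not report["modified"]:
        return report
    # Injection at the start of the file leaves the original as an exact suffix.
    if current.endswith(baseline):
        report["prepended"] = current[: len(current) - len(baseline)]
    elif current.startswith(baseline):
        report["appended"] = current[len(baseline):]
    # Flag only iframe-creating lines that the known-good copy does not contain.
    known_lines = set(baseline.splitlines())
    for number, line in enumerate(current.splitlines(), start=1):
        if line not in known_lines and any(p.search(line) for p in IFRAME_MARKERS):
            report["iframe_lines"].append(number)
    return report
```

In practice the baseline would be the vendor's release file or the copy held in the site's revision-control history.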

SophosLabs has yet to hear back from the other organisations that we have informed about this attack, so it is not yet clear how the code injection was perpetrated.

The jQuery version being used in the above example, version 1.2.6, dates from 2008. The fact that the current release is version 2.0.0 suggests that the site may not have been patched or updated for quite some time.

Clearly it's essential for websites to be properly defended, or they will continue to fall victim to attacks such as this.

One of the key things that anyone - whether as an individual or working on behalf of a company - needs to consider when setting up a website, is how to choose a good hosting provider from the security point-of-view.

Update: Although Fanny Wang appears to have cleaned up parts of its website, its pages continue to carry active malicious code. If you're going to pay the site a visit, it's probably worth ensuring you have some sort of real-time web protection running on your PC or in your browser.

Website script image from Shutterstock.


18 Responses to Malware injected into legitimate JavaScript code on legitimate websites

  1. guest · 965 days ago

    How can users avoid getting hit by these? Is uninstalling Java from the Programs control panel in Windows sufficient or is there something else that should be done?

    • Repeat after me:

      Java is not JavaScript. Two quite different things!


    • Ryan · 965 days ago

      Like the article says (perhaps edited in after your comment), Java and JavaScript are not the same thing. JavaScript is parsed and executed by your browser. You can disable JavaScript in most browsers, but that will make A LOT of the Internet inaccessible or unusable.

    • JohnJ · 965 days ago

      These are exploits using JavaScript, not Java, so disabling Java in your browser won't help WRT these problems. That said, disabling Java in the browser is a good idea (along with any other unneeded plugins).

      You can disable JavaScript in your browser's settings, but I imagine you'll find the web surfing experience to be lacking without it.

      (Yeah, having JavaScript & Java be so similarly named is confusing, especially since both are technologies commonly used in browsers)

    • Alex B · 965 days ago

      As it says early in the article, this is to do with "JavaScript (not to be mixed up with Java!)"

      This explains the difference;

      Now while that item says that Java is the risky bit of software and there's no need to disable JavaScript, this exploit suggests it may be just as wise to disable JavaScript too!

      Doing so will likely harm your whole browsing experience though.

      In Internet Explorer it is disabled from the Security tab of Internet Options.
      On the Security Tab click on the button "Custom level…" this opens a settings dialog.
      Scroll down to the Scripting Section
      The first choice is "Active Scripting".
      Click on the "Disable" radio button.
      Click OK until all dialogs are closed.
      Now you have JavaScript disabled, you'll probably be asked to close and reopen the browser to activate that change.

      Lots of good guides online on how to disable JavaScript in other browsers.

  2. artfrankmiami · 965 days ago

    would the file by that name just be sitting in my webpage directory somewhere?

    • It's being injected into existing .js files; the best thing to do is run revision control over your webpage directory and see if there are changes that have been made. If you have no revision control/backup review mechanism for your web page, it would be a good idea to implement it.

  3. I've been noticing this happen on a lot of legitimate sites lately and I'm very curious as to how they're getting infected. I also tried to contact the webmasters and email listed in WHOIS data, but nobody replies. I end up reporting it to malwaredomainlist and other similar sites.

  4. Guest · 965 days ago

    I don't think uninstalling Java will do anything as JavaScript and Java are different languages. The best thing you could do is make sure you have anti virus and keep it up to date along with all other software.

    P.S. If anyone thinks I have said anything incorrect please let me know as I study computer science in my spare time away from school.
    I think this is a good sophos video showing this sort of attack

  5. BobM · 965 days ago

    Does Noscript pick up this malware?

    • NoScript allows white-listing JavaScript on a site-by-site basis; since this is loading on what is likely a white-listed site, it won't block it that way.

      NoScript also blocks against cross-site-scripting and other similar attacks -- which are not done here. It's possible that such an attack may run afoul of NoScript's click-jacking protection, but there is no requirement that it does -- the issue here is that malicious JavaScript /of some sort/ has been injected into legitimate pages.

      NoScript is unlikely to catch all possible variants, especially if the attacker has pre-tested the scripts against it.

      • galo · 964 days ago

        NoScript would prevent execution of any script coming from the content of that iframe, if originating from some other domain. So, it is really a shame that author of this article CUT out significant part of screen grab of injected code, preventing readers from understanding what is exactly going on there.

  6. Juan · 965 days ago

    Although I believe when using Windows I don't remember ever get hit by malware - I just login to play my Starcraft 2 hehehehe BUT - have to keep updated a registry monitor, AV, Spybot, SpywareBlaster, Firefox with NoScripts, DiskImaging soft, FreezeThis-Screw-That- u got it?... a lot of work. I always prefer boot on my Linux machine/partition or use my Live-CD/USB

    But the problem here is "trust". Do you "trust" that website enough to enter your private info? Does that site have a "vulnerability scan" service/seal? Does that website have "all pages SSL"?

  7. Patrick · 964 days ago

    They should have "patched" jQuery .. Yeah that would have changed a lot!!!!

    I regularly read your blog but this was by far the worst article I ever read on malware iframes etc. It isn't even news that corrupted websites are embedded with malware in this way...

  8. Trent · 964 days ago

    Good morning

    I have a question. The article mentions "Troj/Iframe-JG", I have I.E. 9 set to "Protected Mode" & I was curious if I have I.E. already have set "Launch Programs & Files in an IFrame" to "Prompt", as long as I select no, would this setting protect me or "Disable"?

    Sorry folks but I'm older, and don't really understand how to set up this pc so these "drive-by" attacks don't infect it.

    I'd appreciate any help on this matter.

    P.S. I do have the latest Firefox installed but don't use it much. Is Firefox able to stop these drive-by attacks? Also, I don't have Java installed although I know this article is JavaScript which is not the same.

    Thanks again.

  9. Now somebody mentioned using a source control system over your web site. I am going to be running a web site based on Sueetie and hosting it myself, so do you guys recommend that I run Mercurial on the server or something and then look for changes to files?

  10. Lacy · 964 days ago

    What is the nature of these attacks? What are they loading? iFrames? Are they attempting to execute system code? What is the present danger? Are they perhaps phishing for account details, such as login credentials and reporting to an external site?

  11. David Spector · 907 days ago

    The root problem here is not with JavaScript. If spammers, and malware and virus makers and users were made illegal, and fined on conviction, and the fines used to pay victims, spam, malware and viruses would wither and die. The solution is not to restrict useful technology, but to make irritating use of it not pay.

    David Spector


About the author

Paul O Baccas (aka pob) joined Sophos in 1997 after studying Engineering Science at Oxford University. After nearly 16 years, he has left Sophos to pastures new and will be writing as an independent malware researcher. Paul has: published several papers, presented at several Virus Bulletins and was a technical editor for "AVIEN Malware Defense Guide". He has contributed to Virus Bulletin and is a frequent contributor to the NakedSecurity blog.