Malware injected into legitimate JavaScript code on legitimate websites - seminatore
http://nakedsecurity.sophos.com/2013/02/13/malware-javascript/

======
masswerk
The article is more confusing than informative. JS is not the vector of
attack. The server must have been attacked and compromised by other means and
code must have been inserted into any of the files or templates served. Also,
JS engines are quite safe by now, so the script could be used to track user
activities on the affected page, but would probably not compromise the user's
machine. (Also it could be used to inject any content exploiting a known or
zero-day exploit of a plug-in like Reader, Flash Player, or Java, but this
wouldn't be genuine to JS, but rather to any type of server-side injection.)

------
brokentone
There is nothing new or relevant about this post, and it is terribly explained
(was the distinction between JS and Java really necessary?)

I've dealt with these a number of times in the past. Generally they involve a
frontend exploit as described, but also a backend backdoor, so that even if
the exploit is removed, they can reinfect. Both sets of code are often
obfuscated then eval'd to run. Two stories:

1. I worked with a custom CMS infection once where someone infected every
single PHP file with a combo frontend exploit + backdoor, just by checking to
see if the function was already defined, then defining it if not.

2. With WordPress, someone included some relatively benign code that looked to
be doing thumbnail manipulation, but it was actually reading malicious code out
of a .ico file and evaling it. Took a while to find.
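
A defender-side indicator scan, added here as an example and not code from the thread or from any project it mentions: it runs a few heuristic rules over constructed PHP and JS sources that mimic the two patterns described above (a backdoor defined only if a function_exists() check fails, and a payload read from a .ico file before being eval'd), plus the generic "eval() of decoded data" idiom. The file paths, rule names and sample payloads are all constructed for the example; the payloads are harmless placeholders.

```python
"""Heuristic scan for obfuscated eval-based injection/backdoor patterns.

Added example, not from the thread. Regexes are heuristics tuned to the
idioms described in the comment above; a hit is a lead for manual review,
not proof of compromise, and variants using other decoders will be missed.
"""
import re
from typing import Dict, List

# Constructed sample files (paths and contents are illustrative).
# Payloads are harmless: base64 of `echo "hi";` and unescape of "document".
SAMPLES: Dict[str, str] = {
    "wp-content/themes/x/functions.php": (
        "<?php\n"
        "function theme_setup() { add_theme_support('post-thumbnails'); }\n"
    ),
    # Backdoor guarded by function_exists(): defined only if not already present.
    "wp-content/themes/x/header.php": (
        "<?php\n"
        "if (!function_exists('wp_thumb_cache')) {\n"
        "    function wp_thumb_cache($d) { eval(base64_decode($d)); }\n"
        "}\n"
        "wp_thumb_cache('ZWNobyAiaGkiOw==');\n"
    ),
    # "Thumbnail" code that really reads a payload out of a .ico file.
    "wp-content/plugins/thumbs/thumbs.php": (
        "<?php\n"
        "$img = file_get_contents(dirname(__FILE__) . '/images/favicon.ico');\n"
        "eval(gzinflate(substr($img, 22)));\n"
    ),
    # Obfuscated JS appended to a legitimate-looking script.
    "assets/js/jquery.min.js": (
        "eval(unescape('%64%6f%63%75%6d%65%6e%74'));\n"
    ),
}

# (rule name, regex, flags): all heuristics, all constructed for this example.
RULES = [
    # eval() fed directly by a decoder/decompressor: classic obfuscation.
    ("eval-of-decoded-data",
     r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|unescape|atob)\s*\(",
     re.I),
    # function_exists() guard whose following function body calls eval():
    # the "define it only if not already defined" re-infection idiom.
    ("guarded-function-definition-with-eval",
     r"function_exists\s*\([^}]*?\bfunction\b[^}]*?\beval\s*\(",
     re.I),
    # A non-code asset read from disk; only reported when eval() is also present.
    ("eval-in-file-reading-binary-asset",
     r"file_get_contents\s*\(.*?\.(?:ico|png|jpe?g|gif|txt)\b",
     re.I),
]
ASSET_RULE = "eval-in-file-reading-binary-asset"
EVAL_RE = re.compile(r"\beval\s*\(", re.I)


def scan_source(src: str) -> List[str]:
    """Return the names of the rules that fire on one file's source text."""
    hits: List[str] = []
    for name, pattern, flags in RULES:
        if not re.search(pattern, src, flags):
            continue
        # Reading an .ico on its own is normal theme code; it is only
        # suspicious when the same file also calls eval().
        if name == ASSET_RULE and not EVAL_RE.search(src):
            continue
        hits.append(name)
    return hits


def scan_tree(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {path: source} mapping; only files with findings are returned."""
    report: Dict[str, List[str]] = {}
    for path, src in files.items():
        hits = scan_source(src)
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for path, hits in scan_tree(SAMPLES).items():
        print(f"{path}: {', '.join(hits)}")
```

Because the backdoor lives in a separate file from the frontend injection, a scan like this is only useful when run over the whole document root (and the templates, uploads and asset directories), not just the page that showed symptoms; the comment's point is that cleaning the visible injection alone leaves the re-infection path in place.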

------
0x0
The article mentions the email listed in WHOIS gave an error. Isn't there some
kind of rule that WHOIS contact information must be accurate? Would it be
useful to consider trying to get the domain pulled - that would certainly get
the attention, no? And perhaps set a precedent for others keeping the
information current, too.

~~~
k3n
Possibly, but there's also a physical address listed on the WHOIS record, and
if that is the actual address of the contact then it'd probably be tough to
move forward on those grounds.

But this is kind of getting into the entire CISPA issue: who, if anyone, has
the right to take a site offline? How are they empowered (elected/appointed,
federal/international, etc.)? What types of sites, if any, should be taken
down? On what grounds and under which due process?

Using this scenario as an example would be scary; Sophos, a for-profit
corporation, is saying that some other company has some threat of unspecified
impact. I'm not saying that Sophos would do anything malicious, but I do think
there could arise conflicts of interest when you consider their products.

------
ChuckMcM
This isn't surprising: the #1 search we get at Blekko by robot (aka
programmatic) sources is to find pages with unpatched Javascript or PHP bugs.

------
meaty
I've seen this before on a couple of shared web hosts. There was previously a
multi-language (javascript and php) worm which did the rounds through a few
things a while ago. It put me right off using shared hosting.

------
k3n
Title is inaccurate and exceedingly sensational, and the article reads like it
was written by a member of Sophos' sales team.