

More Fake jQuery sites - davedd
http://labs.sucuri.net/?note=2012-11-22

======
Hopka
I wonder how the links to these fake sites are injected into the infected
sites in the first place. Is it through some other vulnerability and the fake
sites are mainly needed to make the hack less obvious for a human auditing the
code?

Or do they hope that somebody finds the fake jQuery site on Google or through
a typo in the URL and then includes their fake JavaScript file instead? That
seems unlikely to me.

------
pav3l
>We keep seeing fake jQuery sites popping up and being used to distribute
malware.

Anyone has more info? What kind of malware? I'm assuming client side? Any
0-days? Unsurprisingly, both websites are blocked at where I am.

~~~
leoedin
I think the particularly interesting thing about this isn't the malware in
question, but the vector they're using to distribute it. Almost every HTML
page written in the last 5 years has jquery included somewhere, and so they're
clearly trying to provide a redirection (or script-injection) vector which
would pass a glance over the site code. If you run a website and have a breach
it's worth being aware of during the code inspection you'd have to make.
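
A small audit helper, added here as an example (it is not code from the Sucuri note or from anyone in this thread), of the kind of check leoedin describes: list every external `<script src>` and flag hosts that resemble `jquery` but are not on an allow-list of hosts known to serve it. The allow-list and the sample HTML are assumptions constructed for the example; the look-alike domains in the sample are the ones named in the note and in this thread.

```python
"""Flag <script src> tags that point at jQuery look-alike hosts.

Added example, not code from the Sucuri post or the HN thread: a small
audit helper a site owner could run over their own HTML after a breach.
The allow-list of legitimate jQuery hosts is an assumption made here;
extend it with whatever CDN your site actually uses.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed allow-list of hosts that legitimately serve jQuery.
TRUSTED_JQUERY_HOSTS = {
    "code.jquery.com",
    "ajax.googleapis.com",
    "cdnjs.cloudflare.com",
    "ajax.aspnetcdn.com",
}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.sources.append(value)


def edit_distance(a, b):
    """Levenshtein distance, used to catch typo-squats such as 'jqueery'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_jquery_host(host):
    """True if any DNS label of host resembles 'jquery' (jqueryc, jqueery, ...)."""
    for label in host.split("."):
        if "jquery" in label or edit_distance(label, "jquery") <= 2:
            return True
    return False


def find_suspicious_script_sources(html, trusted=TRUSTED_JQUERY_HOSTS):
    """Return (src, host) pairs whose host looks like jQuery but is not trusted."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    flagged = []
    for src in collector.sources:
        # Protocol-relative URLs (//host/path) need a scheme before urlparse sees the host.
        url = "https:" + src if src.startswith("//") else src
        host = (urlparse(url).hostname or "").lower()
        if not host:
            continue  # relative path: the script is served by the site itself
        if host in trusted:
            continue
        if looks_like_jquery_host(host):
            flagged.append((src, host))
    return flagged


# Constructed sample page: two legitimate CDN includes, one local copy, and
# three includes from the look-alike domains mentioned in the thread.
SAMPLE_HTML = """
<html><head>
<script src="https://code.jquery.com/jquery-1.8.3.min.js"></script>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/js/jquery.min.js"></script>
<script src="http://www.jqueryc.com/jquery.js"></script>
<script src="http://jqueery.com/jquery-latest.js"></script>
<script src="http://jquery.it/jquery.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, host in find_suspicious_script_sources(SAMPLE_HTML):
        print(f"suspicious jQuery-like host {host}: {src}")
```

Run it over the HTML your server actually emits (templates, cached pages, theme files) rather than over the source you think you deployed, since the injected tag is what a visitor receives. Anything flagged is a lead to verify, not proof of compromise; a legitimate mirror you forgot to allow-list will show up too.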

------
VMG
Previously, jquery.it: <http://news.ycombinator.com/item?id=2734138>

------
leeoniya
a funny one: <http://jqueery.com> - click around :D

~~~
hfsktr
I thank you very very much for that. Whenever I feel down I know where to get
a laugh. The song just makes it better.

------
Zirro
"window.top.location.href = "httx://www.jqueryc.com"

Is the "httx" a mistake by the malware-authors or Sucuri Malware Labs? I find
the second option more likely.

~~~
jimwhitson
I suspect they've done it deliberately, to avoid having a malware link on
their site. With the link as given, a reader would have to consciously change
the 'x' for a 'p' to visit it, making it unlikely that anyone would do it
accidentally.

~~~
Zirro
That makes sense, and would also explain why they chose to put it in a
<textarea>, I suppose. Still, it feels as if the apparent intended audience
would be aware of the risks without them having to go through the trouble.

~~~
manys
Seems odd to quibble with being a thoughtful netizen.

------
Eduard
As used in this article, what does TDS mean?

~~~
hfsktr
The best acronym I was able to find (fits with the multiple redirects) is:
Traffic Distribution System.

