
Show HN: ScriptObservatory.org – How much malicious JavaScript goes unnoticed? - andy112
https://scriptobservatory.org/
======
andy112
Hi all. This is a side-project I've been working on for a while now. From the
FAQs page:

Why is something like this a good idea?

JavaScript, iframes, and other embedded web content have the potential to
cause your browser to take unwanted and even harmful actions on your behalf;
however, visibility into what you're running as you browse is very limited.
After-the-fact analysis of what you were sent is (in nearly all cases)
outright impossible.

If you have any thoughts or want a few interesting queries to get started, get
in touch. Feedback is welcome!

~~~
voltagex_
Can you help with any analysis of
[http://blog.voltagex.org/2015/10/07/malvertising-on-my-stackoverflow-its-more-likely-than-you-think/](http://blog.voltagex.org/2015/10/07/malvertising-on-my-stackoverflow-its-more-likely-than-you-think/)?

Basically, a script started displaying really intrusive ads on StackOverflow,
initially only on my Nexus 5 - the only way to get rid of them was clearing
the cache. It did not happen over HTTPS. A commenter thinks it might be a
compromised Google Analytics script but this doesn't sound possible.

~~~
andy112
Hmm, that sounds strange.

If you were only able to reproduce it on a Nexus 5, I don't think analysis
with ScriptObservatory will be easy. I'd still suggest submitting the URLs to
be scanned by the robo-browser and then looking to see if what gets reported
looks similar to what you saw before.

Also, if you write a Yara rule that matches on some of the unique features in
the JS/iframes you saw, you could run a search through what's been seen. You
can use that to also be alerted when new matches are reported. If something
similar has been seen elsewhere, you might be able to tie it to a specific ad
network.

~~~
voltagex_
Looking at Yara rules - I won't have time today but a unique-ish string in the
script was

adsbyText:"ADS BY "+

including quotes.

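As an added illustration of the Yara-rule approach suggested above (this is not a rule from the thread, from either commenter, or from ScriptObservatory), here is what a rule keyed off the quoted `adsbyText:"ADS BY "+` fragment could look like. The rule name, the metadata values, and the regex variant that tolerates whitespace and single-quote differences are assumptions made for the example; only the literal string comes from the thread.

```yara
rule hypothetical_adsby_injector_marker
{
    meta:
        description = "Example rule: matches the 'ADS BY' fragment quoted in the HN thread"
        author      = "added example, not from the thread or ScriptObservatory"

    strings:
        // The exact fragment the commenter quoted, quotes included.
        // Double quotes inside a YARA text string are escaped with a backslash;
        // 'wide' also covers UTF-16 copies of the script.
        $adsby_exact = "adsbyText:\"ADS BY \"+" ascii wide

        // Assumed variant: tolerates re-minified whitespace and single-quoted
        // strings, so a slightly repackaged copy of the script still matches.
        $adsby_loose = /adsbyText\s*:\s*["']ADS BY ["']\s*\+/ ascii wide

    condition:
        // Bound the scan to plausible script sizes, then match either form.
        filesize < 5MB and any of them
}
```

Running such a rule over the JS and iframe bodies a crawler has stored (for example with `yara -r rule.yar ./scripts/`) surfaces other pages carrying the same injector, which is what would let the fragment be tied to a particular ad network; the thread itself reports no match for this string on the StackOverflow page scanned.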
~~~
andy112
Yep that looks like a good string to key off of.

The results for the site you mentioned are here -
[https://scriptobservatory.org/webpage/543677125f1bea8226ba7c...](https://scriptobservatory.org/webpage/543677125f1bea8226ba7c0578e4836332c97f48f56d23894c63b61725965959)
- but I don't see anything that looks like a clear match.

~~~
voltagex_
Do you differentiate between http and https versions of sites?

~~~
andy112
Yes, the two are considered as if they were completely separate sites.

