Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Infected Javascript File

image
JULIEN SOBRIER
June 01, 2010 - 2 min read

When legitimate sites are hacked, attackers usually modify the existing HTML pages to add their own code (obfuscated Javascript or invisible IFRAMEs), or add new fake pages to the site. The additional code is commonly found after the </html> tag, before the <html> tag, or just after the <body> tag. Since most sites do not use Javascript obfuscation, these hijacking attempts are often not too hard to spot. Even if a site use Javascript obfuscation to hide e-mail addresses, these harmless pieces of code are much smaller than your typical malicious code, and often use just one escape statement.

We also occasionally see instances where static Javascript files are hijacked. These are often much harder to detect. We recently found the following malicious code appended to a static Javascript file on an Indian Telecom website:

 

Image
Obfuscated Javascript appended to legitimate code


With the help of Malzilla, I've analyzed the Javascript code. It attempts to download another Javascript file from gumblar.cn, a known malicious site.

 

 

 

 

 

 

 

 
 
 
Image
Deofuscation of one malicious function
 
Hijacking a static file is much harder than modifying a dynamic page. Many content management systems (Joomla, Drupal, etc.) and blogs (Wordpress, etc.) are hacked through an SQL injection, or through a privilege escalation, which gives attackers access to the templates or the SQL database used to generate the dynamic pages, but does not provide access to static files. An attacker must have greater access to the infected host, as given by a remote PHP file inclusion for example, or the ability to access any sensitive file in order to successfully perform this type of attack.
 
-- Julien
form submtited
Thank you for reading

Was this post useful?

dots pattern

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.