jQuery team’s investigation found no trace of compromise

Sep 24, 2014 07:51 GMT  ·  By

Visitors to jQuery.com were targeted by a drive-by download attack on September 18: the RIG exploit kit was pushed onto their systems, where it would drop malware designed to steal usernames and passwords, security company RiskIQ warns.

The RIG exploit kit was first spotted in April of this year and has since been used by cybercriminals on popular websites; it typically delivers banking Trojans and other types of information stealers.

jQuery is a JavaScript library used to build numerous websites with dynamic content, and developers within companies rely on it extensively; according to jQuery's own statistics, almost 70% of the top 10,000 websites in the world use it.

Malicious redirector hosted in Russia, jQuery library not affected

After detecting that a malicious script had added an invisible iframe to jQuery.com, RiskIQ started an investigation and determined that users were being redirected to a domain registered on the day of the attack, September 18.

The company found that the domain redirecting to RIG was hosted in Russia and was still active on Tuesday.

The security researchers' investigation revealed that the library itself was not affected in any way. “However, discovering information-stealing malware on jQuery.com is particularly disconcerting because of the demographic of jQuery users. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises,” said James Pleger of RiskIQ in a blog post.

Such users generally have privileged access to backend systems and critical web infrastructure, which would make a compromise all the more damaging by giving a potential attacker access to sensitive areas of the targeted enterprise.

It is worth noting that the security firm could not reproduce the script injection on the website in subsequent requests.
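Because the injection described above took the form of an invisible iframe pointing at a freshly registered off-site domain, and because it was not present on every request, a site operator's most practical defence is to repeatedly fetch their own pages and flag any iframe that is both hidden and off-domain. The following scanner is an added example written for this article; it is not code from RiskIQ or the jQuery project, and the sample HTML and the hostname `redirector.example` in it are constructed for illustration.

```python
"""Flag hidden iframes that point off-site in served HTML.

Added example, not code from RiskIQ or the jQuery project.  The sample
page and the host 'redirector.example' below are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline-style markers that make an element invisible to the visitor.
HIDDEN_STYLE_MARKERS = ("display:none", "visibility:hidden")


def _style_hides(style: str) -> bool:
    """True if the inline style contains a hiding declaration."""
    compact = style.replace(" ", "").lower()
    return any(marker in compact for marker in HIDDEN_STYLE_MARKERS)


def _tiny(value) -> bool:
    """True if a width/height attribute is 0 or 1 (pixels), i.e. effectively invisible."""
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are hidden AND load content from another host."""

    def __init__(self, site_host: str):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        src = a.get("src", "") or ""
        host = (urlparse(src).hostname or "").lower()
        hidden = (_tiny(a.get("width")) and _tiny(a.get("height"))) or _style_hides(a.get("style", "") or "")
        # Subdomains of the site itself (e.g. a CDN host) are treated as on-site.
        off_site = bool(host) and host != self.site_host and not host.endswith("." + self.site_host)
        if hidden and off_site:
            self.findings.append({"src": src, "host": host, "line": self.getpos()[0]})


def find_hidden_offsite_iframes(html: str, site_host: str):
    """Return a list of {src, host, line} for every hidden, off-site iframe in html."""
    parser = HiddenIframeFinder(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a normal embedded frame plus one injected, invisible frame.
SAMPLE_HTML = """<html><body>
<h1>jQuery</h1>
<iframe src="https://jquery.com/embed/demo" width="600" height="400"></iframe>
<iframe src="http://redirector.example/landing" width="0" height="0" style="display:none"></iframe>
</body></html>"""


if __name__ == "__main__":
    for f in find_hidden_offsite_iframes(SAMPLE_HTML, "jquery.com"):
        print(f"line {f['line']}: hidden iframe to {f['host']} ({f['src']})")
```

Run against a page fetched on a schedule (and from more than one network vantage point, since the injection here was not served on every request), a non-empty result is a strong signal worth an alert; a legitimate hidden iframe should be a known, allow-listed exception rather than the norm.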

Internal investigation finds no evidence of a threat

Following the notification from RiskIQ, the jQuery team looked into the matter to determine which parts of the website had been affected by the exploit kit. However, they could not confirm the compromise from server logs and found no trace of the RIG exploit kit.

“So far the investigation has been unable to reproduce or confirm that our servers were compromised. We have not been notified by any other security firm or users of jquery.com confirming a compromise. Normally, when we have issues with jQuery infrastructure, we hear reports within minutes on Twitter, via IRC, etc.,” Ralph Whitbeck said on Tuesday.

Although no evidence of compromise was found, the jQuery team took the proper steps to ensure that their machines were secure and clean.

The security company recommends that those who visited the website on September 18 re-image their systems, reset their passwords and check for any suspicious activity originating from the machine suspected of having been compromised.