Malicious JavaScript prepended to first line

Aug 9, 2010 08:42 GMT

Security researchers warn of a new mass injection attack affecting websites hosted at Rackspace and Media Temple. The compromises result in rogue JavaScript code being added to legit .js files used by the affected websites.

The new attack was reported by Denis Sinegubko, the creator of the Unmask Parasites website scanner. "Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: 'myads .name', 'adsnet .biz', 'toolbarcom .org', 'mybar .us', 'freead .name'," the Web security expert notes.

What's rather unusual about this attack is that the malicious code is not necessarily inserted into the .html files or .php scripts. In fact, this is hardly the case. Instead, the attackers add the rogue code to static .js files that already exist on the server.

Another noteworthy aspect of these injections is that the malicious JavaScript snippet is not added on new lines in the tainted files. It's actually prepended to the first line in the document, making automatic removal a bit harder, since removing the entire line would also break the legit code. According to Sinegubko, automatic cleaning scripts should not remove stuff after “this.O=58441;var gr0=0;”.

The rogue JavaScript first performs a check to see if the visitor is a search engine crawler or a real user. The malicious payload will not be served to search engine bots. Real visitors will also only be targeted once, after which a cookie will be set in their browser, preventing them from being attacked in the future. There's obviously no point in trying to re-infect a user that's already been infected or on whose computer the exploit failed.

The attackers serve the payload from multiple websites, most likely for redundancy and to make filtering harder. The rogue code will calculate a URL and load the malicious content from it. Sinegubko explains that there are 5 domains and 36 subdomain variations on each. That means 180 possible malicious URLs.

Websites hosted at both companies have been targeted in mass injection attacks before. However, their security staff haven't found any particular vulnerability being exploited or any security hole in their own infrastructure. The Unmask Parasites creator suggests that this might be related to overly generous file permissions. He suggests changing the permissions of static content files like .js, which hardly ever get modified, to 444 or even 400, if the Web app doesn't need to change them either.
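The cleanup rule and the permission advice described above can be combined into one audit pass over a document root. This is an added example, not code from Unmask Parasites or either hosting company; it assumes the injected snippet ends with the marker string quoted in the article, and the function names are hypothetical.

```python
import os
import stat
import sys

# Marker quoted in the article: the injected snippet ends with this string,
# and everything after it on line 1 is the site's legitimate code.
MARKER = b"this.O=58441;var gr0=0;"


def clean_first_line(data):
    """Return (cleaned, infected). Only line 1 is inspected and only the
    prefix up to and including MARKER is dropped; the rest is kept as-is."""
    first, newline, rest = data.partition(b"\n")
    pos = first.find(MARKER)
    if pos == -1:
        return data, False
    return first[pos + len(MARKER):] + newline + rest, True


def audit_js_tree(root, fix=False):
    """Report .js files under root that carry the marker or are writable.
    With fix=True, rewrite infected files and set every .js file to 0444.
    Returns a list of (path, infected, writable) tuples."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            cleaned, infected = clean_first_line(data)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            writable = bool(mode & 0o222)  # any write bit: user, group, other
            if infected or writable:
                findings.append((path, infected, writable))
            if fix:
                if infected:
                    os.chmod(path, 0o644)  # allow the rewrite if read-only
                    with open(path, "wb") as fh:
                        fh.write(cleaned)
                os.chmod(path, 0o444)  # read-only, as the article suggests
    return findings


if __name__ == "__main__":
    # Usage: python audit_js.py /path/to/docroot [--fix]
    for path, infected, writable in audit_js_tree(sys.argv[1], "--fix" in sys.argv):
        print(f"{path}: infected={infected} writable={writable}")
```

Run it without `--fix` first to review the report, and take a copy of the tree outside the web root before letting it rewrite files.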

You can follow the editor on Twitter @lconstantin