We also occasionally see instances where static JavaScript files are hijacked. These are often much harder to detect. We recently found the following malicious code appended to a static JavaScript file on an Indian telecom website:

[Image: Obfuscated JavaScript appended to legitimate code]

With the help of Malzilla, I've analyzed the JavaScript code. It attempts to download another JavaScript file from gumblar.cn, a known malicious site.

[Image: Deobfuscation of one malicious function]

Hijacking a static file is much harder than modifying a dynamic page. Many content management systems (Joomla, Drupal, etc.) and blogs (WordPress, etc.) are hacked through an SQL injection or a privilege escalation. Either gives attackers access to the templates or the SQL database used to generate the dynamic pages, but does not provide access to static files. To perform this type of attack, an attacker needs greater access to the infected host, such as that given by a remote PHP file inclusion, or the ability to access any sensitive file.
-- Julien
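
One way to catch the appended-code case described above is to compare the static scripts on the server against a baseline recorded from a known-good deployment. This is an added example, not code from the original post; the file names, sample contents and function names are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_baseline(root: Path) -> dict:
    """Record size and SHA-256 of every .js file in a known-good deployment."""
    baseline = {}
    for path in sorted(root.rglob("*.js")):
        data = path.read_bytes()
        baseline[path.relative_to(root).as_posix()] = (len(data), sha256(data))
    return baseline


def check(root: Path, baseline: dict) -> dict:
    """Map each file to (status, appended_tail)."""
    report = {}
    for rel, (size, digest) in baseline.items():
        path = root / rel
        if not path.is_file():
            report[rel] = ("missing", b"")
            continue
        data = path.read_bytes()
        if sha256(data) == digest:
            report[rel] = ("ok", b"")
        elif len(data) > size and sha256(data[:size]) == digest:
            # Original bytes intact, extra bytes added at the end of the file.
            report[rel] = ("appended", data[size:])
        else:
            report[rel] = ("modified", b"")
    for path in root.rglob("*.js"):  # scripts that were never in the baseline
        rel = path.relative_to(root).as_posix()
        report.setdefault(rel, ("unexpected", b""))
    return report


def demo() -> dict:
    """Constructed sample: two static scripts, one gets a block appended."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "menu.js").write_bytes(b"function menu(){return 1;}\n")
        (root / "util.js").write_bytes(b"var util={};\n")
        baseline = build_baseline(root)
        with open(root / "menu.js", "ab") as fh:
            fh.write(b"/* constructed stand-in for appended code */\n")
        return check(root, baseline)
```

The `appended` status isolates the extra bytes, so only the tail needs to be reviewed or deobfuscated. Store the baseline somewhere the web server account cannot write to.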
