Posted on 10/21/2005 2:23:35 AM PDT by Eagle9
Hackers and scammers have suddenly turned to a new technique to hide malicious JavaScript on compromised or criminal sites, a security researcher said Thursday.
According to Dan Hubbard, the senior director of security and research at Websense, a family of obfuscation routines with the umbrella name of "JS/Wonka" has spread wildly in the last few weeks.
"For whatever reason, the number has just skyrocketed since the last of September," said Hubbard. "There are 10,000 unique sites using this exact same method. The strange thing is, they're completely different types of sites."
It's not uncommon to see hackers and scammers try to hide their malicious JavaScript code, said Hubbard. They want the code to be invisible to both Internet users and site operators. But the scale Websense is seeing is unprecedented.
For the most part, the JS/Wonka routines rely on converting characters to and from their respective Unicode values. JavaScript does those conversions automatically, so it's a small-footprint method that doesn't require much expertise on the part of the code writer.
Oftentimes the JavaScript code's hidden within an IFRAME that's been defined with zero values, making it invisible to the naked eye. Internet Explorer has several IFRAME vulnerabilities -- both patched bugs and flaws reported but not yet patched -- which the attackers leverage.
Attackers have sometimes created Byzantine paths between Web sites to further obscure their work, sending users from one site to another via IFRAME exploits and hidden JavaScript. Sites seen using the JS/Wonka routines include those that spoof search engine results, disable pop-up blockers, falsely claim that the PC is infected with spyware, and market spammed products such as fake pharmaceuticals, low-rate mortgages, pornography, and illegally-copied software.
Internet Explorer isn't the only browser vulnerable to JS/Wonka, however. Alternate browsers, including the popular Firefox, can be fooled with JavaScript tricks, too, and have been victimized by numerous JavaScript vulnerabilities in 2005.
"The interesting thing here is the sheer climb in volume of sites using these routines," said Hubbard. "It's either a toolkit or coordination between hackers. There's no public toolkit we've found, but there are banks of domain names using JS/Wonka that are registered to similar names."
About half of the more than 10,000 sites using JS/Wonka are either compromised or malicious Web sites attempting to stick malware or spyware on unsuspecting users' PCs, said Hubbard. The other half of the sites use the encoded, obfuscated JavaScript to display spoofed search results which link to sites selling products typically shilled through spam, or used by sites trying to hide their URLs from affiliate advertising vendors because those sites may be breaking contractual agreements.
Some Web advertising and/or adware firms, for instance, have blamed their wide-flung affiliates for secretly installing software, including some programs that verge on spyware, when they're accused by users and anti-spyware vendors for infecting PCs. Such affiliates may want to hide their URLs to make it harder for their partners to check up on their installation practices.
Three out of four of the sites found using JS/Wonka are hosted in the U.S., said Websense, another indication that either a group of scammers is working together, or that an obfuscation toolkit has just been made available and hasn't had time to spread overseas.
The Websense alert, which includes samples of the JavaScript code -- useful for site operators, said Hubbard, since they can search for characters in the samples to see if their site is infected -- can be downloaded in PDF format from the San Diego-based firm's Web site.
http://www.websensesecuritylabs.com/resource/pdf/wslabs_wonka_analysis_oct05.pdf
Organized Spam
Thanks!
You know, an Iframe exploit can work completely invisibly.
It can be done to display a graphic without scroll bars, or even better, just stick an iframe in a page with a size of 1 pixel by 1 pixel. Then through this invisible window, one may sneak all kinds of nasty code!
There are also exploits using the embed command, flash could be used embedded with a payload delivered unseen.
The base command could also be used for mischief.
I just checked the example website used in the article and the nasty javascript code is still there. With javascript turned off I chased the tail all the way to the end (redirecting 4 to 5 times) and it's all still there. You'd think that the webmaster for that site would have cleaned things up after having his site mentioned in this article.
Once again, the USA leads in technical innovation! ;-)
But seriously, this is just another reason not to use IE. The ecommerce website that I run has seen IE usage drop off to under 50%.
Thanks, good stuff.
Are you selling Apple hardware or some other self-selecting product?
This is from my commercial site, as of this minute:
Top 15 of 325 Total User Agents

 #   Hits   Share   User Agent
 1   5456   17.52%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
 2   4628   14.86%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
 3   1591    5.11%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1
 4   1239    3.98%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
 5   1086    3.49%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Ge
 6    892    2.87%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1
 7    791    2.54%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
 8    631    2.03%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Ge
 9    591    1.90%  Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10    555    1.78%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MSN 9
11    519    1.67%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Ge
12    387    1.24%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gec
13    374    1.20%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotba
14    356    1.14%  Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/
15    353    1.13%  Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Ge
It doesn't matter what browser or operating system you use. JavaScript is standard, and all browsers are supposed to render it. This is all a browser exploit, and doesn't affect your machine at the OS level.
Warez sites are bad about having those trojans in their script ---- errrr, uhhh, so I've heard.....
I just ran some stats, and last month the hits broke down to 75% for all versions of IE - so far this month it's at 71%, but it's never been below 70% for any month over the last year.
Hits for the website *I* administer, not yours, I should make clear ;)
Whew..that's a relief! :-)
The exploit described in the paper boiled down to:
... attempt to exploit a Microsoft HTML URL Processing Vulnerability (vulnerability resolved by Microsoft Security Bulletin MS04-013). Vulnerable computers will retrieve a CHM file (disguised as a style sheet named style.css) which in turn drops a Trojan Horse called open.exe. Open.exe is a Trojan Downloader which uses HTTP to download yet another file which is a Trojan Backdoor (executable file girl.bmp) ...

So, it's yet another reason not to use IE on Windows. It can evidently be avoided by using the product advertised in the paper that described the vulnerability, but as always caveat emptor.
:^)
Thanks! I wish the browser providers would allow for per site jscript like they do cookies. For example, in Firefox I can specify to ask me each time a cookie is being set, and either allow/disallow the cookie. Browser providers should allow that for jscript as well.
I'm bookmarking this Thread for my Hubby. He'll understand what precautions I have to take better than I do. We keep away from IE as we are 'infected' with a site called 'WIN Fixer'. It acts like an advertisement, but it's nasty and never gets out of the way.