Hackers, Scammers Hide Malicious JavaScript On Web Sites
TechWeb News ^ | October 20, 2005 | Gregg Keizer

Posted on 10/21/2005 2:23:35 AM PDT by Eagle9

The Websense PDF, referenced in the last paragraph, can be downloaded at the following link. On page 7 is an in-depth analysis of JS/Wonka.

http://www.websensesecuritylabs.com/resource/pdf/wslabs_wonka_analysis_oct05.pdf

1 posted on 10/21/2005 2:23:36 AM PDT by Eagle9
[ Post Reply | Private Reply | View Replies]

To: Eagle9

Organized Spam


2 posted on 10/21/2005 2:26:42 AM PDT by DannyTN
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

Thanks!
You know, an Iframe exploit can work completely invisibly.

It can be done to display a graphic without scroll bars, or even better, just stick an iframe in a page with a size of 1 pixel by 1 pixel. Then through this invisible window, one may sneak all kinds of nasty code!

There are also exploits using the embed command, flash could be used embedded with a payload delivered unseen.

The base command could also be used for mischief.


4 posted on 10/21/2005 2:40:06 AM PDT by Bon mots
[ Post Reply | Private Reply | To 1 | View Replies]
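
A defender-side check for the hiding techniques named in the post above, as an added example that is not part of the original thread: it audits a page's markup for iframe/embed/object elements that are sized to one pixel or less or hidden by inline style, and for any base tag. The sample page and its `.invalid` host names are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample page (not taken from any real site).
SAMPLE = """<html><head><base href="http://cdn.example.invalid/"></head>
<body>
<iframe src="/news.html" width="600" height="400"></iframe>
<iframe src="http://a.example.invalid/x" width="1" height="1" frameborder="0"></iframe>
<iframe src="http://b.example.invalid/y" style="display:none"></iframe>
<embed src="movie.swf" width="0" height="0">
</body></html>"""

HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _tiny(value):
    """True if a width/height attribute is a pixel size of 0 or 1."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "", re.I)
    return bool(m) and int(m.group(1)) <= 1

class HiddenFrameAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ("iframe", "embed", "object"):
            reasons = []
            if _tiny(a.get("width")) or _tiny(a.get("height")):
                reasons.append("size<=1px")
            if HIDDEN_STYLE.search(a.get("style", "")):
                reasons.append("hidden-by-style")
            if reasons:
                self.findings.append((tag, a.get("src") or a.get("data", ""), reasons))
        elif tag == "base":
            # <base> re-roots every relative URL on the page, so always report it.
            self.findings.append((tag, a.get("href", ""), ["rewrites-relative-urls"]))

def audit(html):
    """Return a list of (tag, url, reasons) for elements worth a manual look."""
    parser = HiddenFrameAuditor()
    parser.feed(html)
    parser.close()
    return parser.findings

if __name__ == "__main__":
    for tag, url, reasons in audit(SAMPLE):
        print(f"{tag:7} {url:32} {','.join(reasons)}")
```

It reads only attributes and inline style, so elements hidden through an external stylesheet or created by script at load time will not appear in the findings.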

To: Eagle9

I just checked the example website used in the article and the nasty javascript code is still there. With javascript turned off I chased the tail all the way to the end (redirecting 4 to 5 times) and it's all still there. You'd think that the webmaster for that site would have cleaned things up after having his site mentioned in this article.


5 posted on 10/21/2005 3:22:11 AM PDT by Avenger
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9
Three out of four of the sites found using JS/Wonka are hosted in the U.S.,

Once again, the USA leads in technical innovation! ;-)

But seriously, this is just another reason not to use IE. The ecommerce website that I run has seen IE usage drop off to under 50%.

6 posted on 10/21/2005 4:14:37 AM PDT by glorgau
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9

Thanks, good stuff.


7 posted on 10/21/2005 4:37:27 AM PDT by newsgatherer
[ Post Reply | Private Reply | To 1 | View Replies]

To: glorgau
But seriously, this is just another reason not to use IE. The ecommerce website that I run has seen IE usage drop off to under 50%.

Are you selling Apple hardware or some other self-selecting product?

This is from my commercial site, as of this minute:


Top 15 of 325 Total User Agents

#    Hits   %       User Agent
1    5456   17.52%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET
2    4628   14.86%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
3    1591    5.11%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1
4    1239    3.98%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
5    1086    3.49%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Ge
6     892    2.87%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1
7     791    2.54%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
8     631    2.03%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Ge
9     591    1.90%  Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)
10    555    1.78%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MSN 9
11    519    1.67%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.11) Ge
12    387    1.24%  Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.8) Gec
13    374    1.20%  Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; Hotba
14    356    1.14%  Mozilla/5.0 (compatible; Yahoo! Slurp; http://help.yahoo.com/
15    353    1.13%  Mozilla/5.0 (Windows; U; Windows NT 5.1; fr-FR; rv:1.7.12) Ge



8 posted on 10/21/2005 4:42:09 AM PDT by Gorzaloon
[ Post Reply | Private Reply | To 6 | View Replies]

To: glorgau

It doesn't matter what browser or operating system you use. JavaScript is standard, and all browsers are supposed to render it. This is all a browser exploit, and doesn't affect your machine at the OS level.


9 posted on 10/21/2005 4:46:34 AM PDT by proxy_user
[ Post Reply | Private Reply | To 6 | View Replies]

To: Eagle9

Warez sites are bad about having those trojans in their script ---- errrr, uhhh, so I've heard.....


10 posted on 10/21/2005 4:47:48 AM PDT by TomGuy
[ Post Reply | Private Reply | To 1 | View Replies]

To: Eagle9
bump :)
11 posted on 10/21/2005 5:15:52 AM PDT by clyde asbury ("You're out there in the whole world, regulating. Are washing machines next?")
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gorzaloon

I just ran some stats, and last month the hits broke down to 75% for all versions of IE - so far this month it's at 71%, but it's never been below 70% for any month over the last year.


12 posted on 10/21/2005 5:45:47 AM PDT by Senator Bedfellow
[ Post Reply | Private Reply | To 8 | View Replies]

To: Gorzaloon

Hits for the website *I* administer, not yours, I should make clear ;)


13 posted on 10/21/2005 5:46:20 AM PDT by Senator Bedfellow
[ Post Reply | Private Reply | To 8 | View Replies]

To: Senator Bedfellow
Hits for the website *I* administer, not yours, I should make clear ;)

Whew..that's a relief! :-)

14 posted on 10/21/2005 5:55:18 AM PDT by Gorzaloon
[ Post Reply | Private Reply | To 13 | View Replies]

To: proxy_user
It doesn't matter what browser or operating system you use. JavaScript is standard, and all browsers are supposed to render it. This is all a browser exploit, and doesn't affect your machine at the OS level.

The exploit described in the paper boiled down to:

... attempt to exploit a Microsoft HTML URL Processing Vulnerability 
(vulnerability resolved by Microsoft Security Bulletin MS04-013). 
Vulnerable computers will retrieve a CHM file (disguised as a style sheet 
named “style.css”) which in turn drops a Trojan Horse called open.exe. 
Open.exe is a Trojan Downloader which uses HTTP to download yet 
another file which is a Trojan Backdoor (executable file girl.bmp)

so, it's yet another reason not to use IE on Windows. It can evidently be avoided by using the product advertised in the paper that described the vulnerability, but as always caveat emptor.
15 posted on 10/21/2005 6:19:05 AM PDT by glorgau
[ Post Reply | Private Reply | To 9 | View Replies]
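
The chain quoted in the post above relies on files whose names do not match their contents: a CHM served as "style.css" and an executable served as "girl.bmp". The following added example (not from the thread or the Websense paper) shows how a proxy or download scanner can compare leading bytes with the declared extension; the byte strings are constructed stand-ins for file headers, and the extension table is an assumption chosen for this illustration.

```python
import os

# Leading bytes of the formats involved in the chain described above.
MAGIC = [
    (b"ITSF", "chm"),  # Compiled HTML Help
    (b"MZ", "pe"),     # Windows executable (DOS/PE header)
    (b"BM", "bmp"),    # Windows bitmap
]

# Content class each extension is expected to carry (illustrative policy).
EXPECTED = {".css": "text", ".js": "text", ".bmp": "bmp", ".exe": "pe", ".chm": "chm"}

# Constructed header fragments standing in for downloaded objects.
SAMPLES = {
    "style.css": b"ITSF\x03\x00\x00\x00" + b"\x00" * 24,
    "girl.bmp": b"MZ\x90\x00\x03\x00\x00\x00",
    "site.css": b"body { margin: 0; }\n",
    "logo.bmp": b"BM\x36\x00\x0c\x00\x00\x00\x00\x00",
}

def sniff(data):
    """Classify content by its leading bytes, ignoring the file name."""
    if b"\x00" not in data[:512]:
        return "text"  # no NUL bytes in the head: treat as text
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown-binary"

def check(name, data):
    """Return (declared, actual, mismatch) for one downloaded object."""
    ext = os.path.splitext(name.lower())[1]
    declared = EXPECTED.get(ext, "unlisted")
    actual = sniff(data)
    mismatch = declared != "unlisted" and declared != actual
    return declared, actual, mismatch

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        declared, actual, mismatch = check(name, data)
        flag = "MISMATCH" if mismatch else "ok"
        print(f"{name:10} declared={declared:5} actual={actual:5} {flag}")
```

A match between extension and content only means the name is honest: an object named open.exe that starts with "MZ" passes this check and still needs its own reputation or sandbox verdict.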

To: rdb3; chance33_98; Calvinist_Dark_Lord; Bush2000; PenguinWry; GodGunsandGuts; CyberCowboy777; ...

16 posted on 10/21/2005 6:34:55 AM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)
[ Post Reply | Private Reply | To 1 | View Replies]

To: Gorzaloon
Made you nervous, eh? Although, now that you mention it, I notice some things in your logs....

:^)

17 posted on 10/21/2005 6:38:35 AM PDT by Senator Bedfellow
[ Post Reply | Private Reply | To 14 | View Replies]

To: ShadowAce

Thanks! I wish the browser providers would allow for per site jscript like they do cookies. For example, in Firefox I can specify to ask me each time a cookie is being set, and either allow/disallow the cookie. Browser providers should allow that for jscript as well.


18 posted on 10/21/2005 6:57:08 AM PDT by rit
[ Post Reply | Private Reply | To 16 | View Replies]

To: glorgau

I'm bookmarking this Thread for my Hubby. He'll understand what precautions I have to take better than I do. We keep away from IE as we are 'infected' with a site called 'WIN Fixer'. It acts like an advertisement, but it's nasty and never gets out of the way.


20 posted on 10/21/2005 7:03:56 AM PDT by AmericaUnite
[ Post Reply | Private Reply | To 6 | View Replies]

