SpiderLabs Blog

Beware! Bats hide in your jQuery!

Written by | Jan 20, 2014 9:39:00 AM

Injection of malicious code into JavaScript files is not new; however, we recently observed a steep increase in the use of this method, particularly in jQuery libraries, in order to redirect users to malicious web pages.


Why has injecting malicious code into jQuery become so trendy?

Looking at benign jQuery libraries tells the whole story–jQuery is a feature-rich JavaScript library that is commonly used in web applications. jQuery serves as an easy-to-use fast API that simplifies client-side development. In this case, speed and efficiency have higher priority than human readability, therefore jQuery includes only essential features to keep the code tight and focused by using minimal variable and function names, minimal use of spaces, no comments, etc.

An example of typical non-malicious jQuery code:

In addition, developers usually use jQuery libraries as a plug-and-play product, which doesn't require maintenance apart from library updates.

Because jQuery libraries are minified and infrequently reviewed by those using them, jQuery becomes a good place to hide malicious code. Such malicious code usually attempts to deliver malware to as many users as possible.

Here's an example that shows hidden malicious code in an infected variant of the jQuery library:

To give you some perspective of the scope of this trend, below is a snippet from the list of variants of the jQuery libraries that were injected with malicious code within the last 24 hours of us writing this post:

jquery.easing-sooper.js
jquery.fancybox.pack.js
jquery.fancybox-1.3.1.pack.js
jquery.fancybox-1.3.4.js
jquery.fancybox-1.3.4.pack.js
jquery.flexslider-min.js
jquery.fontSizer.js
jquery.form.js
jquery.hotkeys.min.js
jquery.hoverIntent.minified.js
jquery.infinitecarousel2_0_2.js
jquery.innerfade.js
jquery.jcarousel.js
jquery.jcarousel.min.js
jquery.jgrowl.js
jquery.prettyPhoto.js
jquery.quicksand.js
jquery.rating.js
jquery.reveal.js
jquery.serialScroll.js
jquery.sexyslider.min.js
jquery.simplyscroll.js
jquery.sliderkit.1.5.1.pack.js
jquery.slidertron-0.3.1.js
jquery.slidorion.js
jquery.smartbanner.js
jquery.socialshareprivacy.js
jquery.tabs.js
jquery.text.generator.js
jquery.thumbhover.js
jquery.timers-1.2.js
jquery.tools.min.js
jquery.tooltip.js
jquery.ui.core.js
jquery.ui.effect.min.js
jquery.ui.effect-explode.min.js
jquery.ui.effect-scale.min.js
jquery.ui.effect-squares.min.js
jquery.ui.potato.menu.js

While inspecting some of the infected libraries, we found several campaigns that chose the approach of fooling less tech-savvy users into installing fake software updates. This approach eliminates the "headache" associated with the "exploit kit approach," which is based on exploiting vulnerabilities in the environment of the users.

Here's a fake Adobe Flash Player update page coming from a malicious campaign injected into a jQuery library:

After a quick inspection of the downloaded malware, we saw that it was developed using AutoIt which is a scripting language designed for automating the Windows GUI. The key parts of this compiled AutoIt script are:

  1. Send the victim's IP address to the C&C.
  2. Download additional executable, "flashplayer2.exe"

Flashplayer2.exe opens a LISTENING port on the machine providing a remote control capability for the C&C.

We hear a lot about various techniques and vulnerabilities used to inject malicious code into webpages. Sometimes, for the attackers, the focus is not on how to get the code there, but how to hide it in order to keep it there for as long as possible. It seems that as of late injecting malicious code into jQuery is one of attackers' favorite methods for doing so.

Mitigations:

Make sure every piece of code in your web application is frequently reviewed/scanned, including scripts/libraries and plug-and-play product extensions. This can be achieved by using a file system monitoring tool that ensures no changes occur.

Enable automatic updates for every software or plugin you choose to use, rather than having your browser prompting you to install the updates. In addition, always verify your version with the product vendor's website –as for Adobe Flash Player you can use this link.

Trustwave's Secure Web Gateway engines blocks this attack out-of-the-box without any additional updates.