Friday, June 4, 2010

Third-party JavaScript widget discovered to be infected with malware

Potentially thousands of legitimate websites that embed the widget are serving malware to their users.

Many websites use third-party JavaScript widgets for counting traffic, tracking users, sharing content, displaying video, enabling polls, and providing other user functionality. The use of third-party widgets has enabled rich user functionality and analytics. However, as noted by Jeremiah Grossman in his blog post "Web 2.0 pivot attacks", in a security context, websites that use third-party widgets "essentially allow arbitrary executable code, supplied by a third party, complete access to the web page DOM and the user’s session information." This could, of course, be used to infect the website’s users with malware. Tom Stripling also discusses the dangers of third-party JavaScript widgets, as well as user contributed content.

In a research paper published by Google titled “The Ghost in the Browser,” researchers claimed that third-party widgets were one of the primary vectors of attack for a website to get infected with malware.

The paper's authors identified a free statistics counter that operated fine for almost four years, “when the nature of the counter changed and instead of cataloging the number of visitors, it started to exploit every user visiting pages linked to the counter… In this particular case, the user visited a completely unrelated web site that was hosting a third-party web counter. The web counter was benign for over four years and then drastically changed behavior to exploit any user visiting the site. This clearly demonstrates that any delegation of web content should only happen when the third party can be trusted.”

Just this past weekend, the Dasient security research team identified a third-party JavaScript widget that was responsible for infecting web users at a large Quantcast 100 website. The third-party widget in question was from a reputable market research and analytics firm, and the widget was used for traffic analysis and audience demographics. (Our team has been in contact with the Quantcast 100 website, and is also reaching out to the widget provider in order to help resolve this problem.)

This third-party JavaScript code was included among a number of other tracking tags present on several thousand URLs of the Quantcast 100 website. The JavaScript code (after being anonymized) is as follows:


// xxxxxx tagging
XXXX.require('//secure-us.xxxxxxxxxxxx.com/xxx.js', function () {
    var trac = nol_t({
        cid: 'xx-xxxxxxx',
        content: '0',
        server: 'secure-us'
    });
    trac.record().post();
});


In turn, http://secure-us.xxxxxxxxxxxx.com/xxx.js served the following complicated JavaScript code:


function NolTracker(b,a){this.pvar=b;this.mergeFeatures(a)}function nol_t(b,a){return new NolTracker(b,a)}NolTracker.prototype.version="6.0.9";NolTracker.prototype.scriptName=(function(){try{var b=document.getElementsByTagName("script");var c=b[b.length-1].getAttribute("src").match(/[^\/]*$/)}catch(a){}return c||"xxx.js"})...


At the end of the complex JavaScript was a malicious iframe sourcing in content from:
http://94. 75. 210. 6/measure/

What is notable about the attack above is that the JavaScript code is so complex that even a technical person would find it difficult to parse the code quickly and identify the malicious iframe at the end. Furthermore, the attackers used the pathname "measure" on the malicious domain in an effort to further disguise their attack. As a result, a technical person investigating the cause of the malware might not pay attention to the iframe; he or she could easily assume that it was part of the legitimate JavaScript code measuring user traffic on the website.

The attackers compromised this third-party analytics provider's JavaScript code and embedded the malicious iframe. A quick Google search for the JavaScript code returned over 19,000 results for websites that contained this provider's analytics code. Thus, by infecting the third-party analytics provider's JavaScript code with the malicious iframe, the attackers were able to spread their web-based malware across thousands and thousands of legitimate websites (including multiple Quantcast 100 websites).

There is a significant implication for web businesses. The "widgetization" of the web will continue to create opportunities such as the one detailed in this post for attackers to infect legitimate websites with malware. Any third-party code included in a legitimate website can be compromised and exploited to serve malware. In fact, attackers have an incentive to infect these JavaScript widgets as a way to achieve scale and gain "back door access" to popular websites. The concern for web businesses is that, despite all of the security operations and software development practices they may have in place, they depend on third parties for rendering functionality on their web pages. A web business has no control over the security practices of such a third-party partner, which can itself be compromised, as the attack described above shows.

It is unrealistic to believe that web businesses will be able to remove all third-party software and JavaScript code from their websites. The "widgetization" of the web will only accelerate as the trend towards distributed software development, interactivity, and combining best-of-breed software and widgets continues. Even with significant preventative security measures in place, a web business's website is vulnerable to serving malware through the third-party JavaScript widgets it uses. Therefore, it is critical that web businesses monitor their websites (and thus their third-party JavaScript widget providers) for malware on a regular basis. An attack in which a reputable partner gets compromised and infected with malware could happen at any time, and it is important that the web business can respond immediately if such an attack occurs. Otherwise, the web business is at risk of serving malware to its users, which would result in users getting infected with malware; significant losses of brand, reputation, and revenue; and potential liability issues. Companies can use Dasient's Web Anti-Malware (WAM) monitoring service to defend their websites against the prospect of third-party widgets getting infected with malware.

67 comments:

  1. Great article about a massively underrated risk. But it occurs to me that this is less likely and less damaging than malicious libraries on the server side, which is probably even more ubiquitous than this problem. The malicious library is easier to obscure and far more difficult to detect. But more importantly, the damage is complete application takeover, and perhaps takeover of the host and other backend systems. Yet virtually nobody looks at libraries.

    1. I would never recommend that anyone use any third-party Java or other plugin on their website. Third-party tools are always the biggest risk factor; I have been hacked on WordPress, and my best guess is that it was because of plugins.

  11. Congratulations Neil, Ameet, Dasient team! Outstanding product and service in the web security space. www.babyscream.com

  31. Me too, I already experienced that; that's why I never trust any third-party script again. I'd rather hard-code it than trust a third-party script.