Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 9th, 2010

New Mass Injection Attack Adds Rogue Code To JS Files, Rackspace And Media Temple Affected

Security researchers warn that a new mass injection attack affecting websites hosted at Rackspace and Media Temple. The compromises result in rogue JavaScript code being added to legit .js files used by the affected websites.

The new attack was reported by Denis Sinegubko, the creator of the Unmask Parasites website scanner. “Right before this week-end I noticed an increased number of sites hosted on MediaTemple and RackSpace coming to Unmask Parasites with the same problem — their sites are blocked by Google and their diagnostic pages mention the following five domains: ‘myads .name’, ‘adsnet .biz’, ‘toolbarcom .org’, ‘mybar .us’, ‘freead .name’,” the Web security expert notes.

What’s rather unusual about this attack is that the malicious code is not necessarily inserted into the .html files or .php scripts. In fact, this is hardly the case. Instead, the attackers add the rogue code to static .js files that already exist on the server.

Another noteworthy aspect of these injections is that the malicious JavaScript snippet is not added on new lines in the tainted files. It’s actually prepended to the first line in the document, making automatic removal a bit harder, since removing the entire line would also break the legit code. According to Sinegubko, automatic cleaning scripts should not remove stuff after “this.O=58441;var gr0=0;”.

The rogue JavaScript first performs a check to see if the visitor is a search engine crawler or a real user. The malicious payload will not be served to search engine bots. Real visitors will also only be targeted once after which a cookie will be set in their browser preventing them from being attacked in the future. There’s obviously no point in trying to re-infect a user that’s already been infected or on who’s computer the exploit failed.

The attackers serve the payload from multiple websites, most likely for redundancy and to make filtering harder. The rogue code will calculate a URL and load the malicious content from it. Sinegubko explains that there are 5 domains and 36 subdomain variations on each. That means 180 possible malicious URLs.

Websites hosted at both companies have been targeted in mass injections attacks before. However, their security staff haven’t found any particular vulnerability being exploited or any security hole in their own infrastructure. The Unmask Parasites creator suggests that this might be related to overly generous file permissions. He suggests changing the permissions of static static content files like .js, which hardly even get modified to 444 or even 400, if the Web app doesn’t need to change them either.

Credit: News

Share this item with others:

More on CyberInsecure:
  • Mass Injection At Media Temple Hosting Leads To Web Exploit Kit
  • Thousands Of Websites Distribute Scareware After Mass Injection Attack, BlueHost, DreamHost, Bizland, GoDaddy Affected
  • Mass SQL Injection Attack Infects Over 28,000 Pages, Including iTunes Podcast
  • WordPress Blogs Targeted By Polymorphic Injection Attack
  • Multiple TechCrunch Websites Compromised, Infect Visitors With Malware

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: New Mass Injection Attack Adds Rogue Code To JS Files, Rackspace And Media Temple Affected

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.