Malicious JavaScript Infects Websites
- Thursday, December 31, 2009, 8:36
- Threat Research
Trend Micro threat analysts were alerted to the discovery of several compromised websites inserted with a JavaScript. The JavaScript is detected by Trend Micro as JS_AGENT.AOEQ. When executed, JS_AGENT.AOEQ uses a defer attribute, which enables it to delay executing its routine, that is, redirecting the user to several malicious websites. This is done so users will not suspect that they are already infected. In addition, this malicious JS is hosted on PHP servers. If a user visits an infected website, it will display a white screen. On the other hand, viewing the source code will yield the following obfuscated code:
 |
 |
Upon analysis, it was observed that the code (found on most infected sites) begins with /*GNUGPL*/try{window.onload=function(){var or /*CODE1*/ try{window.onload = function(){va.
According to the Unmask Parasites blog, the cybercriminals behind this attack incorporated certain legitimate sites’ names such as Google, Bing, and WordPress, among others, in their code to appear as a legitimate URL.
Trend Micro Smart Protection Network secures users from this attack by blocking all related malicious domains to prevent user access and, consequently, malware infection. It is, however, advisable for users to keep their systems up-to-date and for Web administrators to change their FTP credentials.
Post from: TrendLabs | Malware Blog – by Trend Micro
Malicious JavaScript Infects Websites
About the Author: