Hackers, Scammers Hide Malicious JavaScript On Web Sites

Websense security director says hackers using holes in IE, other software to attack with JavaScript
Hackers and scammers have suddenly turned to a new technique to hide malicious JavaScript on compromised or criminal sites, a security researcher said Thursday.

According to Dan Hubbard, the senior director of security and research at Websense, a family of obfuscation routines with the umbrella name of "JS/Wonka" has spread wildly in the last few weeks.

"For whatever reason, the number has just skyrocketed since the last of September," said Hubbard. "There are 10,000 unique sites using this exact same method. The strange thing is, they're completely different types of sites."

It's not uncommon to see hackers and scammers try to hide their malicious JavaScript code, said Hubbard. They want the code to be invisible to both Internet users and site operators. But the scale Websense is seeing is unprecedented.

For the most part, the JS/Wonka routines rely on converting characters to and from their respective Unicode values. JavaScript does those conversions automatically, so it's a small-footprint method that doesn't require much expertise on the part of the code writer.

Often the JavaScript code is hidden within an IFRAME whose dimensions have been set to zero, making it invisible to the naked eye. Internet Explorer has several IFRAME vulnerabilities -- both patched bugs and flaws reported but not yet patched -- which the attackers leverage.
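As an added illustration of the two markers described above (character-code conversion and zero-size IFRAMEs), the following is a small page scanner a site operator could run over their own HTML. It is example code written for this article, not Websense's sample code, and the embedded page and the decoded text are constructed placeholders.

```javascript
// Added example (not from the article or Websense): flag two markers the article
// associates with JS/Wonka-style pages, and decode the hidden text so an operator
// can see what a fromCharCode() call actually produces.

// Constructed sample page: an invisible IFRAME plus a fromCharCode-obfuscated script.
// The decoded string is a harmless placeholder, not a real payload.
const SAMPLE_HTML = `
<html><body>
<p>Welcome to our store</p>
<iframe src="http://placeholder.invalid/frame" width="0" height="0" frameborder="0"></iframe>
<script>document.write(String.fromCharCode(104,105,100,100,101,110,32,99,111,110,116,101,110,116));</script>
</body></html>`;

// Decode every String.fromCharCode(n, n, ...) call whose argument list is purely numeric.
function decodeCharCodeCalls(text) {
  const re = /String\.fromCharCode\(\s*([0-9]+(?:\s*,\s*[0-9]+)*)\s*\)/g;
  const out = [];
  for (const m of text.matchAll(re)) {
    const codes = m[1].split(',').map(s => Number(s.trim()));
    out.push({ count: codes.length, decoded: String.fromCharCode(...codes) });
  }
  return out;
}

// Find IFRAME tags whose width or height attribute is zero (the "zero values" above).
function findZeroSizeIframes(text) {
  const tags = text.match(/<iframe\b[^>]*>/gi) || [];
  return tags.filter(tag =>
    /\b(?:width|height)\s*=\s*["']?0(?:px)?["']?(?=[\s>])/i.test(tag));
}

// Combine both checks; short fromCharCode calls are common in benign code, so only
// argument lists of at least minCodes values are reported.
function scanPage(html, minCodes = 8) {
  const findings = [];
  for (const tag of findZeroSizeIframes(html)) findings.push({ kind: 'zero-size-iframe', detail: tag });
  for (const d of decodeCharCodeCalls(html)) {
    if (d.count >= minCodes) findings.push({ kind: 'charcode-obfuscation', detail: d.decoded });
  }
  return findings;
}

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

This is a first-pass grep rather than a JavaScript parser: obfuscation that splits the call name, builds the codes with arithmetic, or nests several decoding layers will not match these patterns, so a hit is a prompt for manual review and a miss is not a clean bill of health.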

Attackers have sometimes created Byzantine paths between Web sites to further obscure their work, sending users from one site to another via IFRAME exploits and hidden JavaScript. Sites seen using the JS/Wonka routines include those that spoof search engine results, disable pop-up blockers, falsely claim that the PC is infected with spyware, and market spammed products such as fake pharmaceuticals, low-rate mortgages, pornography, and illegally copied software.

Internet Explorer isn't the only browser vulnerable to JS/Wonka, however. Alternate browsers, including the popular Firefox, can be fooled with JavaScript tricks, too, and have been victimized by numerous JavaScript vulnerabilities in 2005.

"The interesting thing here is the sheer climb in volume of sites using these routines," said Hubbard. "It's either a toolkit or coordination between hackers. There's no public toolkit we've found, but there are banks of domain names using JS/Wonka that are registered to similar names."

About half of the more than 10,000 sites using JS/Wonka are either compromised or malicious Web sites attempting to stick malware or spyware on unsuspecting users' PCs, said Hubbard. The other half use the encoded, obfuscated JavaScript either to display spoofed search results that link to sites selling products typically shilled through spam, or to hide their URLs from affiliate advertising vendors because those sites may be breaking contractual agreements.

Some Web advertising and/or adware firms, for instance, when accused by users and anti-spyware vendors of infecting PCs, have blamed their wide-flung affiliates for secretly installing software, including some programs that verge on spyware. Such affiliates may want to hide their URLs to make it harder for their partners to check up on their installation practices.

Three out of four of the sites found using JS/Wonka are hosted in the U.S., said Websense, another indication that either a group of scammers is working together, or that an obfuscation toolkit has just been made available and hasn't had time to spread overseas.

The Websense alert, which includes samples of the JavaScript code -- useful for site operators, said Hubbard, since they can search for characters in the samples to see if their site is infected -- can be downloaded in PDF format from the San Diego-based firm's Web site.