Malicious JavaScript code used to be contained in single .JS or .HTML files, which made malicious JavaScript analysis and detection pretty straightforward.
However, in the past few days, a couple of distinct Web compromises caught my attention because the code involved used the multipart malicious JavaScript technique. In this technique, the malicious JavaScript code is split into several parts that are spread across different files.
In the example below, you can see the .HTML file linking to ap.js while the embedded JavaScript calls the function ac2().
The function ac2(), however, is not in the JavaScript embedded in the current .HTML file but is in the linked .JS file ap.js as shown below.
This technique is noteworthy because a malicious JavaScript code can be divided into several parts, each of which looks harmless on its own; the code reveals its true nature only when its parts are correctly pieced together.
For security researchers and analysts, this means that analysis of .HTML and .JS files should not be limited to the individual files but should be done in the context of the website where those .HTML and .JS files are used, with each linked script resolved and examined alongside the page that loads it.
The multipart malicious JavaScript technique is not brand new; we have seen it in malicious websites involved in exploiting the OCW ActiveX vulnerability. What is interesting to note, however, is that the use of the multipart technique seems to be increasing, as evidenced by the JavaScript code found in relation to two distinct Web compromises. This only means the bad guys are realizing the potential of this technique to make analysis and detection a little bit more difficult.
Fortunately, Trend Micro™ Smart Protection Network™ detects the malicious JavaScript mentioned as Expl_ShellCodeSM. The malicious URLs hosting the said scripts are also blocked.
Hat tip to advanced threats researcher Lion Gu for initially bringing the malicious scripts to my attention.

View full post on TrendLabs | Malware Blog – by Trend Micro
Posted on 12 June 2010. Tags: Increased, JavaScripts, Malicious, MultiPart, Wild
There are similar cases in Japan as well. I need to write an article about it... RT @TrendMicro Increased Use of MultiPart Malicious JavaScripts in the Wild http://blog.trendmicro.com/?p=25295
Increased Use of MultiPart Malicious JavaScripts in the Wild http://blog.trendmicro.com/?p=25295
[...] Increased Use of MultiPart Malicious JavaScripts in the Wild | Malware Blog | Trend Micro. [...]