Threat Management, Incident Response, TDR

Attack injects malicious JavaScript into e-commerce sites

A "massive attack" related to the November break-in of an internet hosting company has injected malicious JavaScript code into several hundred e-commerce websites, particularly in the United Kingdom, according to Trend Micro.

The JavaScript code takes advantage of several vulnerabilities to infiltrate an unsuspecting user's system, according to a
blog post by TrendLabs' Carolyn Guevarra. These include the AOL SB.SuperBuddy.1 ActiveX control remote code execution vulnerability, an Apple QuickTime file-handling remote command injection vulnerability, and a memory corruption within Microsoft's Internet Explorer web browser.


A significant number of servers at six or seven large internet website hosting facilities have been compromised in this attack, Paul Ferguson, an advanced threat researcher with Trend Micro, told Because each of these servers hosts multiple web domains, "We don't know the scope of how many pages or domains have been compromised," he said.


The injected JavaScript is what Ferguson calls "obfuscated" code because "you can't just look inside it and determine what sort of maliciousness it's up to." The JavaScript generates a random file name, which "brings difficulty in searching for more compromised pages," Guevarra said in her post. "Add to that the fact that [the] JavaScript is hosted in the compromised domain itself."


The malicious JavaScript "routine is unlike other compromises where websites are usually injected with either a malicious iFrame link or hosting a JavaScript in other domains usually created and registered solely to host the malicious code or payload for these types of threats," she added.


Trend Micro's security researchers are still baffled by this event, she said in the blog. Trend Micro said it has identified more than 300 small e-commerce that have been injected with malicious JavaScript code.


"Users infected with this malicious JavaScript ultimately download a malicious .MOV file and trojan programs onto their computers," Guevarra added. "Trend Micro detects the malicious JavaScript as JS_IESLICE.AQ and the malicious .MOV file as a variant of XML_HACK. The downloaded trojan programs are detected as TROJ_DROPPER.NH and TROJ_AGENT.HJS."

"Motivation behind cyber attacks nowadays is always driven by money," Guevarra said in her posting. "This is just a first in a long series of e-commerce-related invasions that will occur in 2008, if companies and users don't take extra measures in securing their online businesses.

"Keep your software updated and be extra vigilant in doing business online," she warned.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.