Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Recent Posts

  • Calendar

    August 2014
    S M T W T F S
    « Jul    
     12
    3456789
    10111213141516
    17181920212223
    24252627282930
    31  
  • About Us

    Malicious JavaScript code used to be contained in single .JS or .HTML files, which made malicious JavaScript analysis and detection pretty straightforward.

    However, in the past few days, a couple of distinct Web compromises caught my attention because the codes involved used the multipart malicious JavaScript technique. In this technique, malicious JavaScript codes can be divided into multiple parts to make up different files.

    In the example below, you can see the .HTML file linking to ap.js while the embedded JavaScript calls the function ac2().

    Click for larger view

    The function ac2(), however, is not in the JavaScript embedded in the current .HTML file but is in the linked .JS file ap.js as shown below.

    Click for larger view

    This technique is noteworthy because a malicious JavaScript code can be divided into several parts, each nonmalicious in nature, but will reveal its true nature only when its parts are correctly pieced together.

    For security researchers and analysts, this means that analyzing .HTML and .JS files should not be limited to the actual files but should be done in the context of the website where the .HTML and .JS files were used.

    The multipart malicious JavaScript technique is not brand new, we have seen it in malicious websites involved in exploiting the OCW ActiveX vulnerability. What is interesting to note, however, is that the use of the multipart technique seems to be increasing, as evidenced by the JavaScript codes found in relation to two distinct Web compromises. This only means the bad guys are realizing the potential of this technique to make analysis and detection a little bit more difficult.

    Fortunately, Trend Micro™ Smart Protection Network™ detects the malicious JavaScript mentioned as Expl_ShellCodeSM. The malicious URLs hosting the said scripts are also blocked.

    Hat tip to advanced threats researcher Lion Gu for initially bringing the malicious scripts to my attention





    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   del.icio.us   StumbleUpon






     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice