So What’s the Scenario?!?
In retrospect, it’s very simple. Append the payload to the file, hence adding junk to the trunk, similar in concept to what we are seeing with the Apache modules, but leveraging .htaccess.
This is how they are doing it:
They have a payload on the server that is anything but the normal files you’d expect, i.e., HTML, JS, PHP, CSS, etc.., in this scenario it was a ShockWaveFile (.swf):
You then auto_append that rogue file to all JS files, oh which by the way, you treat as PHP:
<files ~ "\.js$"> SetHandler application/x-httpd-php php_value auto_prepend_file [path to your rogue file] php_flag display_errors Off </files>
Keeping it Simple
I wouldn’t place too much thought into that, let’s keep the drama low folks. I don’t think it’s for any reason other than different breeds of attackers. Some groups are more particular to one platform over another and as they come up with tactics it spreads, at some point it jumps the fence and it’ll only be a matter of time before other platforms start seeing similar attack patterns.
Don’t Forget About Cache!!