Free Knowledge Database

Computer Knowledge Community

September 24, 2014 IT News

jQuery.com compromised to serve malware via drive-by download

Update, update and update again to reduce the chance of being hacked or attacked. Keep learning; never stop. As for Java-based software, once again: remove it for security's sake if you do not actually need it to run your own systems, operating system, server and the like. Or drop Java and use other, better solutions.

jQuery.com, the official website of the popular cross-platform JavaScript library of the same name, had been compromised and had been redirecting visitors to a website hosting the RIG exploit kit and, ultimately, delivering information-stealing malware.

While any website compromise is dangerous for users, this one is particularly disconcerting because of the demographic of its users, says James Pleger, Director of Research at RiskIQ.

“The jQuery library is a very popular toolkit for developing websites with dynamic content and is widely used by developers within enterprises. jQuery users are generally IT Systems Administrators and Web Developers, including a large contingent who work within enterprises,” he pointed out.

“Typically, these individuals have privileged access to web properties, backend systems and other critical infrastructure. Planting malware capable of stealing credentials on devices owned by privileged account holders inside companies could allow attackers to silently compromise enterprise systems, similar to what happened in the infamous Target breach.”

The attack was first detected on September 18, and given that the malicious redirector was hosted on a domain (jquery-cdn.com) that was registered on the same day, it is more than likely that the attack actually started that day.

RiskIQ researchers immediately notified the jQuery Foundation about the compromise, and reported that “the site’s administrators were addressing the issue.”

Users who visited the site on or around September 18 are advised to check whether they have been compromised by the malware. The researchers recommend immediately re-imaging the system, resetting passwords for user accounts that have been used on it, and checking whether suspicious activity (data exfiltration, etc.) has originated from it.

The good news is that there is no indication that the jQuery library itself has been affected.

UPDATE, 23 September, 10:11 PM CET: Kris Borchers, Executive Director, jQuery Foundation, has sent us the following quote: “Despite significant investigation after being alerted to a potential issue, the jQuery Foundation has been unable to confirm or unearth any indication that a malicious script ever existed on our servers.”

This article was modified to reflect that statement, and to make clear that RiskIQ researchers stated that the issue was addressed by the jQuery team.

UPDATE, 24 September, 01:40 AM CET: RiskIQ had this to say about their findings: “We run crawling infrastructure that scans websites for security issues, much like a user would. During a crawl, we detected the attempt to exploit our crawler. Because we save the raw content that we receive from websites that we browse, we were able to definitively determine that it came from jquery.com. We were able to verify these findings with several Fortune 100 companies as well, who had seen the jquery-cdn.com domain with a referrer of jquery.com in their proxy logs.”
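The proxy-log check RiskIQ describes above (requests to jquery-cdn.com with jquery.com as the referrer) is also the quickest way for an enterprise to find the internal hosts that the earlier advice about re-imaging and password resets applies to. The script below is an added example, not code from the original article, from RiskIQ or from the jQuery Foundation. It assumes a simplified one-request-per-line proxy log format (timestamp, client IP, method, URL, status, referrer), uses constructed sample lines, and takes the only two indicators from the article: the redirector domain jquery-cdn.com, the referring site jquery.com, and a review window starting on 18 September 2014 (the end date is an assumption).

```python
"""Find proxy-log hits on the jquery-cdn.com redirector and summarise affected clients.

Added example, not from the original article or from RiskIQ's tooling.
Assumed log format (one request per line):
  <ISO-8601 UTC timestamp> <client IP> <method> <URL> <status> <referrer or ->
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Indicators named in the article: the redirector domain and the referring site.
REDIRECTOR_DOMAIN = "jquery-cdn.com"
REFERRER_DOMAIN = "jquery.com"

# Review window. The start is the article's date of first detection, which is also
# the day the redirector domain was registered; the end is an assumption.
WINDOW_START = datetime(2014, 9, 18, tzinfo=timezone.utc)
WINDOW_END = datetime(2014, 9, 25, tzinfo=timezone.utc)

# Constructed sample log lines (not real traffic; paths are made up).
SAMPLE_LOG = """\
2014-09-17T09:15:02Z 10.20.30.11 GET http://jquery.com/ 200 -
2014-09-18T14:02:11Z 10.20.30.41 GET http://jquery.com/ 200 -
2014-09-18T14:02:13Z 10.20.30.41 GET http://jquery-cdn.com/sample/redirect.js 200 http://jquery.com/
2014-09-18T14:05:40Z 10.20.30.57 GET http://code.jquery.com/jquery-1.11.1.min.js 200 http://example.test/
2014-09-19T08:31:09Z 10.20.30.41 GET http://jquery-cdn.com/sample/redirect.js 200 http://jquery.com/download/
2014-09-19T08:40:00Z 10.20.30.88 GET http://jquery-cdn.com/sample/redirect.js 200 -
2014-09-30T11:00:00Z 10.20.30.99 GET http://jquery-cdn.com/sample/redirect.js 200 http://jquery.com/
"""


def host_of(url):
    """Lower-cased hostname of a URL; empty string for the '-' placeholder or junk."""
    if url == "-":
        return ""
    return (urlsplit(url).hostname or "").lower()


def matches_domain(host, domain):
    """True for the domain itself or any subdomain; avoids 'notjquery.com' false matches."""
    return host == domain or host.endswith("." + domain)


def parse_line(line):
    """Split one log line into a record, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, referrer = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    return {"when": when, "client": client, "method": method,
            "url": url, "status": status, "referrer": referrer}


def find_redirector_hits(log_text, start=WINDOW_START, end=WINDOW_END):
    """Return every in-window request to the redirector domain, flagging the
    ones whose referrer is jquery.com (the pattern RiskIQ's partners saw)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not (start <= rec["when"] < end):
            continue
        if not matches_domain(host_of(rec["url"]), REDIRECTOR_DOMAIN):
            continue
        rec["referred_from_jquery"] = matches_domain(host_of(rec["referrer"]), REFERRER_DOMAIN)
        hits.append(rec)
    return hits


def clients_to_investigate(hits):
    """Group hits per internal client IP. These are the hosts to re-image, whose
    users' passwords should be reset, and whose outbound traffic should be reviewed."""
    summary = defaultdict(lambda: {"first_seen": None, "hits": 0, "referred_from_jquery": False})
    for h in hits:
        s = summary[h["client"]]
        s["hits"] += 1
        s["referred_from_jquery"] = s["referred_from_jquery"] or h["referred_from_jquery"]
        if s["first_seen"] is None or h["when"] < s["first_seen"]:
            s["first_seen"] = h["when"]
    return dict(summary)


if __name__ == "__main__":
    for client, info in sorted(clients_to_investigate(find_redirector_hits(SAMPLE_LOG)).items()):
        print(f"{client}: {info['hits']} hit(s), first seen {info['first_seen'].isoformat()}, "
              f"referred from jquery.com: {info['referred_from_jquery']}")
```

Every request to the redirector domain inside the window is reported, not only those with a jquery.com referrer, because a missing or stripped referrer header says nothing about whether the client was exposed; the referrer flag is kept only as supporting evidence. Replace `parse_line` with a parser for your proxy's actual format (Squid, BlueCoat, etc.) before running it on real logs.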

Thanks to Zorz for the above content.

For more badware samples, go here; for solutions on how to troubleshoot software issues on Windows, browse this Help Desk. Also, be careful with sponsored search results, ads and the like so you can keep your OS free of those annoying PUPs. A single hot keyword could bring the unwanted Spyhunter 4 to you.

At your request…

 
