Malware hides behind JavaScript, PNGs to bypass browser security

Web attack uses malware encoded as images and delivered through iframe injection in a way that escapes easy detection

A newly discovered cross-site scripting attack uses a sly variant on an existing hack to deliver malware in a way that's so heavily obfuscated, even experts didn't notice it at first.

Said experts were the folks at Sucuri, the security researchers who unearthed hacks on Web servers involving rogue Apache modules and brought attention to how Google was unthinkingly spreading malware via its automated site crawlers.

The new attack, detailed by Peter Gramantik in a post in Sucuri's blog, takes some kind of award for being so heavily disguised. It began with content loaded via a hidden iframe, which by itself consisted of vanilla JavaScript. One possible hint at something being wrong surfaced right away: The JavaScript file in question was named "jquery.js", but the file loaded definitely wasn't the JavaScript Web library we all know about.

What the library did was load another file, a PNG-format image, from the same domain. Again, the image in question seemed completely innocuous. But a closer look at the jquery.js file revealed a small loop that extracted yet another script: one encoded as binary data inside the image file's metadata.

This second script then created an entirely new iframe -- one positioned offscreen to avoid being seen -- and loaded into that iframe new code, presumably hostile, from a third-party domain. As Gramantik pointed out, this constitutes a "nice little technique both for drive-by-download and SEP (Search Engine Poisoning) attacks." He also pointed out that the use of a PNG file is arbitrary, as the data could be smuggled in via any number of image types.

Web browsers have a number of obfuscated ways, many of them perfectly valid, to load or display content. A common one that has been used as a malware vector many times before is the "data:" URI. Normally it allows images to be displayed via inline code, but it's also been involved countless times to smuggle unwanted data into Web pages. Back in 2007, a Windows bug even allowed abuse of the URI system to execute arbitrary code. (It's since been patched.)

But this new exploit raises eyebrows in big part because it takes so many steps to circumvent conventional security on both the server and client side. Most malware detection can't follow such a trail all the way to the end, so this attack runs a greater risk of existing undetected. Web malware exploits servers first since one compromised server can spread malware to thousands of unsuspecting clients in short order. When the real payload isn't even present on your server, or being delivered in a way that would trip most alarms, it's even tougher to stop.

This story, "Malware hides behind JavaScript, PNGs to bypass browser security," was originally published at Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow on Twitter.

Copyright © 2014 IDG Communications, Inc.