Obfuscated (hidden) Javascript attacks were popular amongst criminal hackers a couple of years ago, and were widely reported by several vendors, who developed heuristic scanning solutions to counter the problem, Infosecurity notes.
Now they appear to be making a comeback as, in its June 2010 threat landscape, Fortinet says that obfuscated Javascript attacks, as well as new variations of the Sasfis botnet, have entered the malware Top 10 list.
Sasfis, which has been competing with the Pushdo botnet in terms of sheer volume, was very active this month, says the company.
Derek Manky, Fortinet 's project manager for cybersecurity and threat research, said that his team have observed Sasfis loading a spambot component, which was heavily used to send out binary copies of itself in an aggressive seeding campaign.
"The Sasfis socially-engineered emails typically had two themes; one looked like a fake UPS Invoice attachment, and the other was disguised as a fees statement. Much like the Pushdo and Bredolab botnets, Sasfis is a loader – the spambot agent is just one of multiple components downloaded", he said.
On the Javascript front, Manky said that JS/Redir.BK – an obfuscated JavaScript code attack – underwent a surge of activity on June 12/13. The JavaScript code, he says, redirected users to various legitimate domains hosting an injected HTML page named "z.htm."
In one attack, the HTML containing the malicious JavaScript code was attached as the file "open.htm" in an e-mail urging the user to update their MS Outlook client.
The exact same email also circulated with a FakeAV binary attachment, once again proving that spam templates are often recycled for various attacks.
In another example, a 'bad news' email socially engineered for the FIFA World Cup, had the same malicious JavaScript attached through a file named "news.html."
Manky says there is no doubt that JavaScript is one of the most popular languages used today for attacks.
"It is used in a growing number of poisoned document attacks (PDF), particularly with heap-spray based techniques. It's also used to launch exploits, and it is popular as a browser redirector to malicious sites, since the JavaScript code can be obfuscated and appear to be more complex than traditional IFrame based attacks from the past", he said.