Blacklist jquery.com with NoScript

Hyphen, New member, Dec 2, 2008
I was recently participating in a web design project that incorporated a little jQuery slideshow. I'm very protective of my system because I do a lot of work online, like most of you. A few days ago, someone managed to get into my Gmail, and this morning I was woken up by Chase informing me that a pretty trivial amount had been charged to my card.

I don't use any active AV protection because I don't open random ass files, but I do use Outpost as a firewall. I had sent the design mockup page to two friends for opinions. One of them had their debit card jacked; another visited the page last night and her Microsoft Security Essentials was popping up every 5 seconds citing the following infection:
Backdoor:Win32/Cycbot.A

That's not a fun trojan at all and it has me fucked so far, doing what I can to take care of it. The only thing external being served on that entire domain is: http://code.jquery.com/jquery-1.4.2.min.js
AVG isn't an amazing source, but you can see that recently they've had a few reports about jQuery: jquery.com | Free Site Report & Safety Rating from AVG Threat Labs

Cycbot.A was first discovered by most databases on September 29th, around that exact same time.


Just as a warning, I'd go ahead and blacklist jquery.com for the time being.
 


I don't use any active AV protection

 
As mentioned, most databases are seeing this on the 29th, and I doubt most heuristics are up to date on this bot anyway.

Either way, even with active AV protection, you'll still get rocked by replication:
Another who was using NOD32 never even got an alert.
in b4 courteous thread becomes a battle over who's the koolest AV/firewall to use
 
 
Worst case, reinstall your OS, then get VirtualBox and install another Windows on your computer.
Open suspicious files there instead.
Hi imkazu, I enjoy your blog. Two points to make:

  1. No one should need to be suspicious before allowing any JS from jQuery to be executed. It's used very widely, and this isn't some scenario where I opened server.exe; it's a scenario where some exploit was bundled up into one of their JS packages.
  2. Even if this were the aforementioned scenario, I think most bot trojans in 2010 defeat pretty much any virtualization or sandbox software.

This sort of thing is pretty unavoidable (on fucking Windows).
 
Just use Kaspersky Internet Security and you're good to go. They have a Mac antivirus too.

Macs are just as susceptible to viruses and software security holes as Windows. There have been plenty of backdoors found in iTunes alone (a number of which still aren't plugged) to prove that point.
 
Does this mean I has virus from read your post? How does I get rid of virus? You need to stop posting here until you get rid of virus.
 
Good looks on that man, appreciate the alternative.



I'm dying to hear your rationalization for how this can happen.
I can't tell if you're serious or not. You're one of those guys who fires up VirtualBox to run ~!*ShAdY PRoGz*!~ assuming that your computer is now Iron Man? Keep on doing that as often as possible and I won't need to provide any rationalization.
 
Were you hosting this landing page on a server somewhere? If so, shared or dedicated?

Either way, I would go through your code very carefully and check that no malicious code has somehow been injected - there has been a lot of this happening recently, especially to outdated WP installs.

Way more likely that this is what's happened, mate.
 
Or, of course, just host it yourself.

I don't get why people are so against this.
jQuery goes through very regular updates. Calling it remotely is what most web developers do, really.



Were you hosting this landing page on a server somewhere? If so, shared or dedicated?

Either way, I would go through your code very carefully and check that no malicious code has somehow been injected - there has been a lot of this happening recently, especially to outdated WP installs.

Way more likely that this is what's happened, mate.
We went through it very, very extensively, and it was most definitely the JS from jQuery. The page is nothing but some basic CSS/xHTML and a single inclusion of a code.jquery.com JS file. One of my friends, who I accidentally pulled into this, and I were pretty adamant about getting to the bottom of it, as I was convinced that I was paying a web designer around $1500 to bot me.