Fake jQuery Website Serving Redirection Malware

This just in, hot off the press, careful with the jQuery libraries you’re using on your websites.

We received word from @chris_olbekson via Twitter about some hacks being reported on the WordPress forums:

The tweet links to a the fake jQuery domain being used to distribute the malware (jquerys.com). If you click on the domain, it does a simple redirect to the correct jQuery website – jquery.com. Don’t let that fool you, it’s not a nice site.

Chris also linked a ticket that was submitted to the official jQuery Bug tracker notifying there was some funny business going on. The ticket was closed as invalid.

So what’s the happs?

We went on to check the script that is being loaded and masking itself as a legitimate source. It is being loaded from www.jquerys.org/class/jquery-1.6.3.min.js – looks fairly legit, until you analyze the domain name which adds an “s”.

When you check out the code in the script, you can quickly tell something’s not right.

The script starts with a function to open a new window:

        function doOpen(url)
        {
                if ( puShown == true )
                {
                        return true;
                }
 
                win = window.open(url, 'wmPu', 'width=1200,
height=800,scrollbars=yes,toolbar=no,location=no,resizable=yes');

                if ( win )
                {
                        win.blur();
                        window.focus();
                        puShown = true;
                }
                return win;
        }

It then ends with the link to the malicious website:

        function checkTarget(e)
        {
        	if ( !getCookie('popundr') ) {
                var e = e || window.event;
                var win = doOpen('http://www.watchliveonline.org');
		win.blur();
                window.focus();
	        setcookie('popundr', 1, time() + (1 * 48 * 60 * 60))
        	}
        }

The website called in the script is already blacklisted by Google:

What’s it really do?

Ultimately the fake jQuery script loads a window that pops up the www.watchliveonline.org website. From some quick research we could see that this is nothing new, it has been active for over a month. The ultimate risk from what we could tell is the pop up leads you to a spammy site, no payload or other issues were found at time of analysis.

What should you do.

Check your jQuery includes to make sure they are are from a legit source. If they are coming from jquerys.com, remove it immediately.

The overall impact is not severe, but if you don’t want to be serving spammy pop-ups, it’s probably a good idea to take a look at your libraries and where they’re linked from.

You can also easily check if your running a bad version by running a free scan via Sucuri SiteCheck.

If you have any questions, leave a comment below. If you’re infected with malware, take a look at Sucuri.net, the industry standard in website monitoring and malware removal.

Read more: Fake jQuery Website Serving Redirection Malware