Researchers notice massive increase in malicious jQuery libraries

The number of injected jQuery files is on the rise.

Researchers at Trustwave's SpiderLabs have noticed a rather large uptick in the number of jQuery files that have been injected with malicious code over the last few months. The actors behind the hijackings are using their code to serve up fake software updates, including alleged Adobe Flash Player installations.

In a blog post on the subject, Trustwave's Ben Hayak and Rami Kogan said:

"We hear a lot about various techniques and vulnerabilities used to inject malicious code into webpages. Sometimes, for the attackers, the focus is not on how to get the code there, but how to hide it in order to keep it there for as long as possible. It seems that as of late injecting malicious code into jQuery is one of attackers' favorite methods for doing so."

There were 39 new malicious jQuery libraries placed online within 24 hours of the blog post being written, but that is only a small sample of the overall problem. Over the last six months, researchers have noted a 160 percent jump in the number of injected libraries.

jQuery is a feature-packed JavaScript library commonly used in various web applications. It's the base for many add-on scripts and plug-ins including imaging and editing on platforms such as Drupal and WordPress. It's popular because of speed and efficiency, but that's also why criminals are able to hijack it with ease.

As the researchers note:

"In this case, speed and efficiency have higher priority than human readability; therefore jQuery includes only essential features to keep the code tight and focused by using minimal variable and function names, minimal use of spaces, no comments, etc. In addition, developers usually use jQuery libraries as a plug-and-play product, which doesn’t require maintenance apart from library updates. Because jQuery libraries are minified and infrequently reviewed by those using them, jQuery becomes a good place to hide malicious code."

The best defense against having your code hijacked like this is a solid offense, including change monitoring on the code, and consistent code reviews of scripts and libraries. Moreover, regular code audits will also help spot problems should the code become compromised.
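One way to implement the change monitoring recommended above, shown as an added example that is not from Trustwave or the original article: hash every jQuery file after a reviewed deployment and compare later snapshots against that baseline. The `jquery` filename filter, the directory layout and the file contents are constructed assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash the file in chunks so large bundles are not loaded into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(webroot: Path) -> dict:
    """Map every jQuery-named .js file under webroot to its SHA-256."""
    return {
        p.relative_to(webroot).as_posix(): sha256_of(p)
        for p in sorted(webroot.rglob("*.js"))
        if "jquery" in p.name.lower()  # assumed naming convention
    }


def compare(baseline: dict, current: dict) -> dict:
    """Report files that changed, appeared, or vanished since the baseline."""
    changed = (f for f in baseline if f in current and current[f] != baseline[f])
    return {
        "modified": sorted(changed),
        "added": sorted(f for f in current if f not in baseline),
        "removed": sorted(f for f in baseline if f not in current),
    }


def demo() -> dict:
    """Constructed scenario: one library altered, one unexpected copy added."""
    with tempfile.TemporaryDirectory() as tmp:
        js = Path(tmp) / "js"
        js.mkdir()
        lib = js / "jquery.min.js"
        lib.write_bytes(b"/*! constructed stand-in for a minified library */")
        (js / "jquery.ui.min.js").write_bytes(b"/* constructed plugin */")
        baseline = snapshot(Path(tmp))  # taken right after a reviewed deploy
        # Simulate an unreviewed change: extra bytes appended to the library.
        lib.write_bytes(lib.read_bytes() + b";/* constructed appended bytes */")
        (js / "jquery-1.x.copy.js").write_bytes(b"/* constructed */")
        return compare(baseline, snapshot(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

Any entry under `modified` or `added` that does not correspond to a planned library update is a file to pull for manual review.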
