Show HN: ScriptObservatory.org – How much malicious JavaScript goes unnoticed?
scriptobservatory.org
Hi all. This is a side-project I've been working on for a while now. From the FAQs page:
Why is something like this a good idea?
JavaScript, iframes, and other embedded web content have the potential to cause your browser to take unwanted and even harmful actions on your behalf, however visibility into what you're running as you browse is very limited. After-the-fact analysis of what you were sent is (in nearly all cases) outright impossible.
If you have any thoughts or want a few interesting queries to get started, get in touch. Feedback is welcome!
Can you help with any analysis of http://blog.voltagex.org/2015/10/07/malvertising-on-my-stack...?
Basically, a script started displaying really intrusive ads on StackOverflow, initially only on my Nexus 5 - the only way to get rid of them was clearing the cache. It did not happen over HTTPS. A commenter thinks it might be a compromised Google Analytics script but this doesn't sound possible.
Hmm, that sounds strange.
If you were only able to reproduce it on a Nexus 5, I don't think analysis with ScriptObservatory will be easy. I'd still suggest submitting the URLs to be scanned by the robo-browser and then looking to see if what gets reported looks similar to what you saw before.
Also, if you write a Yara rule that matches on some of the unique features in the JS/iframes you saw, you could run a search through what's been seen. You can use that to also be alerted when new matches are reported. If something similar has been seen elsewhere, you might be able to tie it to a specific ad network.
Looking at Yara rules - I won't have time today but a unique-ish string in the script was
adsbyText:"ADS BY "+
including quotes.
Yep, that looks like a good string to key off of.
The results for the site you mentioned are here - https://scriptobservatory.org/webpage/543677125f1bea8226ba7c... - but I don't see anything that looks like a clear match.
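As an added illustration of the Yara-rule approach suggested above (this is not a rule from the thread or from ScriptObservatory), here is a rule keyed on the fragment the commenter quoted. The rule name, meta fields and the looser regex variant are assumptions; the exact-string variant is the quoted fragment with its quotes, and the regex tolerates whitespace differences that a minifier or re-formatter might introduce.

```yara
// Added example; not from the thread or ScriptObservatory.
// Rule name and meta values are assumptions; the exact string is the one quoted in the thread.
rule suspected_ads_by_injector
{
    meta:
        description = "Script containing the 'ADS BY' concatenation fragment quoted in the HN thread"
        note        = "Constructed detection example; review matches manually before acting on them"

    strings:
        // Exact fragment as reported, including the double quotes around ADS BY
        $ads_by_exact = "adsbyText:\"ADS BY \"+" ascii

        // Looser variant (assumption): same tokens, but whitespace around ':' and '+' may vary
        $ads_by_loose = /adsbyText\s*:\s*"ADS BY "\s*\+/ ascii

    condition:
        $ads_by_exact or $ads_by_loose
}
```

A single string like this is a narrow indicator: it will match this particular injector and little else, and a trivial rename of `adsbyText` defeats it. That is acceptable for the use case described above (searching what has already been seen and alerting on new reports), but a rule meant to generalise across ad-injection scripts would need several independent strings combined in the condition.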
Do you differentiate between http and https versions of sites?
Yes, the two are considered as if they were completely separate sites.
The only reason I haven't run it again in a VM on a desktop is that the desktop version of these ads is a lot more malicious - exe downloads of antivirus scam software