Detect malicious HTML/JavaScript payloads with WebInspect (e.g. ASPROX, Gumblar, Income Iframe)

JDS Australia has developed a set of Custom Checks for WebInspect that aim to detect malicious HTML/JavaScript related to automated attacks being carried out across the Internet that infect Web Applications. These malicious payloads connect to domains under the control of the attacker that deliver attacks against known vulnerabilities in commonly installed applications (e.g. Adobe Acrobat Reader and Adobe Flash, in the case of the Gumblar/Matruz payloads).

Example of WebInspect Dashboard showing detected vulnerabilities/infections

Example of WebInspect Session Vulnerability View showing information regarding the Gumblar JavaScript payload

These Custom Checks have been bundled together within a Custom Policy for WebInspect, named ‘jds_javascriptPayloadsChecks’ (downloadable here). This Policy does not conduct any form of attack and thus provides an excellent means to identify the presence and location of malicious HTML/JavaScript within any web application (think of it as a Crawl Only with a little bit of intelligence). Once this Custom Policy is imported into your instance of WebInspect you can bundle the Custom Checks with any other Policy as needed; for example, you could bundle the Checks into the ‘Standard’ Policy.

In conjunction with the use of this Custom Policy, WebInspect Users should ensure that the ‘Enable Active Content in Browser Views’ checkbox is unchecked via Edit > Application Settings > General, as well as turning off JavaScript within browsers used to manually navigate to any potentially infected web pages. And of course, update Adobe Acrobat Reader, Adobe Flash, and Microsoft products to the latest versions, which address the known vulnerabilities being leveraged for the Gumblar/Matruz attacks.

WebInspect Users should ensure this checkbox is unchecked when dealing with potentially malicious JavaScript

We will endeavour to keep these Custom Checks and this Custom Policy updated as new information on existing and new web application infections comes to hand, so make sure to check this article for updates.

The current Custom Checks in this Policy check for the following payloads:
ASPROX
Gumblar.cn
Income Iframe
Fake Yahoo Counter
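To illustrate what a passive, crawl-only check of this kind does, here is an added example (not the JDS Custom Checks, whose signatures are not published in this article): it inspects already-fetched HTML and reports script or iframe references to a suspect domain (gumblar.cn is the one named above), zero-sized or CSS-hidden iframes, and heuristically obfuscated inline script. The sample page, the example.invalid host and the obfuscation heuristic are constructed assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain the article names as a payload host; a real check would load a
# maintained list. Everything else below is an illustrative assumption.
SUSPECT_DOMAINS = {"gumblar.cn"}
HIDDEN_CSS = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
# Heuristic for obfuscated inline droppers: unescape/fromCharCode or long %xx runs.
OBFUSCATION = re.compile(r"unescape\s*\(|fromCharCode|(?:%[0-9a-f]{2}){8,}", re.I)
def _suspect_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in SUSPECT_DOMAINS)

class PayloadCheck(HTMLParser):
    """Passive check: inspects already-fetched HTML, sends no requests."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._in_script = page_url, [], False
    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        if tag in ("script", "iframe") and src and _suspect_host(src):
            self.findings.append((self.page_url, f"{tag} from suspect domain {src}"))
        if tag == "iframe" and (a.get("width") == "0" or a.get("height") == "0"
                                or HIDDEN_CSS.search(a.get("style", ""))):
            self.findings.append((self.page_url, f"hidden iframe {src or '(no src)'}"))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script and OBFUSCATION.search(data):
            self.findings.append((self.page_url, "obfuscated inline script"))

def scan_html(page_url, html):
    """Return a list of (url, description) findings for one crawled page."""
    checker = PayloadCheck(page_url)
    checker.feed(html)
    return checker.findings

# Constructed sample page (not a real capture) exhibiting all three patterns.
SAMPLE = """<html><body><p>hello</p>
<script src="http://gumblar.cn/x.js"></script>
<iframe src="http://example.invalid/x" width="0" height="0"></iframe>
<script>eval(unescape("%61%6c%65%72%74%28%31%29%3b%20"));</script>
</body></html>"""
```

Running `scan_html("http://example.invalid/index.html", SAMPLE)` yields three findings; a page with only ordinary markup yields none.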

Release Notes for ‘jds_javascriptPayloadsChecks’ Policy
version 0905211101: initial release. Note: In WebInspect v8.0, the Vulnerability Report will provide information for only one Custom Check while listing all URLs pertaining to any Custom Check, so use the WebInspect GUI to assess the scan results.