Home / malware

PDF

Trojan:JS/HideLink.A

First posted on 26 June 2015.
Source: Microsoft

Aliases :

There are no other names known for Trojan:JS/HideLink.A.

Explanation :

Threat behavior

Installation

We have seen this malicious JavaScript file added to compromised websites running vulnerable versions of Joomla and WordPress. In some cases, it can be an infected Joomla or WordPress template or module.

Payload

Adds hidden website content

This threat hides content off the screen of websites you are viewing.

The malicious JavaScript is added to the HTML content of the compromised webpage, just before the section. You can find this code by searching the HTML content of the website for €œdocument.write(€. An example of the malicious code is shown below:



When this JavaScript is run, the document.write() adds the following code to the page:

This code places the class named dnn off the screen, so the user will not see its content. Inside the class dnn, there is typically text and links that are used to improve the search engine result ranking of the tageted websites. For example, we have seem it hiding links to €œAdvanced Cash€:





Analysis by Geoff McDonald


Symptoms

Alerts from your security software might be the only symptom.

Last update 26 June 2015

 

TOP