07 Jan, 2025

Unmasking JS/Agent Trojans: Restoring and Protecting Your Website from Silent Threats

Learn how to detect, remove, and prevent JS/Agent Trojans from compromising your website's security. This comprehensive guide provides step-by-step instructions for cleaning malicious JavaScript and protecting your site from silent threats.
Recently, we've encountered many cases of websites being flagged and blocked by antivirus software because of malicious JavaScript detected as the JS/Agent family.

This Trojan family, known for its ability to compromise system security and steal sensitive data, can pose a significant threat to website owners and visitors.

To address this issue effectively, we've compiled a comprehensive guide outlining the steps you can take to remediate your website and remove the JS/Agent infection.

Following these procedures can restore your website's functionality and protect your visitors from potential harm.

What is the JS/Agent Trojan family

JS/Agent is a specific detection name used by various antivirus solutions to identify a type of malicious JavaScript code, often associated with drive-by downloads, phishing, or other forms of web-based attacks.

JS/Agent is a large family of malware, which includes many variations of malicious JavaScript code designed to exploit vulnerabilities in browsers or other software.

Antivirus vendors may use other names for the same or similar malware, but many modern antivirus solutions can detect JS/Agent variants.

Here's a list of well-known antivirus products and how they name such threats:

  • Kaspersky: HEUR.Script.Generic or JS.Agent.gen
  • Malwarebytes: Trojan.JS.Agent or JS.Agent
  • ESET NOD32: JS/Agent.NLF
  • Sophos: JS/Agent-BXX
  • McAfee: JS/Agent.gen or JS/Downloader

How Websites Can Become Infected with Malicious JavaScript

Malicious JavaScript, like JS/Agent.RCS, can infiltrate websites through various avenues:

Compromised Hosting Environments: If your website's hosting server is compromised, an attacker can inject malicious code into your website's files. This can happen through vulnerabilities in the server's operating system, web server software, or other software running on the server.

Third-Party Plugins and Widgets: Many websites use third-party plugins or widgets to enhance their functionality. If these plugins or widgets contain vulnerabilities, an attacker could exploit them to inject malicious JavaScript into your website.

Phishing Attacks: Phishing attacks trick website owners into revealing sensitive information or downloading malicious software. If a website owner falls victim to a phishing attack, their website could be compromised and infected with malicious JavaScript.

SQL Injection Attacks: SQL injection attacks exploit vulnerabilities in web applications to inject malicious SQL code into a database. This can lead to executing arbitrary SQL commands, including those that can be used to inject malicious JavaScript into a website.

Cross-Site Scripting (XSS) Attacks: XSS attacks occur when malicious scripts are injected into a web page and then executed by the user's browser. This can allow an attacker to steal user data, hijack sessions, or redirect users to malicious websites.

Unpatched Vulnerabilities: Websites not up-to-date with the latest security patches are more vulnerable to attack. Outdated software may contain known vulnerabilities that attackers can exploit to inject malicious JavaScript.

Malware Cleanup Preparations

Before beginning the malware investigation and cleanup process, it is crucial to back up your website entirely, including all files and the backend database. This ensures that you can restore your website to its previous state in case any part of the removal process corrupts it or inadvertently deletes essential components.

Follow these steps for a proper backup:

  1. File Backup: Make sure to copy all files associated with your website, such as HTML, PHP, CSS, and JavaScript files, as well as any media files.
  2. Database Backup: Export your entire database, including all tables, data, and structure. This is critical for dynamic websites, as it stores all your site's content and configurations.

This precautionary step can save significant time and effort if removing malware (like injected malicious JavaScript or other infected components) results in further issues. A working backup enables you to revert any unintended changes while cleaning up the malware properly. Always store the backup in a secure location, separate from your website server, to avoid reinfection.

Clean Website Cache

Clearing your website's cache is essential during malware cleanup, especially after addressing infected components. Malicious scripts or JavaScript Trojans can often linger in the cache, even after the original malicious plugin or component has been updated to a clean version.

Follow these steps to clear the cache effectively:

  1. Plugin or System Cache: If you use a content management system (CMS) like WordPress, Joomla, or Drupal, locate the cache-clearing options within the CMS settings or in any installed caching plugins. These tools typically allow for complete cache deletion with a single click.
  2. Server-Side Cache: If your website uses server-side caching (e.g., NGINX, Varnish, or Apache cache), clear these caches as well. You can do this through your hosting control panel or by contacting your hosting provider for assistance.
  3. Content Delivery Network (CDN) Cache: If you use a CDN service, clear the cache at the CDN level to ensure any cached malicious content stored on external servers is removed.

Clearing all levels of the cache can prevent reinfections by ensuring that any remaining malware, especially in cached JavaScript files, is entirely removed from your website.

Recover a Website from a Working Backup

Restoring your website from a working backup is the quickest and most efficient way to recover from a malware infection. This is why daily backups are highly recommended, as they allow you to return to business with minimal downtime.

Here's how to recover your website from a backup:

  • Access Your Backup: Identify the most recent clean backup before the malware infection. This backup should include both your website files and the backend database.
  • Restore Files: Use your web hosting control panel or FTP to upload and overwrite all infected files with the clean versions from your backup. Ensure all necessary website files, including themes, plugins, and media files, are correctly restored.
  • Restore Database: If your website relies on a database (e.g., WordPress, Joomla), use your hosting panel's database management tool (like phpMyAdmin) to restore the clean database backup. This will ensure that any infected data or malicious SQL injections are removed.
  • Verify and Test: After restoration, thoroughly check your website to ensure everything functions correctly.

Restoring from a backup allows you to quickly resume operations while you focus on improving your website's security to prevent future infections.

Finding Malware Infections in Website Source Files

When malware infects your website, finding and removing the infected components can be a delicate process. Here's a step-by-step guide to help you identify malware in your website's source files and safely clean it.

1. Dump Website Source Files and Scan with Antivirus

The first step in identifying malware is to download a copy of your entire website source files onto your local machine. Here's how to proceed:

  • Dump the Files: Use FTP, SFTP, or your hosting control panel to download all the files from your website's server.
  • Scan the Files Locally: Once the website files are on your desktop, run a full scan using the same antivirus software that has flagged your website as infected. The antivirus should be able to detect the same malware locally and provide information about the infected files.
  • Compare CMS Files: If your website uses a Content Management System (CMS) like WordPress, Joomla, or Drupal, compare the infected files with clean versions from the CMS's source. For example, if a theme or plugin file is flagged, download the original version and replace the corrupted files with clean ones. Most CMS platforms provide access to their core files, which can help with the comparison and cleanup process.

2. Compare Website Files with Old Backup

If the antivirus scan does not locate the malware or cannot clean it, the next step is to compare your website's current state with an older, clean backup.

This method can reveal new or modified files injected with malicious code.

Use File Comparison Tools: Tools like WinMerge, Beyond Compare, or DiffMerge can help you compare the current files to those from a previous backup.

These tools highlight differences between the two versions, making it easier to spot files that have been modified or added.

Identify Suspicious Changes: Pay close attention to new files or unexplained changes to core CMS files, configuration files, or scripts that weren't present in your previous backup. Malware often comes in the form of unfamiliar file names or strange code within existing files. This comparison process helps you zero in on malicious changes that antivirus software could have missed.

3. Search for Obfuscated JavaScript or PHP Code

A common characteristic of malware, especially within the JS/Agent family, is the use of obfuscated JavaScript or PHP code. Obfuscation is a method where the code is deliberately made unreadable to hide its true purpose.

  • Look for Signs of Obfuscation: Obfuscated code typically looks like random strings, unreadable variables, or functions with complex and nonsensical names. It may also include base64-encoded strings, often used to hide malware payloads.
  • Common Locations: Malicious JavaScript is frequently injected into HTML files, theme or plugin files, or even core CMS files. PHP-based malware is often embedded in files like functions.php, header.php, or index.php in WordPress or other CMSs.
  • Decode Obfuscated Code: If you find code that appears obfuscated, try decoding it to understand its purpose. You can use online tools like JS Beautifier or PHP Unobfuscators to clean up the code for review.
  • Be Cautious with Manual Removal: Manually removing malware from infected files requires extreme caution, as one wrong deletion could break your website.
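As an added example (not code from the original article or from Quttera), the following Python script walks a local dump of the site and scores each JS/PHP/HTML file on the obfuscation signs listed above, so the files most worth a manual look come out on top. The indicator weights, the long-line threshold and the two sample snippets are assumptions constructed for illustration.

```python
"""Heuristic obfuscation scanner for a local dump of website source files (added
example for this article, not Quttera's tooling; weights/thresholds are assumptions)."""
import os
import re

# (name, pattern, weight): obfuscation signs the article describes for JS/PHP injections
INDICATORS = [
    ("eval_chain", re.compile(r"\b(eval|unescape|String\.fromCharCode|atob)\s*\("), 3),
    ("php_decode", re.compile(r"\b(base64_decode|gzinflate|str_rot13)\s*\("), 3),
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{80,}={0,2}"), 2),
    ("hex_escapes", re.compile(r"(\\x[0-9a-fA-F]{2}){8,}"), 2),
    ("hex_names", re.compile(r"\b_0x[0-9a-f]{4,}\b"), 2),
]

def score_text(text: str) -> dict:
    """Return indicator hit counts plus a weighted 'score' for one file's content."""
    hits, score = {}, 0
    for name, rx, weight in INDICATORS:
        count = len(rx.findall(text))
        if count:
            hits[name] = count
            score += weight * count
    longest = max((len(line) for line in text.splitlines()), default=0)
    if longest > 2000:  # one enormous line is typical of a packed injection
        hits["long_line"] = longest
        score += 2
    hits["score"] = score
    return hits

def scan_tree(root: str, exts=(".js", ".php", ".html", ".htm")) -> list:
    """Score every matching file under root; highest-scoring files come first."""
    results = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = score_text(fh.read())
                if hits["score"]:
                    results.append((path, hits))
    return sorted(results, key=lambda item: item[1]["score"], reverse=True)

# Constructed samples: a benign theme snippet and a packed injection of the kind described
CLEAN_JS = "document.querySelector('#menu').addEventListener('click', toggleMenu);\n"
INJECTED_JS = ("var _0x4f2a=['\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x78'];"
               "eval(unescape(atob('" + "QUJD" * 30 + "')));\n")
```

Run `scan_tree("/path/to/site-dump")` on the files downloaded in step 1 and review the top of the list first; a hit is a reason to inspect the file, not proof of infection, so compare it against the clean CMS version before deleting anything.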

Finding Malware Infection in a Website Database

If scanning your website's source files yields no signs of malware, the next step is to investigate the database for potential infections. Malicious code is often injected directly into the database, especially for dynamic websites using a CMS like WordPress, Joomla, or Drupal.

Follow these steps to find malware in your website's database:

  1. Dump the Database: Export the entire database using tools like phpMyAdmin or your hosting control panel's database management feature. This will give you a local copy of the database to inspect.
  2. Search for Malicious Code in Script Tags: Look for <script></script> tags. Malware is frequently injected between <script></script> tags, especially as obfuscated JavaScript or malicious links. You can open the database dump in a text editor and search for all occurrences of <script>. This can help identify injected code not part of your website's original content.
  3. Check for Additions in Existing Scripts: Sometimes, malware is appended to legitimate scripts, making it harder to detect. Carefully inspect the content within any existing <script> tags to spot unexpected additions.
  4. Compare with a Previous Database Dump: If you have an older, clean database backup, compare it with the current dump. Use a file comparison tool like WinMerge or DiffMerge to highlight any differences. Malicious injections usually appear as newly added script tags, unfamiliar content, or appended code in legitimate sections.

By examining the database for malicious scripts or discrepancies between versions, you can pinpoint and remove infections that might have escaped detection in your website files.
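The script-tag search and dump comparison from steps 2 to 4, as an added Python example that is not part of the original article or Quttera's tooling: it pulls every <script> block out of a SQL export, records which table's INSERT rows contain it, and reports blocks that are new since the clean backup. It assumes the plain-text INSERT syntax that mysqldump and phpMyAdmin exports use; the two sample dumps are constructed.

```python
"""Pull <script> blocks out of a SQL dump and diff them against a clean backup dump.
Added example for this article, not Quttera's own tooling; it assumes the plain-text
INSERT syntax that mysqldump and phpMyAdmin exports use. Sample dumps are constructed."""
import re

SCRIPT_RX = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.I | re.S)
INSERT_RX = re.compile(r"INSERT INTO `?(\w+)`?", re.I)

def extract_scripts(dump_text: str) -> dict:
    """Map each <script>...</script> block to the set of tables whose INSERT rows contain it."""
    found = {}
    # One statement per ';' + newline; dumps escape embedded newlines as a literal \n,
    # so a real line break only appears between statements.
    for stmt in re.split(r";\s*\n", dump_text):
        m = INSERT_RX.match(stmt.lstrip())
        if not m:
            continue  # CREATE TABLE, comments, trailing empty chunk
        # Undo dump escaping so a block compares equal whichever row it sits in
        text = stmt.replace("\\n", "\n").replace("\\'", "'").replace('\\"', '"')
        for hit in SCRIPT_RX.finditer(text):
            found.setdefault(hit.group(0), set()).add(m.group(1))
    return found

def script_diff(current_dump: str, clean_dump: str) -> dict:
    """Blocks new since the clean backup (with the tables to clean) and blocks that vanished;
    a vanished block usually means a legitimate script was modified, so review those too."""
    now, before = extract_scripts(current_dump), extract_scripts(clean_dump)
    added = {s: sorted(t) for s, t in now.items() if s not in before}
    removed = sorted(s for s in before if s not in now)
    return {"added": added, "removed": removed}

# Constructed dumps: the clean backup, and the current export with one injected block
CLEAN_DUMP = (
    "INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Welcome</p>"
    "<script src=\\'/wp-includes/js/menu.js\\'></script>');\n"
    "INSERT INTO `wp_options` VALUES (2,'siteurl','https://example.com');\n"
)
CURRENT_DUMP = (
    "INSERT INTO `wp_posts` VALUES (1,'Hello','<p>Welcome</p>"
    "<script src=\\'/wp-includes/js/menu.js\\'></script>"
    "<script>eval(atob(\\'QUJD\\'))</script>');\n"
    "INSERT INTO `wp_options` VALUES (2,'siteurl','https://example.com'),"
    "(3,'widget_text','<script>eval(atob(\\'QUJD\\'))</script>');\n"
)

if __name__ == "__main__":
    for block, tables in script_diff(CURRENT_DUMP, CLEAN_DUMP)["added"].items():
        print("NEW in", tables, ":", block[:80])
```

Feed it the two exported .sql files (read as text) in place of the constructed strings; the table names in the output tell you which rows to clean, and an empty "added" list with a non-empty "removed" list points at a legitimate script that was altered rather than a new injection.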

Conclusion

By following the steps above, you can effectively locate and remove malware from your website's source files while minimizing the risk of causing additional damage during the cleanup process.

Save this complete guide for future reference:
  1. https://blog.quttera.com/post/website-malware-removal-guide-part-1-preparation/
  2. https://blog.quttera.com/post/website-malware-removal-guide-part-2-the-cleanup-process/
  3. https://blog.quttera.com/post/website-malware-removal-guide-part-3-post-cleanup-and-hardening/

After successfully removing the malware from your source files, take the following steps to secure your website and prevent reinfection:

  1. Update Everything: Make sure your CMS, themes, plugins, and third-party software are updated to the latest version. Outdated software is a common attack vector.
  2. Strengthen Security: Implement security measures like using a web application firewall (WAF), installing a security plugin, and regularly scanning for vulnerabilities.
  3. Monitor Your Site: Monitor your website for suspicious activity and perform regular security audits to ensure no new malware infections occur.

If you need help, Quttera offers comprehensive assistance. Our website security software is designed to remove malware infiltrating your site from nulled products or other sources.

Additionally, our security experts can help you identify potential risks and implement strategies to prevent future threats, ensuring the safety of your website, data, and customers.

Contact us today to learn more.