Is there a way to detect if the HTML DOM is being modified by malware on the end user's system? I have a HTTPS protected website and recently encountered a support call where the user was seeing advertisements in my website. I have no ads in my website and we ended up running an anti virus scan on the end user's system which found and cleaned many infections after which the ads disappeared. I am unfortunately unable to provide any code samples because I don't even know where to start.
Detect if malware is tampering with website
886 views Asked by AudioBubble AtThere are 2 answers
When it comes down to it, you cannot control what happens on a computer you don't control. Sufficiently advanced malware will detect your attempt to detect it and will lie to you about the results.
that said, there are some techniques you can apply to try and make it harder for the attacker.
write your own code that knows what the that knows what your dom is supposed to look like. attacker will stop your code from running.
update the code so that interacts with your application server every so many seconds. attacker will duplicate this piece of the code and stop the original check from running.
update your code to perform a complex operation that requires a minimum known amount of time. the attacker will respond same as above
intermingle your checking code with your business logic and obfuscate everything. the attacker can create their own UI that interacts with your server and show that instead of your ui
now, just because you're on the losing side of the battle, that doesn't mean it is useless. it really depends upon who might be attacking your server, and how many resources they want to spend on the arms race with you compared to how many resources you want to spend against them
It is possible to detect DOM modifications using
MutationObserver
s (supported by all major vendors).It might be hard to detect which modification are malicious and which are not, though.
Perhaps something to look into: depending on how the malware works, you might be able to prevent the insertion (or at least execution) of
script
tags. This might stop naive malware but it's a cat and mouse game.