OGO Sense Cleans Up Infected Javascript Files Within Joomla

Today (July 30, 2012) our support staff has identified an infection on a client website. The infection is neutralized by now and affected client notified, but all pages in Google index have been marked as dangerous. A sample page snippet in Google search engine results is shown below:

After cleaning the infection, we submitted a request to Google to re-examine the website, in order to remove the warning displayed when visiting the website from search engine or using Chrome browser.

Visiting the website in Chrome would produce the following warning screen:

More specifically, we have found that: 

1. some javascript files that are used to operate Joomla CMS have been infected by malicious code. A sample list is shown below:
       media/system/js/caption.js
       media/system/js/mootools.js
       modules/mod_fpss/includes/js/jquery.fpss.js
       plugins/system/jat3/base-themes/default/js/core.js
       plugins/system/jat3/base-themes/default/js/menu/css.js
       plugins/system/mediaobject/js/mediaobject-150.js
       plugins/system/mtupgrade/mootools.js
       plugins/system/pc_includes/ajax_1.2.js
2. the system plugin for automatic update of those javascript files was enabled within the affected Joomla CMS installation.
3. one way to minimize a chance of infections could be to change permissions to system folders, so that files cannot be modified or inserted.
4. installed antivirus and anti-malware server software may not react to these infection as they do not have the necessary definitions (updates) yet, or this infection is similar to some ordinary functions from regular Joomla components

We are in the process of investigating the issue and generating an incident report. Until the issue is completely archived and incident report completed, current clients are encouraged to contact OGO Sense if they have any questions or concerns.