Monday, June 29, 2009

Sorry About All Those Viruses

My humble little website was hacked a couple months ago. A string of malicious Javascript was added to the index page. This script redirected visitors from my site to another site hosting a nasty virus. The virus exploits a vulnerability in Adobe Reader (supposedly upgrading to 9.1v fixes this hole, but I haven’t been brave enough to try it) to automatically download a malicious PDF to the visitor's computer, which installs a bogus Anti-Virus program. This “Anti-Virus” program then installs a Trojan on the user’s computer.


I figured out all the above information within a week of hearing my site was infected. I had to hear about it, because I use Firefox and not Internet Explorer, which is still what most people use for web browsing, so I didn’t notice anything wrong. The malicious script only worked in IE, because it exploited IE’s ActiveX controls (the IE 8 upgrade stopped the script from running, but still showed just a blank page). But what stumped me for the last couple months was how the script kept getting into my web pages. I would upload a clean copy of my index file and within 12 hours it was infected again. If it wasn’t an infected server, which my hosting company swore it wasn’t, then what was it? All I could read about were Javascript and SQL injection attacks, which I didn’t really understand and hoped weren’t relevant to my little Web 1.0 site.


Finally, after being infected with a new script, which looked like Google Analytics code, I visited a Google Analytics help page where others had a similar problem. After days of following postings there, I got my answer. Who needs fancy Javascript and SQL injection attacks when you can steal a person’s FTP account information right off his own computer?! That’s right, malware hidden on my computer was stealing all the info and passwords I used to upload web pages to my hosting server. What’s even more devious is the malware came from another “legitimate” but compromised site. My site became yet another in the chain downloading Trojans to unsuspecting visitors (I doubt they were netting that many with mine) to steal more FTP account info stored on their computers and infect any sites they manage with the same FTP password stealing virus. What do they, whoever they are, ultimately get from all this? Anyway I think I finally removed the Trojan from my computer. I changed all my passwords and my site has been clean for a week now. I fixed it… I think.
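The reinfection loop described above (a clean index file re-uploaded, then silently modified again within hours) is the kind of thing a small periodic check catches long before a visitor reports it. Here is an added Python example, not from the original post, that diffs the script elements of a live copy of a page against a known-clean baseline and reports any external script source or inline script body that the baseline did not contain. The two HTML documents are constructed samples, and the host name `injected-host.invalid` is a placeholder, not a real site.

```python
import hashlib
from html.parser import HTMLParser

# Constructed sample: the clean index page as kept on the owner's machine.
BASELINE_HTML = """<html><head>
<title>My site</title>
<script src="/js/menu.js"></script>
<script>var gaJsHost = "https://ssl.";</script>
</head><body><p>Hello</p></body></html>"""

# Constructed sample: the same page as fetched from the server after
# someone with the FTP password appended two extra script elements.
LIVE_HTML = """<html><head>
<title>My site</title>
<script src="/js/menu.js"></script>
<script>var gaJsHost = "https://ssl.";</script>
<script src="http://injected-host.invalid/ga.js"></script>
<script>/* constructed stand-in for an injected inline block */ document.write("x");</script>
</head><body><p>Hello</p></body></html>"""


class ScriptCollector(HTMLParser):
    """Collect every <script> element as ("src", url) or ("inline", sha256 prefix)."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []
        self._src = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser lower-cases tag names for us
            self._in_script = True
            self._buf = []
            self._src = dict(attrs).get("src")

    def handle_data(self, data):
        # Script bodies are delivered as raw data between the tags.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            if self._src:
                self.scripts.append(("src", self._src))
            else:
                body = "".join(self._buf).strip()
                digest = hashlib.sha256(body.encode("utf-8")).hexdigest()[:16]
                self.scripts.append(("inline", digest))


def collect_scripts(html):
    """Return the ordered list of script elements found in an HTML document."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(baseline_html, live_html):
    """Return script elements present in the live page but absent from the clean baseline.

    Inline scripts are compared by hash, so a changed body counts as new even
    if a script element still sits in the same place in the page.
    """
    baseline = set(collect_scripts(baseline_html))
    return [s for s in collect_scripts(live_html) if s not in baseline]


if __name__ == "__main__":
    for kind, value in find_injected_scripts(BASELINE_HTML, LIVE_HTML):
        print(f"unexpected {kind} script: {value}")
```

In practice the baseline is the clean copy kept locally, the live copy is fetched from the web host, and the check runs on a schedule. It only detects that the page was changed again; it does nothing about the stolen credentials that allow the change, so a hit means the password still has to be rotated and the machine that held it cleaned.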


Here are some links to articles with more info on this kind of hack:


http://www.martinsecurity.net/2009/05/20/inside-the-massive-gumblar-attacka-dentro-del-enorme-ataque-gumblar/

http://blog.trendmicro.com/stolen-ftp-credentials-key-to-gumblar-attack/

http://www.securecomputing.net.au/News/146604,beladen-website-compromises-cropping-up.aspx



"Trojan Horse", 2006

26" x 24", oil on wood



Hopefully this is the only trojan horse visitors to my site will find.

