
Saturday, July 16, 2011

WARNING: Trojan lurking [Update 1]

A follow up to FairFacts Media's issues with a trojan a couple of weeks ago.

Comment as posted below:

FF, The Trojans are still there. Even though your Nortons is blocking it getting onto your machine, FFM is still dirrrrty.

This post will be long...

I have been infected myself on a number of my own websites and am in the process of cleaning the mess up. I found that the trojan is downloaded in my case (Vista Ultimate) via the Firefox browser into the C:/Program Files/Mozilla FireFox folder as executables and temp files. It also infects the C:/Users/**insert your login name here**/AppData/Local/Temp folders. Norton's reports the hit as 'Web Attack: Black Hole ToolKit Website 5'. My attacks took place on the 11th/12th overnight NZ time.

Haven't looked at your site using Norton's, so maybe a slightly different exploit is on your site. You can see it by looking at your home page and doing a right click/view page source. At the bottom of the html code is a malicious script block about 3-4 lines long. This script will be added onto every index.htm, index.html and index.php in your website. Each file will need inspecting and cleaning. If you haven't updated your website code recently, the date change on the date you got infected will be very obvious using ftp.

I have AVG, Malwarebytes and SuperAntiSpyware on my machine. None pick it up upon infection, but SAS will pick the infecting files up upon a full 3 hour scan. The mechanics of acquiring the infection seem to be via unpatched Adobe, Microsoft Office and Java products. You know how we all see those Adobe and Java updates on the taskbar and we ignore them till a better time? Well don't. Do them ASAP.

I suspect you will have similar issues, both on your machine and on your website. I do not really understand how I am getting infected initially, but on clearing some of my websites, the problem there has been gone for 30 hours. There is a whole lot of redirection going on with the exploit which I am still trying to nut out. But by visiting infected sites like FFM, the folders on my machine are still being infected.

Hope this helps, be careful out there.
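As an added example (not part of the comment above or of any tool it mentions), the two checks the comment describes can be scripted against a local copy of the web root pulled down by FTP: a script block sitting after the closing tag of every index.htm/index.html/index.php, and a modification date later than your last genuine edit. The sample site, the placeholder script block and the cut-off date are all constructed assumptions for the demo.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

INDEX_NAMES = {"index.htm", "index.html", "index.php"}  # files the comment says get the block appended
TAIL_BYTES = 4096  # the block sits at the bottom of the page, so only the tail is inspected
SCRIPT_RE = re.compile(rb"<script\b.*?</script>", re.I | re.S)

def injected_script(data):
    """Return a <script> block found after the page's closing </html> (or </body>) tag, else None."""
    tail = data[-TAIL_BYTES:]
    end = max(tail.lower().rfind(b"</html>"), tail.lower().rfind(b"</body>"))
    trailer = tail[end:] if end != -1 else tail  # no closing tag found: check the whole tail
    m = SCRIPT_RE.search(trailer)
    return m.group(0) if m else None

def scan_webroot(root, modified_since):
    """Walk a local copy of the web root; return {relative path: reasons} for index files to inspect."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.lower() not in INDEX_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                block = injected_script(fh.read())
            reasons = []
            if block:
                reasons.append("script after closing tag: %r" % block[:60])
            mtime = datetime.fromtimestamp(os.path.getmtime(path), tz=timezone.utc)
            if mtime >= modified_since:  # the FTP date-change check from the comment
                reasons.append("modified since %s" % modified_since.date())
            if reasons:
                findings[os.path.relpath(path, root)] = reasons
    return findings

# Constructed sample pages (not real injected code): one clean, one with a trailing script block.
CLEAN = b"<html><body><h1>Hello</h1></body></html>\n"
INFECTED = CLEAN + b"<script>/* constructed placeholder for an injected block */</script>\n"

def demo():
    """Write the samples into a temporary web root and scan it; the cut-off date is an assumed value."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "blog"))
    with open(os.path.join(root, "index.html"), "wb") as fh:
        fh.write(CLEAN)
    with open(os.path.join(root, "blog", "index.php"), "wb") as fh:
        fh.write(INFECTED)
    return scan_webroot(root, datetime(2011, 7, 10, tzinfo=timezone.utc))
```

A block inserted before the closing tag, or a page with no closing tag at all, is not caught by the first check, so the date check and a manual look at each flagged file still matter.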

[Update 1]

The exploit relies on your browser having Javascript enabled, a common setting for those who want enhanced browser features. I have done some more testing and reading. More here and here.

By disabling Javascript, the malicious script tacked onto each page of an infected website cannot run and you stay clean. Conversely, enabling Javascript allows the malicious script to run, resulting in initial infection. How the website gets infected remains a mystery.

My infected websites (not PM of NZ at Blogger) download and create a .mht file in the C:\Users\****\AppData\local\Temp folder. This file contains some pix and other code which will be presented to you at some future time as the infamous "Your machine is infected, take URGENT action now by clicking here..." security window which you may see occasionally as you flog around the net. A window which is damned difficult to close if you are a Joe Bloggs user. That is the beginning. Multiple .mht files are created as you go from page to page in the infected site.

On FFM's website, with his variant of the infection, a sub-folder called 'plugintmp' is created at initial download, which contains the exploits. In FFM's case, the exploits are targeting Adobe products, by allowing full cross domain access from an external site. This is the dangerous part.

From there I can only assume that at some time in the future the "security window" is presented, you click on it, some more downloads happen and hey presto, you are now part of the problem! Somehow those plugin files you downloaded earlier get over to Mozilla folders (or whatever browser you're using) and activate the plugins, so next time you open an Adobe .pdf file, bang the real infection takes place. Other plugins are downloaded along with malicious executables. From there your passwords (including FTP passwords as in my case) are harvested and any websites you have direct access to will be infected at their leisure, replicating the whole process.
