The code in the site pages inserts a trojan that steals access passwords and is often not detected by antivirus programs.
A similar epidemic began in late 2006 – early 2007. Site owners are faced with an unpleasant situation. When you open the index page of the site (it doesn’t matter, paid hosting of sites or free of charge) a Trojan virus began to load onto the computer. It turns out that changes were made to the page code – a link to the virus carrier website was added, from which the Trojan itself was downloaded. Some index pages were “erased” in general, that is, there was not a single tag left on the pages, and as a result, just a blank screen was visible.
Accordingly, a wave of claims and accusations to hosts swept, because of the “hacking” of users’ hosts, which took on such a scale that it was fit to blame hosts, but they had nothing to do with it, it was almost 99% found out when analyzing the system logs.
The essence of the changes is that the page code appears on the index.html page (or index.php, etc.):
iframe src = // link_narious_site_containing_virus
The iframe tag is usually with the width = “0” value and height = “0”, which means that you will not see the opening window of the malicious site, since the size of this window is set to zero. In recent versions, this tag is masked in every possible way by means of BASE64 encoding, so that during a quick review of the code you will not notice, and in some cases known are infections through DIV tags.
Analysis of the site infection mechanism showed the following result. The index pages were changed via FTP – LEGALL connection, i.e. no hacking of the site was done, but only logged in using the username / password of a stolen Trojan user and subsequent modification of the site files. After a more detailed study, it turned out that such behavior is inherent in the Trojan’s Pinch family program, which can bypass firewalls and antivirus programs and steals everything that can be reached, including passwords stored in IE, CuteFTP, Total Commander and a dozen different programs.
Infection itself occurs as follows:
– First, Trojan-Downloader.VBS.Psyme.fc is loaded – a Trojan program that downloads other Trojans, recently the name has been changed several times.
– It is she who loads two more viruses – Trojan-PSW.Win32.LdPinch.bik (or a modification) and Trojan.Win32.Agent.oh (optional).
The most interesting thing is that both DrWeb, and subsequently installed after it, KAV Anti-virus, determined that a Trojan was being downloaded to the computer and eliminated. One caveat: from the very beginning of downloading files from an infected site, the file new.exe was created and executed on the desktop. Files appeared in the windows folder with the names r.exe or c.exe, which the antivirus did not recognize as dangerous. According to the testimony of other users in the Windows folder could create a fake file called svchost.exe (the original is in the System32 folder). Then in the operating system processes it is difficult to determine which of the processes used by the svchost.exe program is true and which is fake. If you have this software and such a tag has appeared, then it is quite possible that it is running or modifying this virus, which manages to bypass the antivirus, or another virus works, with a similar algorithm. There is another option, and very likely. The Trojan program used belongs to rootkits (programs that are implemented in the kernel of the operating system) that are difficult to detect by antiviruses. Or, Internet Explorer 6 vulnerability is used. Here’s how it was written about: A remote user can use a specially crafted Web page to upload an arbitrary HTA file to a remote system and then execute it with the privileges of the user who launched the browser. Successful exploitation of the vulnerability will allow an attacker to execute arbitrary code on the target system.
If this trouble happened to you, follow these steps:
1. Full scan of your computer for viruses, spyware, trojans and other malicious software with antivirus software with the latest updates, for accuracy it is desirable to use antivirus software from several manufacturers.
2. Change passwords for access to all ftp accounts, DirectAdmin, billing, if you cannot change them by yourself, then you should contact the technical support service, which will generate and send you a new password to a trusted email.
3. Restore the site from backups (which you should periodically do), if you don’t have them, you can also contact the technical support department with a request for data recovery, but remember that our company backs up in case of equipment failure on a schedule week / month and therefore an already infected version of the site can be stored in a backup copy.
4. Never save passwords in programs, if you are not sure of your memory, write down for example a piece of paper on a separate carrier, although this is not true from the point of view of information security.