Rob's Ramblings

Friday 29 January 2010

Viruses...what a time waster!

For the last few days, I've been working on another website. It's been fun, writing code that people actually seem to be impressed by.

Yesterday, I woke up, opened up the laptop, started to play, and found myself looking at a "Windows security centre" screen and a prompt to install a "Windows Malware" program. Hmm. Now I'm not quite that gullible, so try to just close the windows, but it still pops up an installation dialogue and runs through something too quickly for me to catch and kill it in Task Manager,

So...I've been infected with a virus. It knocked out the AVG anti-virus I had on here, and seemed to block access to several websites that dealt with virus issues. Trend Micros' one-shot "housecall" did run, and spotted four "FakeAV" Trojans, and deleted them, but didn't manage to cure the problem, and indeed got knocked out when I tried to run a full scan rather than the quick one.

In the end I only managed to get rid of it using the f-secure emergency boot disc.. That's a nifty little disc that boots into and runs Linux from memory, and then can scan the NTFS disc partitions where Windows lives. All it can do is rename the infected files, rather than move them anywhere else, but that's usually enough, and it was.

Of course, making the disc was a story in itself.. Suffice to say that my wife's nifty little Dell XPS laptop white elephant couldn't even burn a CDR reliably, so I ended up using an old Acer that mostly these days tends to run software from Fisher Price for the little one!

So, after spending nearly five hours getting rid of the thing, and another three trying to re-install some anti-virus software (AVG failed to reinstall, even after uninstalling it, so I ended up with Avast) I set about looking for how on earth I had been infected in the first place.

Now I use Opera as my browser, and it usualy just opens up all the tabs I had open in the previous session. So I fire that up, and the new AV pops up a "website blocked" warning message. OK... I've got close on 40 tabs open, which one is it. And why? I thought Opera was fairly resilient to attacks. I'd been suspecting the old copy of IE6 that I had fired up for the first time in ages the previous day, to access the courtservice government website, that doesn't like Opera. So I close all the tabs that I didn't need any more, all those I'd run across when looking for something else, that sort of thing, leaving just things like my email, the bank, the stuff I was working on, etc. Close Opera and reload it - same warning. The bad website it's referring to is, so I start doing a view-source on each page in turn, looking for the reference.

And I find it - on my own website!! There's an Iframe link added to the end of the index.php page! WTF?! Has somebody hacked my FTP password? Is there a bug in the CMS that allows injection of code?

I've not looked into it too closely, but at one point I remember seeing an Adobe Acrobat warning that the document I was trying to open was written in a later version than I had installed, so might not work properly. I thought it odd at the time, as I'd not tried to open any documents, and the warning box didn't give an option to cancel the load. I suspect now that this was where the issue was - something somehow added the iframe to my page, which then included a PDF of some sort in a hidden window. This took advantage of a vulnerability in Acrobat to fire off the virus code. So Opera itself was not at fault.. At least I can press F12, turn off plugins, and carry on browsing safely.

So I check my other sites. They all have the malicious code added. That lets off the CMS, but when a simple place-holder website that has nothing more than an index.html page with a single JPEG image has been infected, then there's something else at work. I check the access logs for that site - it gets maybe one or two visits from search engines a day, and that's all it has. However the virus got there, it wasn't via an HTTP connection. It has to be server-side. Drat. This is confirmed when I look up and visit several other random web sites that are hosted on the same machine, and absolutely nothing to do with me. Everybody has the same code on their website.

I logged it with my hosting co's Tech Support, and they seem to know about it, and say they are removing the codes. But eight hours later they have still not fixed the issue. So please be careful if you visit any of my websites. (This blog is safe, as the subdomain is hosted elsewhere.) I tried removing the code manually last night, but it came back..

There's something to be learned from this. Don't just keep your browser up to date with all the security patches. Anything that provides it with a plugin is vulnerable, too. Time to go update Acrobat..

And try and work out how to catch up on a completely wasted day..

Labels: , ,


  • If you need help with this, let me know. I do this all day long. I can get you clean and safe in a few hours - tops.

    By Blogger Unknown, At 31 January 2010 at 22:35  

  • Thanks; I think I'm clean again now - scanned the home system a couple of times with different software, and it's not come up with anything. The webhost seems to have managed to get rid of everything at their end, too, fingers crossed.

    By Blogger rob, At 31 January 2010 at 22:38  

Post a Comment

Subscribe to Post Comments [Atom]

<< Home