My colleagues at the Stop Badware project at Berkman have a tough job. They generally interact with people when their sites have been flagged by Google as hosting some sort of badware. The vast majority of people who find themselves hosting badware are unaware that they’re doing so – their site has been compromised, usually because of an attack on their hosting provider.
When people discover that their site is listed by Google as hosting badware – and almost 230,000 URLs have been detected thus far – they’re usually pretty upset. And while my friends at StopBadware host the appeals process for Google, they’re not the ones responsible for making the determination that a site is hosting badware. (And they are certainly not the ones who compromised a site to put the links to badware there – no, those are generally the asshats associated with the “Russian Business Network”.)
I’ve written at some length trying to explain what’s going on with these IFRAME attacks. But the Stop Badware folks have done a much more thorough job than I could with their “Trends in Badware 2007” report, which goes a long way towards explaining why people are writing and distributing malware, how it’s being distributed and how to protect yourself from it. I highly recommend it for anyone who’s running a Windows system (truth is, I just don’t experience a lot of these attacks running Mozilla on a Macintosh), but it’s worth reading for anyone interested in the state of the art of what’s unpleasant and awful on the Internet today…
I was very glad to read the profile and information you provided on your blog page 1346. My experience with this malicious script has been equally horrible.
I’ve had trouble getting McAfee to recognize and react to the danger of this threat. So I quit them. I think I became contaminated on Firefox browser while setting up my Google Blog or it could have been Oprah’s browser on their blog. There is no doubt it came directly from a blog to my computer. I created both blogs on the same day. That adds to the mysterious confusion.
I’m a webmaster. I manage 10 sites that I designed and placed on one server host. Last month 3 of my sites became infected with 3 different types of malicious script, all exploit Trojans similar to your description.
One was my personal webmaster site – when the page opened, the exploit aggressively downloaded its script onto my viewers’ computers and then demanded money to remove it. I’ll call it the “aggressive ransom” exploit.
On another site was a Viagra email bouncing scheme with over 1,000 addresses. I’ll call it the “viagra scheme”.
And the last was also an exploit like the “ransom” but not quite as aggressive. I’ll call it “less aggressive ransom”.
For the “aggressive ransom” I wiped the hard drive (using an external drive because this Trojan disabled my internal drives; it also disabled lots of other options on my computer, including my password entries in my WS-FTP and the server host). Using WS-FTP to clean the site was hopeless because the code replaced itself within 5 seconds.
I restored the OS and reloaded all programs on my computer. I changed security companies, changed all passwords and removed all FTP passwords from memory. Removed all pages containing passwords from my OS. Next I moved deliversuccess.com to a more secure server host under new and more difficult passwords. Finally I got that one under control.
For the “viagra email one” — It was less invasive so I cleaned the files and changed the password and that worked so far. But actually this is the second time it’s been hit and cleaned.
For the “less aggressive ransom” one I cleaned the infected site and it remained clean for about 10 days – NOW IT’S BACK. I was never able to change the password on the server host. I will probably have to move it.
I can’t seem to find if the malicious code returned to my “cleaned” computer (now I know where to look) so I’m suspecting the crooks have hacked onto my server-host site.
Well, that’s my on-going sad, sad story. It’s been more than a nightmare to me; it’s been an offense as bad as I imagine rape would be.
I really feel all of today’s computer security companies have been slow to recognize the global implications of this threat. Here is a case where even government intervention may be necessary, with criminal prosecutions. As a free society lover, those words are hard for me to say, but... what are the other options?