Author Topic: Downloader Trojan  (Read 4458 times)
Andrew
« on: June 21, 2006, 04:03:57 PM »

I received two emails from readers who recently visited the site and received antivirus alerts about the downloader trojan trying to infect their system.  Having looked through the site with my own computer, I could not get the same alerts (I also use Symantec and have the latest Java runtime - 5.0 version 7).  Nor could I locate anything in the html that was being served.

I uploaded new copies of most of the main pages to see if that helps.  However, if anyone else has seen this - can you tell me where you were at (or had recently looked at) when the alert popped up?  It would make the most sense for it to be here on the message board or in the comments system.
Andrew
« Reply #1 on: June 21, 2006, 07:08:14 PM »

Trek_geezer just let me know this popped up again. I located the code this time and it was specifically targeted at the homepage and the bottom navigator.  If I have to guess, someone has compromised the admin account on the shared server (I am on a VPS, just a handful of domains on the server) and the modification was targeted.  Since I cannot chase it down by checking all the logs myself, I alerted the Hostgator admins.

Please be careful until I get some resolution on this.  The latest version of Java seems safe, since it did not download the trojan when I checked.  The latest version is 5.0, update 7.  This is something that every computer should be using.  The install can be found here:

http://java.sun.com/j2se/1.5.0/download.jsp

What you want is, most often (unless you are a developer) JRE 5.0, Update 7.  You should always keep your Java up to date, as it is a common target for worms, trojans, and such.
odinn7
« Reply #2 on: June 21, 2006, 08:07:10 PM »

Thanks for letting us know about this Andrew.
ulthar
« Reply #3 on: June 21, 2006, 08:23:42 PM »

Andrew,

Are they running tripwire (or similar) on the server?  If not, you might try something like this too-simple home-grown solution.

If you are on good terms with the guys on your host (or have root access directly), could you not put a daily cron job to

(1) calc. the md5 hash of your key (static) files
(2) email you if it is different from a 'reference' value

This MAY help catch cases of tampering with your static html files.

Of course, if root is compromised, the cracker might see this and trojan it, too.  Perhaps better is to just email you the hashes and you do the comparison on the client side.

But, of course, if they get root, all bets are pretty much off if they do any real damage.
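ulthar's two-step idea above (hash the static files daily, then compare against a reference that lives on your own machine so a compromised server cannot quietly fix up the check), written out as an added example; this is not code from the post or from Badmovies.org. The helper names `make_manifest` and `compare_manifests`, the cron line and its path and address are hypothetical, and it assumes `sha256sum` and `mail` are available (the post says md5; sha256 is the stronger choice today).

```shell
#!/bin/sh
# Added example, not from the post: ulthar's daily hash check as two helpers.
#   make_manifest DIR FILE...   print "hash  path" lines for the static files
#   compare_manifests REF NEW   report CHANGED / MISSING / NEW paths and
#                               return 1 if the two manifests differ at all
# Hypothetical server-side cron entry that mails the hashes so the comparison
# runs on the client side, as the post recommends (path and address made up):
#   0 3 * * * /usr/local/bin/sitecheck.sh | mail -s "site hashes" you@example.com

make_manifest() {
    dir=$1
    shift
    ( cd "$dir" && sha256sum "$@" )
}

compare_manifests() {
    ref=$1
    new=$2
    rc=0
    # Every file in the reference must still exist with the same hash.
    while read -r hash path; do
        new_hash=$(awk -v p="$path" '$2 == p { print $1 }' "$new")
        if [ -z "$new_hash" ]; then
            echo "MISSING $path"; rc=1
        elif [ "$new_hash" != "$hash" ]; then
            echo "CHANGED $path"; rc=1
        fi
    done < "$ref"
    # Anything in the new listing that the reference never had is suspect too.
    while read -r hash path; do
        if ! awk -v p="$path" '$2 == p' "$ref" | grep -q .; then
            echo "NEW $path"; rc=1
        fi
    done < "$new"
    return $rc
}

# Constructed demo: a throwaway site tree, a reference taken while it is
# clean, then one page tampered with before the next day's run.
work=$(mktemp -d)
mkdir "$work/site"
printf '<html>home</html>\n' > "$work/site/index.html"
printf '<html>nav</html>\n' > "$work/site/nav.html"
make_manifest "$work/site" index.html nav.html > "$work/reference"
printf 'tampered\n' >> "$work/site/index.html"
make_manifest "$work/site" index.html nav.html > "$work/today"
compare_manifests "$work/reference" "$work/today" || echo "ALERT: static files changed"
rm -rf "$work"
```

Keep the reference manifest off the server; if the attacker has root, as the post notes, a reference stored next to the files can be rewritten along with them.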
Ed, Ego and Superego
« Reply #4 on: June 21, 2006, 09:59:33 PM »

Ulthar,
WOW that looked like an episode of Star Trek with that techie talk.  I am absolutely in awe and jealous.
But I use the words "Acetoxymethyl Ester" on a daily basis so I can't complain too much.
Great work guys!
-Ed
Fearless Freep
« Reply #5 on: June 21, 2006, 10:01:01 PM »

Oh he was just explaining what happens Andrew could do if he got pwned
Ash
« Reply #6 on: June 22, 2006, 02:59:27 AM »

I downloaded the Java update.
So far, I haven't noticed anything out of the ordinary here on the board.
(knock on wood)

Can you post a link for a cure if any of our PCs happen to get infected?
akiratubo
« Reply #7 on: June 22, 2006, 06:06:36 AM »

I got an alert from Avira Antivir for those trojans as soon as the front page loaded, earlier today.
Andrew
« Reply #8 on: June 22, 2006, 07:40:45 AM »

This should now be resolved.  I stayed up until my hosting took care of one request I had (something I could not do myself, since the site is on a VPS).  Somehow the bad guy had my ftp password, which is strange - I am careful about where I log in from and how.  The password was also not a simple one.  The problem with FTP is that the password information is passed in the clear.  If the bad guy had somehow compromised a system between me and the server at some point, that would explain it.  My definite apologies to everyone for the problem.

I can do cron jobs and such, but tripwires often do funky things.  I will make a few changes and have some ideas how to keep an eye out for something like this in the future.

Ash, I am including a link to the Symantec page about the trojan (what popped up for Ed - he sent me a link).  However, your best bet is always to keep an updated virus scan.  Not doing so is a surefire recipe for danger.  At any one point there are several unpatched exploits for Internet Explorer.  I should also point out that the downloader trojan is just that, it attempts to download more nasty stuff onto a computer.  They are not uncommon at all on the Internet.  I have seen a few sites I use infected by them at times, usually bbs posts and such - most bbs software will catch this now.

I also should mention that I use Mozilla, vice IE.  Another reason I might not have seen this - but most of the Java-based trojans I have seen rely on exploiting Java.

http://securityresponse.symantec.com/avcenter/venc/data/downloader.html

The issue should have been fixed for the last eight hours.
AndyC
« Reply #9 on: June 22, 2006, 09:49:47 AM »

I picked it up a couple of days ago, and yes my Java was far from up to date. Was a nasty little bugger that was difficult to dig out once it was in there. I got the virus alert as soon as I accessed the board, then noticed a few things had immediately gone wonky. Homepage had changed, and popular addresses (google, yahoo, download.com, etc.) were rerouted to a page alerting me to the spyware (throwing in a scare that my computer might also be full of hidden pornography) and offering to sell me software to clean it off. Can you imagine the nerve? Can you imagine someone too stupid to see what's going on and actually buying it?

I updated all my definitions, then ran PCcillin, AdAware, Spybot, CWShredder and Hijackthis. Each one caught something, but it was CWShredder that finally fixed the problem with Google et al. Hijackthis then found the hidden pornography (a whole mess of links to porn sites, probably put there for the anti-spyware software to find once some fool buys it).

Anyway, my computer is now probably cleaner than it's been since I first turned it on.

Hard to imagine getting infected on this board. When it happened, I couldn't understand it, because I hadn't visited any questionable sites. The warning popped up when I visited here, but it didn't make sense to me that the trojan came from here.
Mr_Vindictive
« Reply #10 on: June 22, 2006, 10:35:14 AM »

AndyC Wrote:
-------------------------------------------------------
> Homepage had changed, and
> popular addresses (google, yahoo, download.com,
> etc.) were rerouted to a page alerting me to the
> spyware (throwing in a scare that my computer
> might also be full of hidden pornography) and
> offering to sell me software to clean it off. Can
> you imagine the nerve? Can you imagine someone too
> stupid to see what's going on and actually buying
> it?


Actually, yeah.  A lot of people do download, and pay, for the software that is recommended by the trojan. The software never actually removes anything, just installs more spyware and crap on the PC.
Andrew
« Reply #11 on: June 22, 2006, 12:02:54 PM »

AndyC Wrote:
-------------------------------------------------------
> Hard to imagine getting infected on this board.
> When it happened, I couldn't understand it,
> because I hadn't visited any questionable sites.
> The warning popped up when I visited here, but it
> didn't make sense to me that the trojan came from
> here.

Which is what really annoyed me.  I had gotten an email from Alex Baumans about the issue and was looking through the site, trying to trigger something as I also pulled up source code.  Then Ed emailed me while I was doing that saying the same thing.  At that point I just uploaded new versions of most of the pages.  When the bastard who was doing things came back I saw the change (took him about an hour).  By then I was already changing passwords and doing such.  Took me most of yesterday evening to make all the changes I wanted, just in case.

Quite honestly, if I was on a dedicated server I would probably just dump Russia and most countries over there into my firewall Deny pool.  You would not believe the number of attempted attacks I see daily.  And that is with the limited log access I have on the VPS.  Most are just scripted attacks, but there must be 50 to 100 per day, at least.
Ed, Ego and Superego
« Reply #12 on: June 22, 2006, 01:03:04 PM »

I rebuilt my computer recently and plugged it in to start re-installing all the updates to my original version of Windows and get my virus scanner, so I essentially had a "naked computer".  I googled some help sites to reference a process I didn't recognize and within 30 seconds I had been hijacked, virused, spywared, etc.  I wiped the machine again, just to be safe.
It was big lesson in security and a dent in my faith in humanity.  But now I am all over security.  But I say the scum who do this should be lightly boiled and then dried with a cheese grater.
-Ed
ulthar
« Reply #13 on: June 22, 2006, 04:03:33 PM »

Ed Wrote:
-------------------------------------------------------
> It was big lesson in security and a dent in my
> faith in humanity.  But now I am all over
> security.

Well, er, at least a dent on one's faith of WINDOWS.  That's where the problem lies, but that is a discussion for another day.
Dr. Whom
« Reply #14 on: June 22, 2006, 04:38:56 PM »

ulthar Wrote:
-------------------------------------------------------
> But, of course, if they get root, all bets are
> pretty much off if they do any real damage.

I must remember this one. The best technical phrase since Jon Pertwee reversed the polarity of the neutron flow.
    Badmovies.org is owned and operated by Andrew Borntreger. All original content is © 1998 - 2014 by its respective author(s). Image, video, and audio files are used in accordance with the Fair Use Law, and are property of the film copyright holders. You may freely link to any page (.html or .php) on this website, but reproduction in any other form must be authorized by the copyright holder.