We have recently received reports of a few sites attempting to install malicious scripts (viruses) or Trojans on visitors' computers. If you observe any such suspicious activity, please bring it to our notice immediately so that we can take appropriate action and avoid any unpleasant experiences later. The following details are provided for your reference and awareness of this issue.
# This virus appears only because of one of the following reasons:
- Your website has weak or vulnerable code that is exploited by a hacker.
- Your FTP password is weak, generally a dictionary word, and is cracked by brute-force attempts.
# How does the iframe virus work?
The hackers behind this have not actually “hacked” into servers; they are using the websites' own programming errors to inject this code into search results pages created by the websites' own internal search engines.
The hacker searches for popular keywords (like “furniture” on the Wal-Mart website) using the site's internal search engine. But instead of running a normal search, the hacker appends an HTML command to the end of the search string. This command opens an invisible “iframe” window in the victim's browser, which redirects to a malicious website, which then (if successful) installs fake antispyware or a version of the “Zlob Trojan Horse” malware on the victim's computer.
These hackers actually get great Google rankings too. In order to boost their Google rankings, websites often save a copy of these search results and submit them to Google. When a victim searches Google for the keyword, these cached search results then pop up, with the malicious code now inside them.
# How is the hack done?
- The client-side PC gets infected with the virus from the search results.
- The virus gets the FTP username/password from the FTP clients.
- Using the username/password, the virus downloads the index files, adds the iframe code to them and re-uploads them to the web server.
- The iframe code points to the same virus, so anyone accessing this website gets infected with the same virus, and it spreads again.
# What should you do?
- Ensure that your code is free from such vulnerabilities.
- Change all FTP passwords regularly, keep them safe, and use a combination of letters, numbers and special characters.
- Before updating the new password in your FTP client, perform a full system virus scan with a reliable virus scanner updated with the latest virus definition files.
- Also, try not to save (remember) the FTP username/password in FTP clients or on public computers.
- Check the website files for any unrecognizable or encrypted code that is not known to you or is not part of the website's function. If any is found, follow the steps above and update the web pages with the proper code.
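One way to carry out the file check in the last point above, as an added example that is not part of the original notice: a Python script that flags invisible or off-site iframes and unescape-style obfuscated script in a page. The function names, host names and sample page are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Script patterns typical of "unrecognizable or encrypted" code: unescape() wrappers, long %XX runs.
OBFUSCATION = re.compile(r"(?:eval|document\.write)\s*\(\s*unescape\s*\(|(?:%[0-9a-fA-F]{2}){20,}")
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

# Constructed sample: an index page with two injected lines (host names are placeholders).
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="/map.html" width="400" height="300"></iframe>
<iframe src="http://malicious.example/in.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>document.write(unescape('%3C%69%66%72%61%6D%65'))</script>
</body></html>"""


class IframeAudit(HTMLParser):
    """Collects iframes that are invisible or that load from another host."""

    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = urlparse(a.get("src", "")).hostname  # None for relative (same-site) URLs
        tiny = any(a.get(d, "").strip().rstrip("px") in ("0", "1") for d in ("width", "height"))
        hidden = tiny or bool(HIDDEN_STYLE.search(a.get("style", "")))
        external = host is not None and host != self.own_host
        if hidden or external:
            self.findings.append((self.getpos()[0], "iframe", a.get("src", ""), hidden, external))


def audit_page(html, own_host):
    """Return sorted (line, kind, detail, hidden, external) tuples for markup to review."""
    parser = IframeAudit(own_host)
    parser.feed(html)
    parser.close()
    findings = parser.findings
    for lineno, line in enumerate(html.splitlines(), 1):
        if OBFUSCATION.search(line):
            findings.append((lineno, "obfuscated-script", line.strip()[:60], False, False))
    return sorted(findings)
```

Call `audit_page()` on the contents of each index file with your own site's host name. A visible iframe from another host (for example a video embed you added yourself) is also reported, so review each finding against what the page is supposed to contain.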
Please feel free to contact us for any further assistance or clarification that you may require on this issue.
Posted on: Thursday, 5th March 2009 6:54 AM