Hi all - another update - my server hosts provided me with a log file early today that indicated that I had the ’Reflect’ exploit on my machine - the Modx security notice regarding this exploit is here:
http://modxcms.com/forums/index.php/topic,30875.0.html - I was unlucky in that I installed this site in November, before the recommended fix for this exploit was announced.
This led me to think that perhaps my problems were all related to this exploit - however, something just didn't add up. After running Sophos, MalwareBytes, Norton, ZoneAlarm, Adaware, Spybot S&D, Spyware Doctor and a few others, it seems that I have finally found a virus scanner that has picked it up: Avira AntiVirus Personal.
Avira calls this exploit html/crypted.gen - it hides in hidden Internet Explorer temporary files, by the look of it, and was first identified in 2007. It has also found a secondary exploit called HTML/Spoofing.gen. Both relate to HTML / Javascript exploits.
I found a forum where users were complaining of Myspace websites being flagged by Avira as containing a virus (way back in 2007). Their first instinct was to flag it as a false positive. This was obviously quite early in the virus phase of distribution - they had exactly the same problem that's been plaguing the internet over the last month or so: encrypted javascript code that, when decrypted, quite clearly shows a hidden iframe redirecting to advertising sites.
I am running Avira on my machine now, and it's found two infections - and am hoping for a happy resolution, in terms of removing the infection. Will keep you posted.
Just to let you know, this has taken me 6 days (which is six days of lost work, as I cannot log in to any of my customers' domains without risk of compromising the security and site) to resolve - long nights up until 3 am, then waking at 8 am to continue - trying to hunt this damn thing down. The only virus scanning software that seems to have come close to identifying this virus, for me at least, is Avira. This really is an incredibly nasty exploit, in terms of the damage it can do.
Doing nothing about it is simply not an option.
To emphasise the point, if you think you have the exploit ensure you do all of the following:
If you think you are infected, lock down your site - do not allow visitors to become infected, and save your site from being blacklisted by Google.
If you are infected, chances are that you will see the following indicators:
- You receive a warning (AVG warned me that my site was infected). NOTE: you will see the warning only once - subsequent visits to the site seem to produce no warnings, except when I visited in different browsers / machines - this happened to me.
- Internet Explorer may ask you to download an ActiveX control (Microsoft Database Control Update or something similar) - this control is a malware installer, I believe. Do NOT install this.
- Firefox will accept the redirection automatically to the site that hosts the malware.
- Google Chrome identifies the site as hosting or redirecting to a blacklisted site hosting malware. This is probably due to Google crawling these sites and blacklisting them automatically. See my original post above.
- You may experience Adobe Acrobat launching and crashing. This is an indicator that the malware has been installed. This happened to me.
What you need to do:
- Disable JavaScript in Adobe Acrobat Reader / Professional (Edit > Preferences > Disable JavaScript) - this is imperative; as Steve rightly says, Adobe have not successfully addressed this issue in any updates or through their security policy. Whether you're infected or not, EVERYONE should do this!
- Log in to your domain control panel(s) from a separate, clean machine and change your passwords. Do not visit the actual websites with a clean machine before you do all these steps.
- Look for obscure javascript code and iframe content within your source code that is redirecting visitors to your site. Check in both the output code from the site (i.e. View > Page Source) and in your includes / javascript files, etc. to confirm you have been infected. You might as well use the infected machine to do this.
- Run a virus scanner to check your machine. Obviously I would recommend Avira AntiVir first. Sophos has also been suggested, as has Malwarebytes. Previously I used every single Free / Trial Virus / malware / Antispyware software with no success - others might find they remove it faster. Delete the infection.
- You should also: turn off system restore to avoid reinfection on PC restart, delete all your temporary files in IE / FF and whatever browser you use, and do a disk cleanup to remove temporary files / temporary internet files, before you run your virus scan.
Once you are clean:
- Log into your domains using the Secure FTP (SFTP) option.
- Do not save your passwords in Dreamweaver, FileZilla or any other FTP program.
- Restore your site from a backup if you have one.
I hope this information helps - I wouldn't wish this experience on anyone else.
Dan.
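The "look for obscure javascript code and iframe content" step above can be automated over a downloaded copy of the site. The following is an added example, not code from Dan's post or from MODx: it flags hidden iframes, `eval(unescape(...))` / `document.write(unescape(...))` patterns, and percent-encoded string literals, which it decodes once and rescans so an iframe that only appears after `unescape()` runs is still reported. The sample HTML and the `example.invalid` hostnames are constructed for the demonstration.

```python
import os
import re
from urllib.parse import unquote

# Constructed sample of the kind of injected snippet described in the post
# (not real malware): a script that writes a zero-size iframe after
# unescape(), plus a second iframe hidden with CSS.
SAMPLE_HTML = """<html><body>
<h1>Welcome</h1>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2Fx%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E'))</script>
<iframe src="http://example.invalid/y" style="visibility:hidden" width="1" height="1"></iframe>
</body></html>"""

# Constructed clean page: a normal, visible iframe must not be flagged.
CLEAN_HTML = "<html><body><p>Hello</p><iframe src='/video' width='640' height='360'></iframe></body></html>"

# An iframe with zero width/height or hidden via CSS is a classic indicator.
HIDDEN_IFRAME = re.compile(
    r'<iframe[^>]*?(?:width\s*=\s*["\']?0|height\s*=\s*["\']?0'
    r'|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>', re.I)
# eval()/document.write() fed by unescape() is the usual decoding wrapper.
OBFUSCATED_JS = re.compile(r'(?:eval|document\.write)\s*\(\s*unescape\s*\(', re.I)
# A quoted literal carrying at least five %XX escapes is worth decoding.
ESCAPED_LITERAL = re.compile(r"""(['"])([^'"]*?(?:%[0-9a-f]{2}[^'"]*?){5,})\1""", re.I)


def scan_html(html, depth=0):
    """Return a list of (finding_type, snippet) for suspicious content."""
    findings = []
    for m in HIDDEN_IFRAME.finditer(html):
        findings.append(("hidden_iframe", m.group(0)[:80]))
    for m in OBFUSCATED_JS.finditer(html):
        findings.append(("obfuscated_js", m.group(0)))
    # Decode percent-encoded literals and rescan the payload (two levels at
    # most) so the iframe hidden inside unescape() is reported as well.
    if depth < 2:
        for m in ESCAPED_LITERAL.finditer(html):
            findings.extend(scan_html(unquote(m.group(2)), depth + 1))
    return findings


def scan_tree(root, exts=(".html", ".htm", ".js", ".php")):
    """Walk a local copy of the site and report findings per file."""
    report = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(exts):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report


if __name__ == "__main__":
    for kind, snippet in scan_html(SAMPLE_HTML):
        print(kind, "->", snippet)
```

Run `scan_tree("/path/to/site-export")` against a copy pulled over SFTP; it is a heuristic triage aid, so review each hit by hand rather than treating an empty report as proof the site is clean.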