Malware Virus & What You Should Know About It

Posted Friday, September 25, 2009 by momscashblog | 23 Comments so far
Here is a guest post by my blogging buddy Plin of myfrugalways.com. He helps us understand what happens when we are hit with the dreaded “Reported Attack Site” warning on our blogs, and how, what, and why this happens.
Plin:
Here is a post I wrote up. I hope this helps people who are looking for more information regarding malware.
Here is the definition of Malware from Wikipedia http://en.wikipedia.org/wiki/Malware
Malware, short for malicious software, is software designed to infiltrate a computer without the owner’s informed consent. The expression is a general term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code.

There are many different types of malware, including computer viruses, worms, Trojan horses, etc. Each type of malware varies in the way it infects the user’s computer and how much control it gains. One of the most common issues bloggers encounter is known as an iframe injection attack. In an iframe injection attack, the malware inserts a piece of code that looks like:
<iframe src="*some bad website*" width=1 height=1 style="visibility:hidden;position:absolute"></iframe>
into your code base. The most common target files are index.*, since that is the first page loaded by any website. The 1x1 size and the hidden style mean the frame is invisible to the visitor. Essentially what the <iframe> code does is pull the bad website into your page, so anyone who visits your site is silently sent to that other site, which might be filled with even more malware.

There are numerous ways in which the malware can infect your account, but two of the most common are a result of hosting servers and FTP.

1. Hosting servers. Some hosting companies do not set up their security settings properly, and as a result when one account is compromised the hacker gains access to other accounts as well. E.g. suppose JJ’s blog and my blog sit on the same server and I am running a very old version of WordPress. If a hacker hacks my account and the security is not set up properly, he can now access JJ’s files too, even though JJ is very vigilant in keeping her copy of WordPress up to date. This is a known problem for some hosting companies and it is why one should be wary of free/cheap hosting solutions. If you have ssh access to your account, make sure to change the permissions of your files to the most restrictive level.

2. FTP password. Most bloggers work on their WordPress files on their local computer before FTPing the files to the server. As a result FTP passwords are often a target of malware. If you visited some unclean website, your computer can be infected with malware that sniffs for FTP passwords. The moment you upload your files to your FTP account, the password is captured by the hacker, and they can now automate the iframe code insertion process using your FTP password. Because of this, it is better to use secure FTP (SFTP) so the data exchanged between your computer and the server can’t be easily sniffed.

To clean up after an iframe injection attack:
>Keep your anti-virus software updated on your home computer.
>Update your WordPress to the latest version. WordPress is known for security flaws and they constantly release security patches.
>Change all your passwords. A good password should have a mix of upper case, lower case, and numbers.
>Avoid using applications that require your password on a public computer. Internet cafes are especially deadly.
>Check all your WordPress files for <iframe> tags and remove them. The key files are index.*; however, other files might also be affected.
>Investigate how the attack originated. This one is a little more difficult, but I would suggest trying to think about whether you have downloaded unknown software recently.
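As an added example (not part of Plin’s post), here is a small Python scanner that implements the “check all your WordPress files for <iframe> tags” step above: it walks a directory (the path is an assumption) and flags iframes that are hidden or sized 1x1, as in the snippet at the top of the post, while leaving ordinary visible embeds alone. It also catches display:none, a variant the post does not mention.

```python
import re
import sys
from pathlib import Path

# An injected <iframe> of the kind the post describes: the tag is caught
# first, then judged suspicious if it is hidden or sized 1x1 (display:none
# is also treated as hidden; the post itself only shows visibility:hidden).
IFRAME_RE = re.compile(r"<iframe\b[^>]*>.*?</iframe\s*>", re.IGNORECASE | re.DOTALL)
HIDDEN_RE = re.compile(
    r"visibility\s*:\s*hidden|display\s*:\s*none"
    r"|width\s*=\s*[\"']?[01]\b|height\s*=\s*[\"']?[01]\b",
    re.IGNORECASE,
)

def find_suspicious_iframes(text):
    """Return (line_number, tag) for every hidden or 1x1 iframe in `text`."""
    hits = []
    for m in IFRAME_RE.finditer(text):
        tag = m.group(0)
        if HIDDEN_RE.search(tag):
            hits.append((text.count("\n", 0, m.start()) + 1, tag))
    return hits

def scan_tree(root, patterns=("*.php", "*.html", "*.htm")):
    """Walk a WordPress directory (assumed path) and map file -> suspicious iframes."""
    root = Path(root)
    report = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            hits = find_suspicious_iframes(text)
            if hits:
                report[str(path.relative_to(root))] = hits
    return report

# Constructed samples: a theme file after the injection, and a legitimate
# visible 640x360 video embed that must NOT be flagged.
SAMPLE_INFECTED = """<?php get_header(); ?>
<div id="content">
<IFRAME src="http://bad.example/in.php" width=1 height=1 style="visibility:hidden;position:absolute"></IFRAME>
</div>
"""
SAMPLE_CLEAN = '<iframe src="https://video.example/embed/1" width="640" height="360"></iframe>'

if __name__ == "__main__":
    # Usage: python scan_iframes.py /path/to/wordpress
    for path, hits in scan_tree(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for line, tag in hits:
            print(f"{path}:{line}: {tag[:90]}")
```

Remove any hit by hand after looking at it; a scanner like this finds the tag for you, but a matching file still has to be checked and restored from a clean copy.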
Some good blogging practices to keep your account safe:
>Rename your administrator account to something other than admin or administrator. This will prevent attacks where the malware uses admin as the username and simply tries all the words in the dictionary. (Hint: using dictionary words as a password is a very bad idea.)
>Back up your database on a scheduled basis.

Cheers, Plin
momscashblog note: I had a couple of questions that “I” still didn’t understand after the guest post, so I wrote to Plin and he suggested that we use these questions in the post. So here goes. My question was: in the first part of your post you mention that we “should check all WordPress files for <iframe> tag & remove them.” Where do we find this in WP, under what title/tag, and what will it look like when we see it?
Plin: When you create your WordPress account, what you are setting up is a set of files. The main ones are:
index.php
footer.php
header.php
page.php
search.php
sidebar.php
single.php
index.php is the starting page of your website. Those files are placed on the server. You can also access them after you log into wp-admin. Under Appearance there is an Editor tab. You will see an index.php page.

momscashblog: You mention to “keep your anti-virus software updated”. What software do you suggest? I use Spybot and AVG; do these take care of malware or do you recommend something better?
Plin: I usually use Norton. I think the key aspect is that even with anti-virus software, you should keep the anti-virus software updated.
I encourage everyone to write in with any questions that are still unclear about malware & virus attacks on our blogs. If you are not familiar with what goes on behind the scenes of our WordPress, as I will admit I am at times, then please leave comments or questions for Plin & myself and I have no doubt Plin (lol) will answer them for you. If you have a webmaster that maintains your blog for you (as I do, thank you Lloyd) I think it’s still important for all of us to at least be aware of things that look suspicious before you get the dreaded attack site. Now is the time to take some control over our own blogs and educate ourselves on some of the things that make our blogs work, things that we just take for granted. Don’t be afraid to ask any question no matter how simple or hard you think it is to understand, especially any new bloggers, just ask it! Thanks to Plin and all of you & I hope this guest post will help even just one person out there to prevent their blog from going offline. JJ


Comments
Thomas J. Raef September 26th, 2009 (8:21 am)
That’s an excellent write-up.

I would like to add to it by explaining a little more in-depth what the virus that steals the FTP passwords does, and why hackers do this.

The virus is very adept at determining the current anti-virus software installed on the infected PC. It does this so that it can “morph” into something the anti-virus software won’t detect. It then disables the updates.

This virus steals the FTP login credentials in a variety of ways.

First, it knows that some popular FTP programs store their username and passwords in an unencrypted format in files. It searches for these files, opens them, reads them and sends the contents to a server which then carries out the website infections. Everybody is looking for free software. Well, many of the free FTP programs store their usernames and passwords in plain text.

So, to defend against this, many people stop storing their FTP username and password and feel they’re safe.

However, the second way the virus works is by acting as a keyboard logger. This records all your keystrokes. When you type in your FTP login credentials, it records them, sends them to a server and carries out the website infection.

The third way the virus works is by “sniffing” the outbound FTP traffic from the infected PC. Since FTP transmits all data, including the login credentials, in plain text, it’s quite easy for the virus to capture this information, send it to a server and, well, you get the point.

Keep in mind that when the above methods are used, there will be evidence of the infected webpages being uploaded in the FTP logs. Quite often, though, people don’t ever read those, but the IP address of the infectious server will be the source IP address.

The fourth way the virus works is by injecting the malicious iframe into the FTP data stream as it leaves the infected PC. Let’s say you’ve made some changes to a webpage on your PC. You then FTP it up to your site, and as the file is being uploaded to the website, the virus injects its code. So the webpage on your PC looks fine. By the time it gets to the webserver, it’s infected. This method will not leave any evidence in the FTP logs because the source IP address in the log file is yours.

The fifth and final way the virus works, that we’ve seen, is that it waits for you to FTP something to your website. When you do, it also uploads an infected webpage, different than the one you’re uploading, to your website. This one we’ve just started seeing recently. But we have tested it. We’ve sent webpages to a website and then watched as a different webpage is uploaded at the exact same time as the file we uploaded. So again, there is no evidence in the log file because it originated from our PC at the exact same time.

This comment is getting long but I promised I’d also explain why hackers do this.

Money.

They make money from infected PCs. What better way to infect PCs than with a “drive-by download”? Just by people viewing those infectious websites, they run the risk of being infected. Once they’re infected, the hackers can install other malware on their PCs which they, the hackers, get paid for.

It’s no longer about showing the world what they can do. They now profit from their craft.

Money, it’s what makes the world turn.

jj-Moms Cash Blog September 26th, 2009 (4:50 pm)
Hey Thomas, Wow! Thanks for the extra information that you offered here, this is what I was hoping for. To get a forum going where as people who know about this malware and those of us who don’t know can give opinions and informational instructions for all of us to learn from. I must admit I’m still a little fuzzy about where we find the IP address of the “money sucker’s hackers”. I want to know who did this, and I know I can’t make it personal by saying who did this to “me”, but when this does happen it does feel like it was “done to you.” Thanks again for comment. jj

Gary Mchale September 26th, 2009 (10:13 pm)
Wow thanks for the info.
Will take a lot more care in future.
Make sure all my internet activities are covered by full protection.

vinay September 27th, 2009 (4:28 am)
Malware viruses are ones that knowingly or unknowingly run in the background and track your surfing habits. This is the reason why one gets so many unwanted pop up ads for anti virus or free pc scan.

Laura-Whateverebay September 27th, 2009 (9:01 pm)
This is a must read for anyone using computers. All my work is from website (eCommerce) blogging where malware could cripple my business. Thanks for getting the research done for the rest of us.

plin September 28th, 2009 (3:56 am)
Hi Thomas,
Thanks for the additional information regarding FTP!

dasir October 12th, 2009 (7:12 pm)
thank ya..this information is very important for me..good luck..

Moms Cash Blog October 13th, 2009 (4:26 pm)
Thanks for stopping by and I’m glad that this information may help you or anyone out there beware of what Malware Virus is & what it can do to one’s blog.

David Shaw October 14th, 2009 (4:38 pm)
Very interesting post!

Thank you very much!

batching system October 19th, 2009 (8:38 pm)
Thanks for this useful information. I also use WordPress on a shared hosting account so I know I’ve got to watch out for this too.

jj-Moms Cash Blog October 20th, 2009 (4:18 am)
Hey David, Thanks for dropping by and I’m glad you found it interesting. It is useful information… for sure!

Batching System, I’m glad you found this info. useful to you and your website and yes we all have to watch out for any of the signs that Plin has mentioned here in his post. Better to know and learn about it now before one gets hit by the deadly virus!! It’s not fun I can tell you that much and a lot of work just to get back online. Thanks for dropping by. jj

Adam October 26th, 2009 (7:12 pm)
great info JJ!

TriNi @ Make Money Online Free November 2nd, 2009 (8:54 pm)
Hey! Just found one of your videos from youtube.. the one that was talking about SurveySavvy and I thought I’d stop by and check out your blog. :) I’m also into the make money online world.. into survey sites and all that.. looking to keep learning and find new ways to earn!

I really like your blog and I can see you’ve put alot of effort into it.

I also have a blog.. hopefully you stop by and visit as well. :)

Anyway.. wanted to wish you best of luck, and I read a post a little lower down where you were in a coma and all that. Wow life can be so unpredictable huh? Hope you’re much better now and keep up the great work on your blog!

TriNi

Wholesale Liquidation November 11th, 2009 (10:34 pm)
I think JJ has given up on blogging –

Oh where Oh where has JJ gone?

Oh where, oh where can she be?

The Free Money Man November 13th, 2009 (11:09 pm)
I really hate malware and spyware. Thanks for the heads up and the techniques to combat them. Much appreciated!

Comforpedic December 8th, 2009 (8:01 pm)
Ah, I had been wondering what causes that “Reported Attack Site” message. But I had no idea it’s this complicated to solve, I just thought it meant that there was something not-quite-innocent about the way the site was coded or something. Good information… -Susan

Ron December 31st, 2009 (7:03 pm)
I agree that malware is getting much more complex nowadays. Quite frankly, it’s getting harder and harder to detect these things.

A few useful things WordPress bloggers can do to further protect their sites are:

1. Install the Login Lockdown plugin. This will prevent brute force attacks on your WordPress login page.

2. Create a blank index.html file and put it in your plugin directory. This will prevent people from seeing what plugins you’re using by typing an address in their web browser.

3. chmod your WordPress files. Your user account should have read, write, and execute; the system should have read and execute; and the public should have read only. By default, most hosts are not set up this way. This can help make it harder for hackers to inject code into your WordPress files.

There are other things you could do as well, but these 3 steps will help out a ton.

good post, keep them coming
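An added example (not Ron’s code) implementing his third step as an audit: it walks a WordPress directory (assumed path) and reports every file whose mode grants more than owner rwx, group r-x, others r-- (0754), taking “the system” to mean the file’s group; with --fix it clears only the excess bits and never touches the owner’s own permissions.

```python
import os
import stat
import sys
from pathlib import Path

# Ron's scheme is owner rwx, group r-x, public r-- (0754).  These are the bits
# that scheme never allows on a file: group write, world write, world execute.
# Any of them set means someone other than the owner could change or run it.
FORBIDDEN_BITS = stat.S_IWGRP | stat.S_IWOTH | stat.S_IXOTH

def excess_permissions(mode):
    """Return the forbidden permission bits present in `mode` (0 when compliant)."""
    return stat.S_IMODE(mode) & FORBIDDEN_BITS

def tightened(mode):
    """Return `mode` with the forbidden bits cleared: 0o777 -> 0o754, 0o666 -> 0o644."""
    return stat.S_IMODE(mode) & ~FORBIDDEN_BITS

def audit_tree(root, fix=False):
    """Report regular files under `root` (assumed WordPress install) with excess bits.

    Returns {relative_path: (current_mode, excess_bits)}.  With fix=True the
    excess bits are also removed with chmod; owner bits are left as they are.
    Symlinks are skipped so a link into another account's tree is never touched.
    """
    root = Path(root)
    findings = {}
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        mode = path.stat().st_mode
        excess = excess_permissions(mode)
        if excess:
            findings[str(path.relative_to(root))] = (stat.S_IMODE(mode), excess)
            if fix:
                os.chmod(path, tightened(mode))
    return findings

if __name__ == "__main__":
    # Usage: python audit_perms.py /path/to/wordpress [--fix]
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, (mode, excess) in audit_tree(target, fix="--fix" in sys.argv).items():
        print(f"{rel}: mode {mode:04o}, extra bits {excess:04o} -> {tightened(mode):04o}")
```

Run it without --fix first and read the list; a file the web server must write to (uploads, caches) may legitimately need bits this scheme removes.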

Moms Cash Blog January 1st, 2010 (1:30 am)
Ron, excellent ideas where were you when I needed you?? If you ever care to do a guest post more in-depth I would certainly publish it as I know there are tons of bloggers/website owners who could use this valuable information that you seem to know. Thanks so much for stopping by my blog and leaving such an informative comment it is greatly appreciated. Have a Happy New Year! Hope to see you here again soon. JJ

attorney optimization January 22nd, 2010 (1:43 pm)
Avast has detected a malware virus on my computer i have already placed it in the virus vault? Is it safe to delete it?

Ja Raziano November 30th, 2010 (4:07 pm)
Wow! Thank you! I continually needed to write on my blog something like that. Can I implement a part of your post to my site?

momscashblog November 30th, 2010 (7:27 pm)
Thank you for visiting MomsCashBlog and I appreciate your comment regarding the post. In regards to whether you can implement part of the post, feel free to do so. I just ask if you would please use a link showing that it came from my post and blog. Again thanks and I’ll have to get over to your website and check you out. Thanks jj

Ken Surber June 18th, 2011 (12:38 am)
Great goods from you, man. I’ve understand your stuff previous to and you’re just extremely fantastic. I actually like what you have acquired here, certainly like what you’re stating plus the way in which you say it. You make it entertaining and you still take care of to maintain it wise. I can’t wait to read far more from you. This is actually a tremendous site.
