PC Infections Often Spread to Web Sites

Most people are familiar with the notion that a computer virus can be passed from PC to PC, but many folks would probably be surprised to learn that a sick PC can often pass its infection on to Web sites, too.

Some of the most pervasive malicious software circulating today (e.g., Virut) includes spreading capabilities that hark back to the file-infecting methods of the earliest viruses, which spread by making copies of themselves, or by inserting their code into other files on the host system.

Malware often modifies existing files on the victim's PC to maximize the chances that infected files will be shared with and downloaded onto new host systems. One of the most effective ways of doing that is for malware to inject copies of itself into all of the HTML files found on a victim's computer.

The end result could be this: If the victim is also responsible for maintaining a Web site, there is a good chance that any HTML files subsequently uploaded from the victim's PC to his or her Web site will also harbor copies of the malware. In most cases, the malware is little more than a script that silently redirects the visitor's browser to a malicious Web site, which in turn tries to install rogue software by attempting to exploit a kitchen sink full of known security flaws. Nevertheless, this approach can turn a single PC infection into a much larger problem.

Recently, attackers have been hacking into massive numbers of Web sites in a bid to stitch their exploit code into them. While some have been quick to blame those mass compromises on lazy system administrators who fail to keep their sites updated with the latest security patches, the folks over at StopBadware.org say they are seeing an uptick in reports of Web site break-ins that originated with a PC infection.

StopBadware says this particular malware spreading technique involves the automated theft and use of compromised FTP credentials from infected systems (I wrote about this activity in a recent post, The Scrap Value of a Hacked PC). From their advisory:

Specifically, the local malware seeks out saved usernames and passwords in popular FTP clients like CuteFTP and Filezilla and then uses the stolen information to upload modified code to the web server. This leads to a frustrating cycle for the unsuspecting website owner, who discovers bad code on his/her site, fixes the problem, and then finds the site infected again a day or two later.

StopBadware suggests that one easy way to prevent this from happening is to refrain from storing passwords in FTP client software. But this is also a reminder that if you find yourself in the unfortunate position of having to clean up a computer from a virus infection, it's always a good idea to scan any HTML code and scripts for sites you maintain to make sure you're not passing along the disease to the rest of the Internet.
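The scan the last paragraph recommends can be automated. The script below is an added example, not code from the article or from StopBadware: it looks through HTML files for the kinds of injected content the post describes (hidden iframes, meta-refresh redirects to another host, JavaScript built from a percent-encoded blob fed to unescape()/eval()/document.write, or a script appended after the closing html tag), and it also compares each file's SHA-256 hash against a baseline manifest taken at the last known-clean upload, so a changed file stands out even when no pattern matches. The indicator patterns are heuristics I chose for illustration, and the file names, baseline manifest and sample pages are constructed; the iframe target uses the reserved `example.invalid` name rather than any real host.

```python
"""Triage HTML files for injected redirect code and unexpected changes.

Added example (not from the article or StopBadware). Heuristic indicators plus
a baseline-hash comparison; all sample data below is constructed.
"""
import hashlib
import re
from typing import Dict, List

# Heuristic indicators of injected redirect code. Order determines report order.
PATTERNS = {
    # iframe sized to zero or styled invisible
    "hidden_iframe": re.compile(
        r"<iframe[^>]*(?:width|height)\s*=\s*[\"']?0"
        r"|<iframe[^>]*(?:visibility\s*:\s*hidden|display\s*:\s*none)",
        re.I | re.S),
    # meta refresh that sends the browser to an absolute URL (another host)
    "meta_refresh_redirect": re.compile(
        r"<meta[^>]+http-equiv\s*=\s*[\"']?refresh[\"']?[^>]+url\s*=\s*https?://",
        re.I),
    # script body that decodes or evaluates itself at run time
    "obfuscated_script": re.compile(
        r"<script[^>]*>[^<]*(?:unescape\s*\(|eval\s*\(|document\.write\s*\(\s*unescape)",
        re.I | re.S),
    # long run of %XX escapes, typical of unescape()-based payloads
    "escaped_blob": re.compile(r"(?:%[0-9a-f]{2}){20,}", re.I),
    # content appended after the document properly ended
    "script_after_html_end": re.compile(r"</html>\s*<script", re.I),
}


def scan_html(text: str) -> List[str]:
    """Return the names of all indicators that match one HTML document."""
    return [name for name, rx in PATTERNS.items() if rx.search(text)]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_site(files: Dict[str, bytes], baseline: Dict[str, str]) -> Dict[str, dict]:
    """Scan each file for indicators and compare its hash to the baseline.

    files:    path -> current file contents
    baseline: path -> SHA-256 hex digest recorded at the last clean upload
    """
    report = {}
    for path, data in files.items():
        known = path in baseline
        report[path] = {
            "indicators": scan_html(data.decode("utf-8", errors="replace")),
            "changed_since_baseline": known and baseline[path] != sha256_hex(data),
            "not_in_baseline": not known,
        }
    return report


# --- constructed sample site -------------------------------------------------
CLEAN_PAGE = (b"<html><head><title>Home</title></head>\n"
              b"<body><h1>Welcome</h1><p>Our hours are 9 to 5.</p></body></html>\n")

# Constructed: the clean page with a zero-size hidden iframe inserted before </body>.
INFECTED_PAGE = CLEAN_PAGE.replace(
    b"</body>",
    b'<iframe src="http://example.invalid/x" width="0" height="0" '
    b'style="visibility:hidden"></iframe></body>')

# Constructed: the clean page with a percent-encoded blob decoded by unescape().
OBFUSCATED_PAGE = CLEAN_PAGE.replace(
    b"</body>",
    b"<script>document.write(unescape('%3C%69%66%72%61%6D%65%20%73%72%63%3D%22"
    b"%68%74%74%70%3A%2F%2F%65%78%61%6D%70%6C%65%2E%69%6E%76%61%6C%69%64%22%3E'))"
    b"</script></body>")

# Baseline manifest recorded when both known pages were clean (constructed).
BASELINE = {"index.html": sha256_hex(CLEAN_PAGE), "about.html": sha256_hex(CLEAN_PAGE)}

# Files as found on the workstation today (constructed).
SITE_FILES = {
    "index.html": INFECTED_PAGE,    # changed and carries a hidden iframe
    "about.html": CLEAN_PAGE,       # unchanged
    "contact.html": OBFUSCATED_PAGE,  # new file, never in the baseline
}


def main() -> None:
    for path, result in check_site(SITE_FILES, BASELINE).items():
        flags = list(result["indicators"])
        if result["changed_since_baseline"]:
            flags.append("changed_since_baseline")
        if result["not_in_baseline"]:
            flags.append("not_in_baseline")
        print(f"{path}: {'CLEAN' if not flags else ', '.join(flags)}")


if __name__ == "__main__":
    main()
```

Run it against a directory of exported site files before uploading; anything flagged as changed or new deserves a look at the raw source even if no indicator fired, since the baseline comparison is what catches variants the patterns do not know about.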

Finally, if you have questions about security, privacy, or anything tech-related, please don't hesitate to drop it in the queue for Security Fix Live, a live online discussion that I'll be hosting at 11 a.m. ET tomorrow.

By Brian Krebs  |  July 16, 2009; 4:43 PM ET
Categories:  Latest Warnings , Safety Tips  | Tags: pc infections, web sites  

Comments

I really enjoy your reporting, Brian. Your thoroughness shows.

News of the Internet's inherent dangers just keep on coming, and something has to be done to get users focused on best practices.

Sounds like something you could do as a service to your readers. A constantly updated summary of current threats and responses, sponsored by the Washington Post.

Posted by: Dawny_Chambers | July 16, 2009 7:36 PM

Brian: You and your security sources do a really good job -- a job of scaring the daylights out of users. Without that result, neither you nor your sources would have an income. I've been on the Internet for nearly 10 years and I've never knowingly had a virus, have seen few worrisome evidences of spyware, have never had my computer taken over by malicious people, and get a good night's sleep when putting the computer to bed. Sorry to disappoint you. Cheers from San Francisco!

Posted by: lienkirk | July 16, 2009 8:13 PM

Ditto what Dawny writes. I've recommended your column to every db administrator I know.

Question. If you design web pages on a Mac, could your site keep the bug and infect visitors who have PCs? Thanks.

Posted by: Leofwine | July 16, 2009 8:13 PM

Leofwine, yes, the Mac could infect PCs if it passed infected files. HTML files are operating system agnostic.

Posted by: oldno7 | July 16, 2009 9:03 PM

Brian: You and your security sources do a really good job -- a job of scaring the daylights out of users. Without that result, neither you nor your sources would have an income. I've been on the Internet for nearly 10 years and I've never knowingly had a virus, have seen few worrisome evidences of spyware, have never had my computer taken over by malicious people, and get a good night's sleep when putting the computer to bed. Sorry to disappoint you. Cheers from San Francisco!

-------------------
So explain the hundreds of thousands of zombie machines. The thousands of exploited web sites? People like you are the reason that this happens. You are the type of people that ignore security warnings and ridicule people that give them.

I have been in companies where every single computer was infected with viruses. It was passed via the intranet (not the Internet, but the internal network). I have seen people infect their friends by sharing files. I have followed links that lit up my virus detection like the 4th of July.

I am of the firm belief that if people (like you) allow their machines to be infected, are warned, and don't clean it, you should have your Internet cut off by the ISP. You should be put on a black list and not able to get Internet service. When/if you do get Internet service again, the ISP should monitor your machine for high activity. It should also throttle your Internet so that it will be very difficult for you to infect others.

People need a wake-up call, and what I just described will do it. When national web sites are brought down due to DDoS attacks from infected machines, no security restriction is too great. You're a fool, and you are a prime target for people that do spread this. And you deserve it by your attitude. Hope they melt your machine when they attack you so that you are unable to spread to others.

By the way. When was the last time you did a virus scan?

Cheers from the real world.

Posted by: LiberalBasher | July 16, 2009 9:18 PM

Brian

I hope LiberalBasher's view lacks merit, but if my machine runs a scan on all incoming e-mail due to my anti-virus program, how is it that major web sites do not do likewise? HP has several free tools for exactly that purpose ???

Posted by: brucerealtor@gmail.com | July 17, 2009 3:21 AM

Where is the wisdom? We all know what can happen and still with all precautions it still happens.

When virus scanners detect a virus -- big deal -- usually it is something else; sometimes the virus scanner itself removes/deletes/vaults important OS files, so the machine doesn't boot again.

Solution? Backups, of course, done frequently and without being connected to the Internet. Better, if you run Windows, run it in a VirtualBox with a Linux host. In case the VirtualBox gets infected, just close it, delete the OS file and copy the old one back.

Posted by: holocaustgaza | July 17, 2009 4:02 AM

Simply put, Brian, you are the most valuable reporter at WaPo. It is amazing to me how you stay so on top of PC news. You're a must-read for IT types and PC users. If only the rest of WaPo worked as hard and was as useful...

Posted by: gbooksdc | July 17, 2009 6:43 AM

Well done as usual, Brian. I'm a little confused, though. Wouldn't this script be visible when doing a proofread of your code prior to uploading? Or is it just exploiting people who snag a copy of FrontPage and call themselves web designers?

I always look over my code first. Mostly checking for hrefs and orphan tags and to make up for my scatterbrained file system, but I think I'd notice a redirect script.

As always, there is some personal responsibility involved here. You glance over your shoulder at the ATM don't you? Be careful out there.

Posted by: nourider | July 17, 2009 9:54 AM

@Nourider -- sometimes yes, sometimes no. Often, the code added to HTML files is nothing more than a one-line . In other cases, it's obfuscated JavaScript that includes unescaped characters and other apparent gibberish.

Posted by: BTKrebs | July 17, 2009 10:27 AM

The point with such infected HTML files is that it may be easy to read if you directly view your code, but if you use automated coding tools like FrontPage, DreamWeaver and related WYSIWYG programs (or use the Save as HTML functions of MS Office programs like Word) and don't actually check your code directly, you'd never know your files had been changed. Also, if you use simplistic FTP programs as Brian mentioned instead of more secure SSH tools, the upload function could be compromised as well.

Posted by: webdevgal | July 17, 2009 11:25 AM

Brian,
Thanks for the heads-up in your article above. I'm not sure what I enjoy more, reading your articles or the comments that follow afterwards. For instance, I wonder if lienkirk actually uses any type of anti-spyware program or anti-malware program, since he is so confident that the security warnings that are issued regarding PCs are nothing but hype :-))

Posted by: Kaynice | July 17, 2009 1:00 PM

Dear Brian:

I think your posts are clear, concise, and easy to understand. I like that your style tries to make it easier for us less-than-expert people to understand.

You have a big fan here!!

Posted by: EZReader1 | July 17, 2009 1:25 PM

@LiberalBasher: It's quite possible lienkirk really has been free of infections all that time. Antivirus programs are important -- and lienkirk never said he doesn't use them -- but the most critical protection is to be very cautious about what you download, to avoid using Internet Explorer, to turn off JavaScript by default with a utility like NoScript, to install patches for all the software you use when online, etc.

@lienkirk: That being said, unless you are going to go without most of what the Internet has to offer, you are still not completely safe. Bad guys can find exploits of popular programs before anyone else, and if you're unlucky, you could be one of the people who get burned before a patch is released. Trusted sites can be pwn3d through mechanisms like that described in this article, and some VERY trusted sites have been hacked through other means. Unless you review the HTML source on every web page you visit before you allow JavaScript, you could be victimized. The best AV programs on the market still miss a significant number of trojans the first day they start being spread.

There is usually a window between when a problem is discovered and when it is fixed, and having a blog like this one to give web users a heads up can save them a lot of headaches.

Posted by: AlphaCentauri | July 17, 2009 8:19 PM

Brian,

Your well-researched and highly informative columns should be required reading. Indeed, I regularly cut, paste and send them to clients (and woe unto those who call me to fix a problem you have already discussed - along with how to avoid it). Needless to say, another huge fan.

All the best.

Posted by: AJNorth | July 18, 2009 3:50 AM

© 2010 The Washington Post Company