There have been numerous unrelated web-sites intrusions lately. The result is that a malicious script (usually a modification of Trojan-Downloader.JS.Psyme) is put on the server in place of the original index* file, so that when a user visits the web-site the script is immediately executed. During the script execution a known/patched Microsoft IE vulnerability is exploited, which leads to the user’s PC getting infected with a Trojan spy. Inside the script, links to the Trojan usually (but not always) refer to some “sp.php”.
How could the intrusions have been conducted? There are a few possible scenarios:
1. A live hacker intrusion.
The large number of very similar cases reduces the probability of this scenario to zero.
2. Massive automatic exploitation of web-server services.
Some of the logs of infected systems that I’ve had access to show that the malicious scripts are being uploaded via FTP and using existent FTP logins. This means that a hacker (whoever or whatever s/he/it may be) has had access to the server’s logins+passwords – at least to some of them. OK, so the password file could be got via a server vulnerability & the passwords could be cracked – given the MD5 algorithm isn’t the most up-to-date thing these days. But this scenario isn’t at all likely – according to the system logs, no tampering with system services have been registered. The only intrusion-related action registered is a direct FTP logon followed by files being uploaded – it may seem like a contradiction in terms, but the intrusion was absolutely legal.
So what are the remaining probable/ possible intrusion scenarios?
Discarding the idea of sniffing, which is very unlikely, the only possibility left is…
3. Passwords stolen from end user machines.
What I’m picturing is a Windows Trojan, which could harvest passwords if it was being run on a website admin’s Windows box with FTP passwords stored on it (i.e. in Total Commander). This theory seems even more likely if we think about why the scripts are found where they’re found, on servers for sites ranging from well known media sites to private unindexed sites. There’s no obvious logic in it. But it can be explained by a Trojan, because FTP user/password data is stored in FTP client software along with IP-address data.
If the malicious program has got access to the IP/user/password FTP data, it doesn’t even have to send this data anywhere. It just needs to initiate an FTP session and infect the server with a malicious script – (assuming the user has appropriate FTP privileges, of course).
I strongly believe that #3 is the correct scenario, although I don’t have all the facts to prove it yet.
It may be very boring, but there’s an easy way to stop this epidemic of infected web sites:
– up-to-date MS patches,
– up-to-date AV bases,
– and a firewall.
plus all the common sense anti-virus precautions such as ‘Do not run suspicious programs’, Disable ActiveX in the browser’ etc. etc.
And finally, a specific solution to this particular problem: avoid saving user/password data for FTP services (or, more generally, any user/password data) in Windows clients. The only question is, whose memory is good enough to follow this advice?