Friday, October 15, 2010

Website Virus Detection

Today I would like to tell you about a new and exciting feature that we have added to the scanner – Website Virus Detection. ZeroDay web security scanner now is able to identify malware urls in the scanned websites. Some of the ulrs, especially the ones crafted with iframe HTML tag, are opened in automatic way. So, if a user visits this page, his browser will be under attack. It happens because a virus is loaded from the malware url. In other cases, site visitor needs to clicks on malicious url. As a result his browser will be under attack by a computer virus.

In addition to the fact that site visitors can be infected by computer viruses, the website itself can be removed from search engine results. Modern search engine has a capability to look for such malicious urls inside HTML pages. If malware url is found by search engine, it can block access to the legitimate website.

If a malware url is found in your website, you should clear all the pages reported. Make sure that this malware urls does not appear in other pages and not only in reported ones.

ZeroDayScan collects these malware urls from a number of resources. For example from Zeus tracker project

How the website get infected with a virus/malware url ?

Fraudsters are using automated tools to infect websites with malware urls. There are 3 types of tools that we are aware. It is possible that there are some more variants.

Automatic form submitters

Fraudsters are using automated tools to post links as a comment spam. These are the same tools used by the black hat seo people to spam links across thousands of websites. These tools can be very smart. Some of them are able to break capthas in automatic way. There are some ways to combat with these tools. Some online services exist that analyze comments submitted by users and block spam submissions.

Automatic Ftp Exploiter

These tools are very smart in the way they operate. They break ftp passwords or exploit bugs in ftp servers. Once an access is achieved, these tools look for index pages. For example index.php, index.html, default.html, etc… These tools add an IFRAME link in the bottom of the file infected. All JavaScript files are also changed in the same way – they look for files with .js extension and add malware url in the bottom of the file. You can perform a number of steps to minimize possibility that your website will be infected using this tool: always update your software, use strong passwords for ftp users, do not host your website in shared hosting, use ftp alternatives – for example ftp over ssh.

Automatic SQL Injector

These tools look for SQL injections inside website and automatically change data to include malicious urls. So if a website script shows data from a table that has malware url added to every record, these urls are displayed to the site visitor. As a result, user’s computer is under attack by computer virus loaded from the malware url. Very known example of such activity is Asprox virus. This virus exploited sites that store data in Microsoft SQL Server. To protect from such attacks it is recommended to install database firewall like greensql database firewall.

Best regards,
ZeroDayScan team

No comments:

Post a Comment