Archive for malware

Jul 29

Rogueware on the Rise

With so much attention on email spam and trojans it is interesting to note that one of the fastest growing forms of malware is in fact rogueware. And not only is it becoming extremely popular, but it has also proved to be very effective.

Rogueware is basically any form of software that is represented as the genuine article, but is in fact a keylogger, virus, etc. The most common software that is used for rogueware is anti-virus software. The distribution can include less than upstanding means such as browser popups (a machine infected with other forms of malware might in fact bring up popups that direct the user to buy a certain anti-virus software) and spam, but can also be through normal marketing channels such as a web site that is selling anti-virus software. Some have even purchased Google Adwords and banner space.

How it works is simple. The victim purchases the software or downloads a trial copy and installs it on their computer. The installer then carries its payload onto the computer in the form of some type of malware such as a keylogger, virus, or Trojan.

There are new variants of this that include a free scan of the computer, not unlike the free scans offered by real anti-virus companies such as Kaspersky and McAfee. The free scan variant will proceed to “scan” your system, all the while installing malware on it.

In both methods, the user signs off on the software, allowing it to bypass most forms of security. It might even display a message, as Norton does, saying that this antivirus software is not effective while other antivirus software is running and asking you to disable your antivirus software before scanning.

Now the numbers. In 2008, 92,000 different types of rogueware were spotted. In the second quarter of this year there have been 374,000 new forms of rogueware. This is double the Q1 figure for this year, which in turn was nearly double the total for all of last year. The jump from 2008 Q4 to 2009 Q2 is a 748% increase, and security experts are now estimating that Q3 of this year will have around 637,000 new forms of rogueware.

Categories: Security

Web security is a very important part of Web development. We have software and hardware security solutions that cover everything from email to servers, databases, policy changes, and more. But is everything covered?

Do we have a womb to tomb product line for every part of a Web site? Prior to yesterday I could say yes, but I would also have to say with equal measure, no. Let me explain.

In the second half of 2008, 57,000 phishing attacks that targeted specific brands or organizations were launched from some 30,000 sites. Of these sites, only around 5,500 were actual phishing sites. Roughly 81% of the attacks came from legitimate sites that had been hijacked by phishing schemes.

To put this in even greater perspective, VeriSign recently released a report stating that 88% of US web users can’t identify phishing sites.

To help combat this, browsers, search engines, and security companies have been creating blacklists to prevent people from getting infected. So this of course is where I say there was a tool to secure this part of the daisy chain. However, if you are one of those legitimate sites that got blacklisted… well it doesn’t help, really, does it?

What’s more, those who find that their sites were blacklisted by Google (and by Firefox, which uses the same list) can see a huge loss of traffic.

So blacklisting the site keeps users from getting infected, but it does little to help web developers. What is a web dev to do?

A new security company, Dasient, has an answer. Well, three answers.

  • Free Blacklist finding tool
  • Premium Monitoring Service
  • Quarantining Service

The first two can be found at their web site Dasient.com, the last is currently in private beta.

The Blacklist tool is fairly straightforward. Put your URL into the online tool, or sign up for alerts and monitoring, and Dasient checks your site to see if it has been blacklisted. This is a free service, and I don’t see why you wouldn’t use it. The alternatives can be loss of all trust, loss of traffic, and in the end, loss of money.

The second tool is a monitoring service that crawls your site and looks for malware content such as injected iframes and JavaScript. It then gives you a report that tells you which pages (if any) are infected and what code is being used, so you can remove it. I will talk more about this later once I have had a chance to fully explore it.

The last one is an interesting service and I think it will really make a splash at this year’s HostingCon.

I have more information on these services so stay tuned!

Categories: In the News

The latest botnet attack, named Gumblar, has been attacking the Internet for a few weeks. ScanSafe named this attack Gumblar because it functions out of the website gumblar.cn. Researchers and security experts believe Gumblar infects a site through FTP. Weak passwords, poor permissions, etc. open the doors to the Gumblar Trojan.

The first thing to do if you suspect your site has been compromised is to check it. There are numerous ways of doing this: you could use Google Chrome and go through your site, you could search your files for pieces of Gumblar code, or you can use a utility such as Malwarebytes.

Code injected into a site can be small (a few lines of code) or can be a veritable War and Peace. The strings to search for are "(function(" and ".replace(". The code is normally found before the <body> tag in HTML files or at the end of a .js file. So far, the code only compromises HTML, JS, and PHP files.

Now that you have found it, the next step is up to you. You can opt to remove all the code first or you can lock down your FTP first. This really depends on what your site does. If it has a lot of traffic then I would suggest removal first, then lockdown. Getting that code off of your site so it doesn’t affect your audience is a top priority.

To do this you could use third-party software or you can do it by hand. Personally, I always go by hand, since I know that I will find every instance of the problem. Using the search method, you can comb through your files quickly, deleting all of the Gumblar code. You should also delete any folder that contains only image.php files.

Locking the site down starts with changing the FTP password. Make sure the new one is long and mixes letters, numbers, and symbols. Once that is done, look through folder and file permissions; if your site requires that some files or folders have write permissions that is fine, but make sure only those things have them.
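The check, clean-up and lockdown steps above can be automated. The following is an added example (not code from the original post or from ScanSafe) that scans a web root for the two indicator strings the post names, notes whether an HTML hit sits above the first <body> tag, lists folders that contain nothing but image.php, and lists files or folders writable by anyone other than their owner. The sample site it builds in a temporary directory is constructed here for the demonstration; the "likely"/"review"/"clean" verdicts are an assumption of this example, chosen so that "(function(" alone (common in legitimate minified JavaScript) is only flagged for review.

```python
import os
import tempfile
from pathlib import Path

# Indicator strings named in the post. Both on one line is the strong
# signal; "(function(" alone is common in legitimate minified JS.
INDICATORS = ("(function(", ".replace(")
SCAN_SUFFIXES = {".html", ".htm", ".js", ".php"}


def scan_text(text):
    """Return (verdict, hits) for one file's contents.

    hits is a list of (line_no, indicators_found, before_body); before_body
    is True when the hit sits above the first <body> tag, the placement the
    post describes for injected HTML. Verdict scheme is this example's own.
    """
    lines = text.splitlines()
    body_line = next((i for i, l in enumerate(lines, 1) if "<body" in l.lower()), None)
    hits = []
    for n, line in enumerate(lines, 1):
        found = tuple(ind for ind in INDICATORS if ind in line)
        if found:
            hits.append((n, found, body_line is not None and n < body_line))
    if any(len(f) == len(INDICATORS) for _, f, _ in hits):
        return "likely", hits
    return ("review" if hits else "clean"), hits


def scan_tree(root):
    """Walk root and return {relative_posix_path: verdict} for HTML/JS/PHP files."""
    root = Path(root)
    results = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            results[path.relative_to(root).as_posix()] = scan_text(text)[0]
    return results


def image_php_only_dirs(root):
    """Folders whose only files are named image.php (the post's removal rule)."""
    root = Path(root)
    flagged = []
    for dirpath, _, filenames in os.walk(root):
        if filenames and all(f == "image.php" for f in filenames):
            flagged.append(Path(dirpath).relative_to(root).as_posix())
    return sorted(flagged)


def writable_by_others(root):
    """Files and folders with group or world write bits set (lockdown review list)."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*")
        if p.stat().st_mode & 0o022
    )


def make_sample_site():
    """Write a constructed sample web root and return its path (demo data only)."""
    root = Path(tempfile.mkdtemp(prefix="gumblar_demo_"))
    (root / "index.html").write_text(
        "<html><head><title>Shop</title>\n"
        # Constructed stand-in for an injected loader: both indicators, above <body>.
        '<script>(function(){var s="a\\x62c";document.write(s.replace(/x/g,""))})();</script>\n'
        "</head><body><p>Welcome</p></body></html>\n"
    )
    (root / "js").mkdir()
    # Legitimate-looking minified wrapper: one indicator only, so "review" not "likely".
    (root / "js" / "app.js").write_text('(function(){"use strict";console.log("hi")})();\n')
    (root / "about.php").write_text("<?php echo 'About us'; ?>\n")
    (root / "uploads" / "x1").mkdir(parents=True)
    (root / "uploads" / "x1" / "image.php").write_text("<?php /* constructed stand-in */ ?>\n")
    (root / "uploads" / "pics").mkdir()
    (root / "uploads" / "pics" / "image.php").write_text("<?php ?>\n")
    (root / "uploads" / "pics" / "logo.png").write_bytes(b"\x89PNG")
    # Tighten everything, then leave one file world-writable to show the permission check.
    for p in root.rglob("*"):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(root / "about.php", 0o666)
    return root


if __name__ == "__main__":
    site = make_sample_site()
    for rel, verdict in sorted(scan_tree(site).items()):
        print(f"{verdict:7} {rel}")
    print("image.php-only folders:", image_php_only_dirs(site))
    print("writable by group/others:", writable_by_others(site))
```

Running it prints "likely" for index.html, "review" for js/app.js, "clean" for the rest, flags uploads/x1 as an image.php-only folder, and lists about.php as writable by others. On a real site, treat "review" hits as a prompt to read the code, not as a verdict, and re-run the permission check after the lockdown step.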

Gumblar’s rate of infection has grown by 188% over the last week, but with a little effort, your site can keep from becoming a statistic.

Categories: Commentary
