Even though he removed all the injected code, it came back all the time. He also couldn't understand how his site(s) got compromised in the first place.
Until he told me what his web hosting service was... IX Web Hosting.
A quick Google search explained a lot...
There's even a blog called "IX Web Hosting Warning" to warn people about this web hosting company.
Quote from their About page:
"IX Web Hosting, the incompetent cheap web hosting company, was hacked in May of this year, and hackers managed to "seed" the servers, which are now injecting 1000s of innocent paying customers' websites on a weekly basis. It has gotten so bad, and happened so frequently, that even the backups are infected.
This has been going on now for almost 8 months!!... Yes, that is correct, 8 months, and IX Web Hosting has still not fixed this massive security issue.
The worst part of this ordeal is the fact that IX Web Hosting knows, and has openly admitted to certain people (myself being one) that they have a massive issue, yet they still blame the innocent customers, saying it is their fault."
Anyway, that may also explain why so many people got infected with Win32:Daonol lately:
"Thousands of IX Web Hosting customers are infected with this code, and they do not even know it! The web page looks normal, but this can be very dangerous: your website will eventually drop from ALL the major search engines, and your domain will be flagged as "Dangerous Malware" by all the search engines."
Lesson learned: Avoid IX Web Hosting - Avoid sites being hosted with IX Web Hosting, because you may get infected.
Saturday, January 31, 2009
Thursday, January 22, 2009
This is about the search engine hijack I blogged about a couple of months ago. The files responsible for this hijack are sysaudio.sys or wdmaud.sys, present in the system32 folder, and are detected by most scanners as Win32:Daonol.
Someone notified me yesterday about a version of Win32:Daonol which is a bit different from the other versions.
The malware author(s) decided to add "Miekiemoes rules" under the file description in one of its versions.
Again, another proof of why you shouldn't believe what malware tells you :P
This is what you get when you hover your mouse over the malicious wdmaud.sys:
I only have the above screenshot. The person who uploaded this screenshot for me had already deleted the wdmaud.sys, so no sample is available. Anyway, thanks for the screenshot.
A sample is welcome (only of the above version).
Edit - Sample received - Thank you blogreaders :)
Wednesday, January 14, 2009
This is another common problem I see in forums lately, especially since more and more malware targets Firefox as well.
An example we see in forums lately is "Yoog Search". This is a search engine hijacker that comes with a variant of the AdRotator/IconAds adware.
The Firefox start page, search engine and search settings get hijacked, and even though the malware responsible for changing them is already gone/deleted, Firefox won't save the settings when people try to change them back to the defaults or to their own start page / search engine.
So after the next Firefox session, the hijacked start page / search engine etc. is back again.
The cause is a user.js file present inside the Firefox profile folder, so in this case the %APPDATA%\Mozilla\Firefox\Profiles\"identity" folder.
The user.js file does not exist by default and was in this case added/modified by the malware.
This file is used to set or reset preferences to a fixed value: whenever the browser is loaded, the values present in the user.js file supersede the values stored in the prefs.js file.
The prefs.js file contains the values you can access/modify via about:config or via the preferences in Tools > Options Menu in Firefox.
See here for more info about the user.js file.
I've also seen the same where malware changed the proxy settings and created a user.js file to store the proxy settings there. The result: once the malware was removed, the user would get the error "The Proxy Server is Refusing Connections", since the user.js file was still in use.
Some versions of the Ask Toolbar also create a user.js file in the Firefox user profile, so after uninstalling the Ask Toolbar, the homepage and searches are still set to Ask.com because the user.js file is still present.
That's why, if you're ever having problems with Firefox not saving settings like the start page, search engine, proxy settings etc., you should check whether a user.js file is present in the Firefox profile folder and delete or modify it.
The presence of user.js in the Firefox profile folder doesn't necessarily mean that it's a bad file. Many people create their own user.js to supersede the stored values in the prefs.js file. But if you didn't create the user.js file yourself, you may delete it (since it's not present by default anyway).
If you're not sure, just rename it to user.js.bak, or open the file with Notepad to see what values are present there.
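As an added example (not part of the original post), here is a small Python triage script that does the check described above: it parses a Firefox user.js and lists the preferences that pin the start page, search settings or proxy. The watched preference names, the constructed sample file and the scan_profile() helper are this example's own assumptions, not anything from the malware or from Firefox itself.

```python
import os
import re
from typing import Dict, List, Tuple

# Preference families the post describes hijackers pinning through user.js
# (start page, search settings, proxy). The list is this example's choice.
WATCHED_PREFIXES = ("browser.startup.homepage", "browser.search.",
                    "keyword.URL", "network.proxy.")

# Matches one user_pref("name", value); line of a Firefox user.js file.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\);\s*$')

# Constructed sample resembling a dropped user.js; hosts are placeholders.
SAMPLE_USER_JS = """\
// hijacker-style overrides (constructed for this example)
user_pref("browser.startup.homepage", "http://search.example.invalid/");
user_pref("keyword.URL", "http://search.example.invalid/?q=");
user_pref("browser.search.defaultenginename", "Example Search");
user_pref("network.proxy.type", 1);
user_pref("network.proxy.http", "127.0.0.1");
user_pref("network.proxy.http_port", 8080);
user_pref("font.size.variable.x-western", 16);
"""

def parse_user_js(text: str) -> Dict[str, str]:
    """Return {pref_name: value_as_text} for every user_pref() line."""
    prefs: Dict[str, str] = {}
    for line in text.splitlines():
        if line.lstrip().startswith("//"):  # comment line, not a pref
            continue
        m = PREF_RE.match(line)
        if m:
            # Strings keep their quotes in the file; strip them so the
            # caller sees the bare value. Numbers/booleans stay as text.
            prefs[m.group(1)] = m.group(2).strip('"')
    return prefs

def suspicious_overrides(prefs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Prefs that pin start page, search or proxy settings, sorted by name."""
    return [(k, v) for k, v in sorted(prefs.items())
            if k.startswith(WATCHED_PREFIXES)]

def scan_profile(profile_dir: str) -> List[Tuple[str, str]]:
    """Flag overrides in <profile_dir>/user.js; [] if the file is absent."""
    path = os.path.join(profile_dir, "user.js")
    if not os.path.isfile(path):
        return []  # user.js does not exist by default
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_overrides(parse_user_js(fh.read()))
```

Point scan_profile() at the profile folder under %APPDATA%\Mozilla\Firefox\Profiles; an empty result means no user.js is present and the stuck settings have another cause.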