A couple of our customers have experienced hacks to their websites this last week, with malicious code (or malware) added to several pages. Normal visitors to the site have a little extra script added when they load the page, which good antivirus software will identify as a malware script. Kaspersky Labs identifies the Trojan loader as Heur: Trojan Script Generic, which is a generic Trojan loader identified by a heuristic algorithm. Alternatively, it may be identified as as Blackhole Exploit kit by other AV products.
Analysis of samples of the inserted code show some common strings, which can be used to find the script on an infected website. This appears to have been inserted by an automated script loader, probably a bot using brute force to guess FTP passwords.
< b o d y>< d i v id="w3stats">
< s c r i p t language="JavaScript" type="text/javascript">
window.w3ssss=function(){
=== Script Link and other code removed ===
CheckBody();
< / s c r i p t >< / b o d y >< / h t m l >
A quick Google search reveals that quite a few sites have had this little addition. If you find that you have been infected, carry out the following actions as soon as possible:
- Search the code on each page for the string “window.w3ssss”
- Remove the offending code from all of the pages where it has been installed
- Change all your site passwords, including FTP
- Monitor the site regularly for reinfection
Thousands of website owners are unaware that their sites are hacked and infected with malware scripts. Here are a few useful links to help: