
subject: The Great Internet Worm Hunt


Per Wikipedia: A computer worm is a self-replicating computer program. It uses a network to send copies of itself to other nodes (computers on the network) and it may do so without any user intervention. Unlike a virus, it does not need to attach itself to an existing program. Worms almost always cause at least some harm to the network, if only by consuming bandwidth, whereas viruses almost always corrupt or devour files on a targeted computer.

My first inkling that things were amiss came when a client reported a virus on his website. This same message soon started arriving from several other clients. I knew we had a significant problem to deal with.

I performed some online research, and sure enough quickly realized I was not alone in experiencing this problem. Numerous other web developers had posted questions and solutions in chat rooms.

I also spoke to my web hosting company, who sent me detailed and very helpful information: the culprit was a particularly nasty and insidious worm. Exploiting a hole in Adobe player software, it infects the computers of those who unknowingly visit infected sites.

The worm then proceeds to almost instantaneously invade FTP software, where present on the user's local machine. This kind of software is used almost exclusively by web developers, its purpose being the transfer of files to and from websites. Effectively this was a large-scale attack on the web development industry.

Having hijacked the user names and passwords, the attackers quickly used this information to place malicious code in HTML, PHP and JavaScript files. The hackers (or their clients) use the hijacked sites to relay millions of spam e-mails. The more web servers available to them, the more spam they can send.

I had dozens of sites infected, a friend of mine literally hundreds. I spent a long, frustrating week cleaning these sites of the bad code, and of course changing all of my clients' site access passwords. From one badly constructed site which I inherited from a prior developer I had to clean 85 files individually.

After cleaning the sites, I then had to get them all verified in Google Webmaster Tools, which removes the virus warning that Google shows users in its search results.
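Cleaning 85 files one by one is exactly the job a known-good copy of the site makes unnecessary. The script below is an added example, not code from the original post or from Ally Lennon: it assumes you still hold a pristine copy of the site (the local working tree you upload from), downloads the live tree for comparison, lists files that were added, modified or removed, shows the lines that were injected into a modified file so they can be reviewed first, and then restores the tree from the clean copy while quarantining the added files instead of deleting them. The directory layout and the two "infected" stand-ins are constructed sample data. Note that the files were only the symptom: the entry point was the stolen FTP credentials, so the password change the post describes is still required, or the next upload simply reinfects the site.

```python
"""Added example (not code from the original post): locate and undo injected
code on a deployed site by comparing it with a known-good copy.

Assumptions: a pristine copy of the site exists locally (e.g. the developer's
working tree) and the live tree has been downloaded for inspection. The sample
directories created by build_demo() are constructed for the demo.
"""
import difflib
import hashlib
import shutil
import tempfile
from pathlib import Path

# File types the post says were tampered with.
WEB_EXTENSIONS = {".html", ".htm", ".php", ".js"}


def file_hashes(root: Path) -> dict:
    """Map each web file (path relative to root, POSIX form) to its SHA-256."""
    hashes = {}
    for path in root.rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            rel = path.relative_to(root).as_posix()
            hashes[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return hashes


def compare_trees(clean: Path, live: Path) -> dict:
    """Classify live files against the clean copy: added, modified or missing."""
    clean_h, live_h = file_hashes(clean), file_hashes(live)
    return {
        "added": sorted(set(live_h) - set(clean_h)),
        "modified": sorted(p for p in live_h if p in clean_h and live_h[p] != clean_h[p]),
        "missing": sorted(set(clean_h) - set(live_h)),
    }


def injected_lines(clean_file: Path, live_file: Path) -> list:
    """Return the lines present in the live file but not in the clean copy,
    so the injected fragment can be reviewed before anything is overwritten."""
    clean_lines = clean_file.read_text(errors="replace").splitlines()
    live_lines = live_file.read_text(errors="replace").splitlines()
    diff = difflib.ndiff(clean_lines, live_lines)
    return [line[2:] for line in diff if line.startswith("+ ")]


def restore_from_clean(clean: Path, live: Path, report: dict) -> Path:
    """Overwrite modified files and recreate missing ones from the clean copy;
    move added files into a quarantine directory beside the live tree so they
    are kept for later inspection rather than deleted."""
    quarantine = live.parent / (live.name + "_quarantine")
    quarantine.mkdir(exist_ok=True)
    for rel in report["modified"] + report["missing"]:
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(clean / rel, live / rel)
    for rel in report["added"]:
        dest = quarantine / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(live / rel), str(dest))
    return quarantine


def build_demo() -> tuple:
    """Construct a tiny clean/live pair in a temp dir (constructed sample data)."""
    base = Path(tempfile.mkdtemp(prefix="wormhunt_"))
    clean, live = base / "clean", base / "live"
    for root in (clean, live):
        (root / "js").mkdir(parents=True)
        (root / "index.html").write_text("<html><body>Hello</body></html>\n")
        (root / "js" / "site.js").write_text("console.log('site');\n")
    # Constructed stand-ins for tampering: one appended line, one extra file.
    with (live / "index.html").open("a") as fh:
        fh.write("<script>/* constructed placeholder for injected code */</script>\n")
    (live / "extra.php").write_text("<?php /* constructed placeholder */ ?>\n")
    return clean, live


if __name__ == "__main__":
    clean_dir, live_dir = build_demo()
    findings = compare_trees(clean_dir, live_dir)
    print("report:", findings)
    for rel in findings["modified"]:
        print(rel, "->", injected_lines(clean_dir / rel, live_dir / rel))
    restore_from_clean(clean_dir, live_dir, findings)
    print("after restore:", compare_trees(clean_dir, live_dir))
```

Run it against a real site by pointing `compare_trees` at your local working copy and a freshly downloaded copy of the live tree; review the output of `injected_lines` before calling `restore_from_clean`, since a legitimate edit made directly on the server would otherwise be overwritten too. Files that were uploaded by the attacker show up under "added" and end up in the quarantine directory, which is what you hand to your host or keep for later analysis.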

The lessons I learned are twofold:

If you are a web developer, always use encrypted FTP (SFTP or FTPS) and do not store your site access details within your FTP client: this could easily happen to you.

And to the internet user at large: be aware that there will always be new and unexpected types of cyber attacks. Be very careful with passwords, always use good anti-virus software, and look out for online scams.

The internet is a dangerous arena, and will likely grow ever more so in years ahead.

by: Ally Lennon

welcome to loan (http://www.yloan.com/) Powered by Discuz! 5.5.0