Stop Letting Them Get Away with It!
Cyberbullying Report
Anti-Bullying and Internet Safety Services

Over 22,000 Sites Hit in Malware Distribution Attack

8/20/2011 - Over 22,000 unique domains have been hijacked so far this week including the Cyberbullying Report Anti-Bullying and Internet Safety Services website in a massive attempt to install malicious software on users computers. The attack began by stealing passwords from FTP clients belonging to webmasters before uploading corrupt files to their servers containing code capable of downloading software too malicious for some leading antivirus programs.

Cyberbullying Report experienced this attack first hand when its lead developer found a rogue security software program called Win 7 Home Security 2012 installed on his computer during the first week of August. The virus operates by taking over Windows security programs and displaying fake anti-virus scans with prompts to buy the full version of the software. Initial attempts to remove the virus using Norton Antivirus failed and the program had to be removed using Malwarebytes Anti-Malware, but not before it was able to steal file transfer protocol (FTP) credentials saved on the computer for use with the FileZilla FTP client for Windows.

Nearly two weeks after removing the malicious program Cyberbullying Report crashed due to a malicious script that was mysteriously appended to the code of its index pages. Fortunately for users Cyberbullying Report utilizes ASP.Net MasterPages that require all HTML code on content pages to be placed inside specially coded areas of the page known as content placeholders, so instead of rendering a vicious inline frame capable of downloading a copy of Win 7 Home Security 2012 users were greeted at runtime with a server error message. Cyberbullying Report was able to fix this problem by re-uploading its files, but frequently found its efforts to be useless until FTP password changes were made.

The exact cause of the problem remained unknown until Cyberbullying Report discovered itself on a lengthy list of victimized sites published by Armorize Technologies, a leading provider of network security solutions. Armorize has been profiling this ongoing series of attacks in detail and it only took one look at a screenshot to put the pieces together. According to Armorize the virus is downloaded using browser exploits before stealing FTP credentials, downloading files, appending malicious code, and uploading them. Google results alone indicate that over 536,000 web pages on at least 22,400 domains have been hit so far.

For Background Information Visit:

Cyberbullying Report with Malware Removal Instructions:

http://cyberbullyingreport.com/bully/win-7-home-security-2012-hijacked-my-pc-until-i-removed-it-219.aspx

Cyberbullying Report on Latest Attack:

http://cyberbullyingreport.com/bully/win-7-home-security-2012-hacked-my-site-with-stolen-password-226.aspx
Video Demo of Virus in Action

There Are 0 Comments

Login to Comment