Protection against viruses that steal FTP passwords

Recently, several customers have told us that pages on their Web sites have been modified without their knowledge. Upon investigation, the customers found their computers had been infected with a virus that steals saved FTP passwords, such as the “Gumblar” or Trojan.PWS.Tupai.A virus.

We’ve taken a step to protect you against this problem (described below), but it’s wise to protect yourself, too.

The way these viruses work is:

  • You visit an infected Web page (on someone else’s site, not your own site) that loads a virus onto your personal computer.
  • The virus examines your computer to see if you use any common FTP programs, and whether you’ve told those programs to save your username and password.
  • It sends the usernames and passwords to a server controlled by “hackers”.
  • The hackers make an automated FTP connection to our servers and download any HTML or PHP files they find.
  • They modify those files to add HTML code (an “iframe” tag) that spreads the virus, then upload the changed files back to our servers.
  • Your site starts spreading the virus to new victims.
  • Within a few days, your site will be marked as “This site may harm your computer” on Google, causing the number of visitors to drop dramatically.

Obviously, you don’t want this to happen to you. It’s bad enough to be infected with a virus, but it’s even worse for your Web site to get a reputation as “harmful”.

The first thing to do is protect your computer against this kind of virus. Make sure that you’ve updated Windows and any Web browsers you use. Also make sure you’ve recently updated Adobe Reader or Adobe Acrobat (which allow your Web browser to display PDF files), since many Web viruses are spreading through an Adobe security vulnerability discovered just two months ago. (You can download the latest version of Adobe Reader from this page on the Adobe site.)

It’s also a good idea to scan your computer for “malware” every so often. Some of these infections disable standard virus scanners, so checking with a different program is wise even if you think you’re protected. One product that can detect these kinds of viruses is Malwarebytes.

If you’re really concerned about this, you might also avoid saving your password in your FTP program. It’s a little less convenient to type it each time, but it prevents these viruses from getting your password.

We mentioned that we’re doing something to protect you, too. We’ve modified our FTP servers to scan uploaded HTML and PHP files and automatically remove malicious “iframe” tags. If your computer does get infected with this kind of virus, this can prevent your site from spreading it and being listed as “harmful” in Google. (We’ll notify you if the system alters one of your files.)

Our servers currently only look for a couple of common “iframe” exploits, and we certainly can’t guarantee that we’ll catch them all. But it’s a good start — we’ve already caught and prevented several Web site infections.
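To show the kind of check described above, here is an added example (not our servers' actual filter, and not code from this post) that flags hidden iframes pointing at another host in an uploaded HTML or PHP file. The heuristics (1-pixel size or hidden style, plus an external `src`), the names `IframeAuditor` and `audit_upload`, and the sample page are assumptions made for illustration; like the filter described here, it only looks at “iframe” tags.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Inline styles commonly used to make an injected frame invisible (assumed heuristic).
HIDDEN_STYLE = re.compile(r"(display\s*:\s*none|visibility\s*:\s*hidden)", re.I)

def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    m = re.match(r"\s*(\d+)", value or "")
    return bool(m) and int(m.group(1)) <= 1

class IframeAuditor(HTMLParser):
    """Collects (line, host) for iframes that are both hidden and off-site."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        external = bool(host) and host != self.site_host
        hidden = (_tiny(a.get("width")) or _tiny(a.get("height"))
                  or bool(HIDDEN_STYLE.search(a.get("style", ""))))
        if external and hidden:  # visible embeds (maps, video) are left alone
            line, _ = self.getpos()
            self.findings.append((line, host))

def audit_upload(text, site_host):
    """Return a list of (line_number, iframe_host) findings for one file."""
    auditor = IframeAuditor(site_host)
    auditor.feed(text)
    auditor.close()
    return auditor.findings

# Constructed sample upload: one legitimate embed, one hidden off-site frame.
SAMPLE = """<html><body>
<h1>Welcome</h1>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
<iframe src="http://injected.example.net/x" width="1" height="1" style="visibility:hidden"></iframe>
<?php echo "footer"; ?>
</body></html>
"""

if __name__ == "__main__":
    for line, host in audit_upload(SAMPLE, "www.example.com"):
        print(f"line {line}: hidden iframe loading from {host}")
```
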

Update 2009-05-19: The virus now also spreads via a “script” tag that we cannot filter out. Please see our newer post for more details.

Update 2009-10-01: The virus is also spreading through certain versions of the Adobe Flash player. You can update your copy from this page on the Adobe Web site. (These mentioned programs are not meant to be a comprehensive list of all vulnerabilities — you should keep all of your software up to date.)


  1. Nice post. Thanks, it was very good information.

  2. force cPanel to add protection against this virus, vote here:

  3. Thanks for your valuable post

  4. Very clear and useful explanation. Thank you

  5. Good information …

  6. Thanks 🙂

  7. Thanks a lot for the helpful information.

  8. I’ve found that one of the best things you can do for your client is to use a tool like Spybot S&D and immunize your system. This will do a couple of things; one is populate your host file with known sites to avoid ( and the other is it populates your IE restricted zone with entries for known malware sites. Another great tip is to use OpenDNS; it is free!