After some investigation of my websites, which have been hacked recently, I think I now found out how they did it:
- I had surfed with a PC to an infected website (I already contacted their webmaster, who has since removed the problem) which had some evil JavaScript injected into its HTML.
- The JavaScript downloaded a .pdf, causing Adobe Reader to display it, which triggered a security hole inside it that made it possible to run arbitrary code.
- This code downloaded some other .exe which apparently scanned my disk for popular (s)ftp programs and grabbed addresses and passwords from them.
- Not sure if this program did it itself or whether this was done by an external bot, but with these passwords, two of my websites were changed and the JavaScript was inserted on my websites as well, probably causing the virus to spread to other people.
Fortunately, this happened during the holidays, when not many people visited these websites, and I fixed it within a few hours.
I reconstructed all this only from file dates, registry entries and logs, so it might not be the full story, but I think it is pretty close to it. The bad thing is that this happened to me using the latest (or at least very, very recent) versions of most software, with all security updates installed. What I learned from this and what you can do to prevent the same from happening to you:
- Disable plugins (Flash, Adobe Reader, etc.) when surfing the web to reduce the security risk.
- Enable data execution prevention (DEP) if your CPU supports it. On another PC on which I tried this, it prevented that security hole from working.
- Don't let (s)ftp programs store your passwords.
- I had antivirus software installed, and it noticed the threat. But it didn't prevent the problem; it just kicked in _after_ the trojan had already executed: "Hey, there is a trojan on your hard disk! But too late. Just wanted to let you know. You are fucked now." So don't count on antivirus software at all.
- Do backups (I had plenty of those, fortunately).
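The injected-JavaScript part of the story is the one you can check for mechanically, and it is what you would want to run over a web root right after changing the FTP passwords. The following is an added example, not code from the original post: it walks a web root and flags the usual signs of a drive-by injection, namely script tags loading from hosts you do not own, obfuscated script bodies (eval/unescape over long escaped strings), hidden or zero-size iframes, and script tags appended after </body>, where an attacker appending to every file tends to leave them. The allowed-host list, the indicator patterns and the two sample pages are assumptions constructed for the example.

```python
"""Scan a web root for injected JavaScript of the drive-by kind.

Added example, not code from the original post. Indicator patterns,
allowed hosts and the sample pages below are assumptions for illustration.
"""
import re
import sys
from pathlib import Path
from urllib.parse import urlparse

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
IFRAME_TAG = re.compile(r"<iframe\b[^>]*>", re.I)
SRC_ATTR = re.compile(r"""src\s*=\s*["']?([^"'\s>]+)""", re.I)
BODY_CLOSE = re.compile(r"</body\s*>", re.I)

# Hallmarks of obfuscated injected script bodies (name, pattern).
OBFUSCATION = [
    ("eval-unescape", re.compile(r"eval\s*\(\s*(unescape|String\.fromCharCode)", re.I)),
    ("document.write-unescape", re.compile(r"document\.write\s*\(\s*unescape", re.I)),
    ("long-%u-escape", re.compile(r"(?:%u[0-9a-f]{4}){8,}", re.I)),
    ("long-\\x-escape", re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I)),
]
# Zero-size or hidden iframes: the classic carrier for an exploit page.
HIDDEN_IFRAME = re.compile(
    r"""(?:(?:width|height)\s*=\s*["']?0\b|visibility\s*:\s*hidden|display\s*:\s*none)""",
    re.I)


def _external(url, allowed_hosts):
    """True when url points at a host that is not in our allowed set."""
    host = urlparse(url).hostname
    return host is not None and host.lower() not in allowed_hosts


def scan_html(html, allowed_hosts):
    """Return a list of (indicator, detail) tuples for one HTML document."""
    findings = []
    allowed = {h.lower() for h in allowed_hosts}
    body_end = BODY_CLOSE.search(html)
    for m in SCRIPT_TAG.finditer(html):
        attrs, body = m.group(1), m.group(2)
        src = SRC_ATTR.search(attrs)
        if src and _external(src.group(1), allowed):
            findings.append(("external-script", src.group(1)))
        for name, pat in OBFUSCATION:
            if pat.search(body):
                findings.append(("obfuscated-script", name))
                break
        # Script content after </body> is almost always something appended later.
        if body_end and m.start() > body_end.end():
            findings.append(("script-after-body", html[m.start():m.start() + 60]))
    for m in IFRAME_TAG.finditer(html):
        tag = m.group(0)
        src = SRC_ATTR.search(tag)
        if HIDDEN_IFRAME.search(tag) or (src and _external(src.group(1), allowed)):
            findings.append(("suspicious-iframe", tag))
    return findings


def scan_js(js):
    """Apply only the obfuscation indicators to a standalone .js file."""
    return [("obfuscated-script", name) for name, pat in OBFUSCATION if pat.search(js)]


def scan_tree(root, allowed_hosts, exts=(".html", ".htm", ".php", ".js")):
    """Walk a web root; return {path: findings} for every file with a finding."""
    hits = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in exts:
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        found = scan_js(text) if path.suffix.lower() == ".js" else scan_html(text, allowed_hosts)
        if found:
            hits[str(path)] = found
    return hits


# Constructed samples for illustration (not from the compromised sites in the post).
CLEAN_PAGE = """<html><head><script src="/js/menu.js"></script></head>
<body><p>Hello</p><script>document.getElementById('x');</script></body></html>"""

INJECTED_PAGE = CLEAN_PAGE + """
<script>eval(unescape('%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090'))</script>
<iframe src="http://bad.example/x.php" width=0 height=0></iframe>"""

if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: scan.py <webroot> [allowed-host ...]")
    for path, found in scan_tree(sys.argv[1], sys.argv[2:]).items():
        print(path)
        for indicator, detail in found:
            print("   ", indicator, detail)
```

Run it as `python scan.py /var/www/htdocs example.com www.example.com`; every host you legitimately load scripts from goes on the command line, and anything else, plus any obfuscated or post-</body> script, is printed with the file it was found in. It is an indicator scan, not a parser, so treat a hit as a reason to diff the file against your backup rather than as proof by itself.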
It's easy to be wise after the event... :)
Anyway, here's the talk that briefly mentions irrFuscator: http://media.ccc.de/browse/congress/2009/26c3-3494-de-defending_the_poor.html