iFrame viruses

In g33k movie classics such as Hackers, starring Angelina Jolie, computer viruses are portrayed as funny images that show up on your screen and their primary goal is usually to delete data. If it was true nowadays, life would be so much easier.

You see one, you unplug your computer, done.

Unfortunately today viruses changed completely. Not only they don’t look the same (actually you can’t usually see them) but they also serve different purposes – mainly mining users’ private information such as login details to bank accounts, e-mails, web services, etc. Distribution channels for viruses also changed. Prime way of getting a virus is of course on the web: through e-mail attachments, dodgy websites, downloading files, etc. Of course you can also get a virus by more conventional means such as by plugging-in an infected USB stick.

One particularly nasty group of viruses that our blog fell a victim to last week, is iframe virus. It’s not necessarily what the virus does that is so nasty, but rather how it spreads. If you visit an infected site using non-safe browser such as Internet Explorer 6, you may get infected and then the virus will mine your data looking for FTP login details. If it finds username and password for FTP server, it will connect to the server and infect the site that it hosts.

This is not to say that it’s the only way such viruses spread. iframe viruses can spread via e-mail attachments and infected file downloads too, but their goal is to plant the iframe on as many websites as possible. Once that’s done, the iframe on the website can either be used for fairly “inocent” purpose such as generating ad clicks for its owner or it can be used to mine other confidential data besides FTP access.

So how do you protect yourself? First of all, use a modern browser. Than would be Firefox, Safari, Google Chrome, Opera, Internet Explorer 7 and higher. Of course, make sure your browser is always up-to-date because the way those viruses spread is by exploiting vulnerabilities in the browser (especially IE6!). Also be smart about where you go. Most browsers now warn you if you are about to enter a page that is suspected to be infected. Do not ignore those warnings even if it’s our blog you’re visiting.

If you know you got infected, you should scan the files on your computer and your FTP site ASAP. Also, let your hosting company know what happened – they need to know. Change your FTP password and the password for CMS system you use, be it WordPress, Joomla, CMS Made Simple, or other. Also, go through your site and check for iframe tag. Remove everything that you don’t recognize.

You can then check to see if Google still sees your site as a threat, by visiting Google Safe Browsing diagnostic page.

At Host1Plus we scan every server with antivirus software as well as our own custom script for iframe virus removal. However that does not mean you should be any less cautious. Please report any suspicious activity to us.