I do all my dev work inside an ubuntu virtualbox, so using my uninformed logic, even if the desktop itself is infected for whatever reason, the sandbox is a sterile environment with precautions not dissimilar to that used to minimise the risk of infection in hospital operating theatres.

While that might be true, I think the “security team” of most hosting providers don’t spend enough time learning the latest attack vectors of today’s cybercriminals. It might also be that they’re the ones who drew the short straw that week.

Many of the gumblar, martuz and iframe injections were following a relatively basic pattern. How does that escape the discovery process of a security team? Accountability is key when discussing any security situation and maybe the breach disclosure laws should be expanded to include more web based attacks as well, but until people do stand up and take responsibility for their actions, it’s just a concept not based on reality.

Maybe we’ll start the Martuz Commission. A global warning system alerting website owners, webmasters and hosting providers of the latest threats, how to check for them, how to clean them and how to prevent them.

Thank you for the idea.

While avoiding FTP is a good idea, the fact that this virus also installs a keyboard logger leads one to believe that even CPanel access might be compromised. At that point the cybercriminals could add their own FTP account then carry out more malicious attacks that very few people would even realize.

We feel that the real key here is to keep PCs clean. Please do not use a PC with administrator rights. It can be very dangerous.

The irony is that until I found Tom serendipitously through a forum a stopbadware.org, we had been getting an endless stream of well-intentioned, but wrong advice from tech support at our web hosting service, which is large and has a very good reputation in the industry. Repeatedly they kept denying after performing their own scans that there was any malware. They kept saying we needed to upgrade security, even though we were at the maximum level that their provider provides.

They also advised us to tear down all the file trees, clean them up, and reload. We did that, but still Google kept flagging us. It was sort of like trying to cure the flu with leeches and bloodletting, and it didn’t work, of course. No one ever thought to say, even after about many wasted hours, “check the cgi-bin.”

I finally got pushy and demanded to speak directly with the head tech guy, which I did. He assembled a team, worked several hours, and finally realized there was something wrong with the cgi-bin, but wasn’t sure where it might be located. He also personally checked for code (or at least that’s what he said), but couldn’t be sure what he was looking for.

It was just then I found Tom.

It is clear to me now that, after the magnitude of this attack on the digital networks and after trying to learn as much as I could (including this blog), that we have experienced something unprecedented. It may not be equivalent to a cyber-911, but it has had a lasting effect. Fortunately, our readers were understanding, but a commercial site would have been devastated.

I agree that the “blame game” has gone nowhere, at least when it comes to web hosting services. Clearly, most web hosting tech people, including supervisors, were not informed – or had no way of knowing – about Gumblar, Martuz, etc. breadth, as well as their breadth and scope. They weren’t in Kansas anymore.

But while “blame” is not appropriate, assessing accountability is, so that it won’t happen again. We did that with 911. I’m amazed that while we heard in the press a lot about Gumblar while it was happening, we had very little information about its ability to get through the standard AV software, or the damage. That probably should have been the job of the appropriate “national cybersecurity” officials, which seemed to have failed us. Maybe they didn’t know either, which means we need far more awareness of these threats, who these cybercriminals might be (I know Tom has his theories), and how they operate.

We probably don’t need a “Martuz Commission,” but if we all remain in the dark about this, the next wave could be even more devastating. We all know about the nature of the swine flu threat, how to guard against it, and what are its symptoms. How come we don’t have the same knowledge as a public about the electronic kind of viruses, and given the time I was “down” in June and July, I would have almost preferred (well, maybe not) the biological version.

Is it a safer option to ditch the FTP programs like CuteFTP or Filezilla and simply use the hosting Cpanel to upload/download files ?

AD

I hope that I won’t have the same problem again, like I did when Mr. Thomas helped.
Regards, and thanks again.