Hackers now "touch" all files

This is going to be a short post.

While working on cleaning a number of websites this past week, I’ve noticed something very different.

One of the steps we take when cleaning a website is to record the last modified date of any file that has malscripts injected into it. This helps us identify other possibly infected files. In fact our automated tools were (“were” being the key word) doing the same thing. When an infected file was found, our tool would record the date and time of the file, search for all other files with the same last modified time, and scan those files first.

It’s amazing how predictably and reliably this strategy worked.

That is until this past week.

Then we started seeing a process where the hackers (or cybercriminals, if you will) “touch” every file.
(Note: In a Linux environment, there is a “touch” command that will create a file if it’s not already there, or change the date and time of a file if it does exist. I’m certain there’s a way to do this in a Windows environment as well.)

This does make it more difficult to see what other files may have been affected (or infected) by the hacker’s automated program, because every file now carries the same timestamp. Oftentimes we look for the obvious pattern when trying to identify injected malscripts. We’ll just have to stick to our original strategy of checking for any changes made to the content of files.

It’s amazing how effective change monitoring is. Once you have a known, clean copy of a website and then monitor for any changes against it, you see everything. Soon we’ll be relaunching our service that includes full-scale, site-wide change monitoring. Any changes detected will be further analyzed for potentially malicious behaviour. Any potentially malicious changes will be recorded and the website contact notified.

This is one sure way of knowing exactly where the malscript was injected and when. Then it’s an easy step to remove it or block it.
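To show why the “touch everything” trick defeats the timestamp heuristic but not content-based change monitoring, here is an added example (not the author’s tool or code from the original post). It builds a constructed four-file sample site in a temporary directory, takes a SHA-256 baseline of every file, then simulates what the post describes: a placeholder marker is appended to one file and every file’s mtime is set to the same constructed value. The old “files sharing the infected file’s mtime” heuristic then flags all four files, while the hash diff against the clean baseline pinpoints exactly the one modified file. File names, contents, the marker and the timestamp are all made up for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Constructed sample "website": a handful of files written into a temp dir.
SAMPLE_SITE = {
    "index.html": "<html><body>Hello</body></html>\n",
    "about.html": "<html><body>About us</body></html>\n",
    "js/app.js": "console.log('app');\n",
    "css/site.css": "body { margin: 0; }\n",
}

# Constructed placeholder standing in for an injected malscript (not a real payload).
INJECTED_MARKER = "<!-- INJECTED PLACEHOLDER -->\n"


def build_site(root: Path) -> None:
    """Write the constructed sample site under root."""
    for rel, content in SAMPLE_SITE.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)


def snapshot(root: Path) -> dict:
    """Map each relative file path to the SHA-256 of its content (the clean baseline)."""
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            result[str(path.relative_to(root))] = hashlib.sha256(path.read_bytes()).hexdigest()
    return result


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths between two content snapshots."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def files_with_same_mtime(root: Path, reference: Path) -> list:
    """The old heuristic: every file whose mtime equals the known-infected file's mtime."""
    ref_mtime = reference.stat().st_mtime
    return sorted(
        str(p.relative_to(root))
        for p in root.rglob("*")
        if p.is_file() and p.stat().st_mtime == ref_mtime
    )


def simulate_touch_all_attack(root: Path) -> None:
    """Simulate the observed behaviour: modify one file, then give every file the same mtime."""
    target = root / "index.html"
    target.write_text(target.read_text() + INJECTED_MARKER)
    same_time = 1_700_000_000  # constructed fixed timestamp applied to every file
    for p in root.rglob("*"):
        if p.is_file():
            os.utime(p, (same_time, same_time))


def run_demo() -> dict:
    """Build the site, baseline it, run the simulated attack, compare both detection approaches."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_site(root)
        baseline = snapshot(root)
        simulate_touch_all_attack(root)
        by_mtime = files_with_same_mtime(root, root / "index.html")
        by_hash = diff_snapshots(baseline, snapshot(root))
        return {"mtime_candidates": by_mtime, "hash_diff": by_hash}


if __name__ == "__main__":
    out = run_demo()
    print("Files sharing the infected file's mtime:", out["mtime_candidates"])
    print("Content-based diff against clean baseline:", out["hash_diff"])
```

Run it as a script: the mtime list contains every file in the site (the heuristic has become useless), while the hash diff reports only `index.html` as modified. In a real deployment the baseline would be stored outside the web root (or off-host) so an intruder who can write to the site cannot also rewrite the record it is compared against.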

We’re also working on a new method of preventing websites from being hacked in the first place.
